[ Inactive ] HELP!! Trojan Horse Downloader Generic2.YRE makes me Crazy.

Here is the logfile of HijackThis
Many thanks for helping me solve the problems.

Logfile of HijackThis v1.99.1
Scan saved at 下午 08:02:49, on 2006/12/7
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINNT\System32\sistray.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Documents and Settings\Administrator\桌面\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\system32\userint.exe
O1 - Hosts: 61.141.31.11 www.kzdh.com
O1 - Hosts: 61.141.31.11 www.7255.com
O1 - Hosts: 61.141.31.11 www.7322.com
O1 - Hosts: 61.141.31.11 www.7939.com
O1 - Hosts: 61.141.31.11 www.piaoxue.com
O1 - Hosts: 61.141.31.11 www.feixu.net
O1 - Hosts: 61.141.31.11 www.6781.com
O1 - Hosts: 61.141.31.11 www.7b.com.cn
O1 - Hosts: 61.141.31.11 7b.com.cn
O1 - Hosts: 61.141.31.11 www.918188.com
O1 - Hosts: 61.141.31.11 hao.allxue.com
O1 - Hosts: 61.141.31.11 good.allxue.com
O1 - Hosts: 61.141.31.11 baby.allxue.com
O1 - Hosts: 61.141.31.11 www.allxue.com
O1 - Hosts: 61.141.31.11 about.lank.la
O1 - Hosts: 61.141.31.11 www.x114x.com
O1 - Hosts: 61.141.31.11 www.37ss.com
O1 - Hosts: 61.141.31.11 www.7k.cc
O1 - Hosts: 61.141.31.11 www.73ss.com
O1 - Hosts: 61.141.31.11 www.81915.com
O1 - Hosts: 61.141.31.11 222.88.90.22
O1 - Hosts: 61.141.31.11 www.9991.com
O1 - Hosts: 61.141.31.11 www.my123.com
O1 - Hosts: 61.141.31.11 www.haokan123.com
O1 - Hosts: 61.141.31.11 www.5566.net
O1 - Hosts: 61.141.31.11 www.gjj.cc
O1 - Hosts: 61.141.31.11 www.2345.com
O1 - Hosts: 61.141.31.11 dl.hao318.com
O1 - Hosts: 61.141.31.11 www.123wa.com
O1 - Hosts: 61.141.31.11 www.ku886.com
O1 - Hosts: 61.141.31.11 www.5icrack.com
O1 - Hosts: 61.141.31.11 www.jjol.cn
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Realplayer.exe] C:\WINNT\System32\Realplayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Realplayer.exe] C:\WINNT\System32\Realplayer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cdnns.dll' missing
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
O16 - DPF: JT's Blocks - http://download2.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download2.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111046442750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34328979-EAC2-4B0D-A148-EEAF0270449C}: NameServer = 85.255.115.20,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Comments

  • zamizami Finland
    edited December 2006
    Hi There!
    I am currently working on your log.
    I will get back to you as soon as possible.
    ~zami~
  • zamizami Finland
    edited December 2006
    Firstly, let's disable AVG guard:

    Open AVG Antispyware and in the main window click "Resident Shield", then toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state' which will then change the protection status to 'inactive'.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download SDFix and save it to your desktop.

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    You may want to print out these instructions for reference, since you
    will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe


    Save it to your desktop and run it. Click Next, then Install, then make
    sure "Run fixit" is checked and click Finish. The fix will
    begin; follow the prompts. You will be asked to reboot your computer;
    please do so. Your system may take longer than usual to load; this is
    normal.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post a fresh HijackThis log, along with the contents of
    the logfile C:\fixwareout\report.txt


    Now let's check some settings on your system.
    (2000/XP) Only
    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says
    Obtain DNS servers automatically
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.
    Next, go to Start, Run, type cmd and hit OK.
    Type ipconfig /flushdns
    then hit Enter; type exit and hit Enter.
    (that space between g and / is needed)

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    In your next reply, please include the following logs: C:\fixwareout\report.txt, SDFix report and a fresh HJT log. Thanks.
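The indicators zami's instructions target are all visible in the HijackThis log at the top of the thread: the O1 hosts-file lines that send dozens of unrelated names to one address, the O17 NameServer values hard-coded in every control set, the F2 UserInit value with a second look-alike executable appended, and the O10 LSP entry whose DLL is missing. The following Python script is an added example written for this page, not a HijackThis or forum tool; it parses lines in HijackThis 1.99 format and reports those four indicators so a reader can triage a log the same way before deciding which fixes (DHCP DNS, hosts-file restore, LSP repair) apply. The sample log embedded in it is a constructed excerpt of the log posted above; the `expected_dns` parameter and the `min_hosts_per_ip` threshold are this example's own assumptions.

```python
"""Triage a HijackThis (v1.99) log for hosts-file redirects, hard-coded DNS
servers, a tampered UserInit value and a broken Winsock LSP.
Example code written for this page; not a HijackThis component."""
import re
from collections import defaultdict

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
NS_RE = re.compile(r"^O17 - (HKLM\\\S+?): NameServer = (.+)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$")
LSP_RE = re.compile(r"^O10 - .*LSP provider '([^']+)' missing", re.IGNORECASE)
# The only legitimate UserInit entry is userinit.exe in the system directory
# (WINNT or WINDOWS); anything else in the list runs at every interactive logon.
GOOD_USERINIT = re.compile(r"[a-z]:\\win(nt|dows)\\system32\\userinit\.exe", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed excerpt of the log posted in this thread (same format, fewer lines).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\system32\userint.exe
O1 - Hosts: 61.141.31.11 www.kzdh.com
O1 - Hosts: 61.141.31.11 www.7255.com
O1 - Hosts: 61.141.31.11 www.piaoxue.com
O1 - Hosts: 61.141.31.11 www.2345.com
O1 - Hosts: 61.141.31.11 www.5icrack.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cdnns.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{34328979-EAC2-4B0D-A148-EEAF0270449C}: NameServer = 85.255.115.20,85.255.112.81
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
"""


def triage(log_text, expected_dns=frozenset(), min_hosts_per_ip=3):
    """Return a dict of findings.  expected_dns holds the DNS servers the owner
    really configured (empty when the adapter is supposed to use DHCP)."""
    ip_to_names = defaultdict(set)
    nameservers = {}
    userinit_extra = []
    missing_lsp = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, name = m.groups()
            if ip not in LOOPBACK:          # localhost entries are normal
                ip_to_names[ip].add(name)
        elif m := NS_RE.match(line):
            key, servers = m.groups()
            nameservers[key] = sorted(set(re.split(r"[,\s]+", servers.strip())))
        elif m := USERINIT_RE.match(line):
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            userinit_extra += [e for e in entries if not GOOD_USERINIT.fullmatch(e)]
        elif m := LSP_RE.match(line):
            missing_lsp.append(m.group(1))
    # Many unrelated names resolving to one address is the hosts-hijack pattern.
    hosts_redirects = {ip: sorted(n) for ip, n in ip_to_names.items()
                       if len(n) >= min_hosts_per_ip}
    # Any static server the owner did not set is suspect; the same pair in every
    # control set means a reboot to "last known good" will not undo it.
    seen = {s for srv in nameservers.values() for s in srv}
    unexpected_dns = sorted(seen - set(expected_dns))
    return {
        "hosts_redirects": hosts_redirects,
        "nameservers": nameservers,
        "unexpected_dns": unexpected_dns,
        "userinit_extra": userinit_extra,
        "missing_lsp": missing_lsp,
    }


def report(findings):
    """Render the findings as the lines a log helper would want to see first."""
    lines = []
    for ip, names in findings["hosts_redirects"].items():
        lines.append(f"hosts file sends {len(names)} names to {ip}: "
                     f"{', '.join(names[:3])} ...")
    if findings["unexpected_dns"]:
        lines.append("static DNS servers not set by the owner: "
                     + ", ".join(findings["unexpected_dns"]))
    for entry in findings["userinit_extra"]:
        lines.append(f"extra UserInit entry (runs at every logon): {entry}")
    for dll in findings["missing_lsp"]:
        lines.append(f"Winsock LSP references a missing DLL (breaks networking): {dll}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a saved log with `triage(open("hijackthis.log").read(), expected_dns={...})`, passing the ISP or corporate resolvers the machine is meant to use so that only foreign NameServer values are reported. The hosts-file threshold deliberately ignores loopback entries, because blocklist tools such as Spybot legitimately map many names to 127.0.0.1; the pattern that matters is many names mapped to a single remote address.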
  • edited December 2006
    Thanks for your help first!
    But I can't run the programs you mentioned (SDFIX & FixwareOUT).

    Both of the programs said that
    " Unable to execute file:
    (C:\fixwareout\fixit.bat)

    ShellExecuteEx failed: code2"

    So what can I do??? HELP!!!!!!!!!!
  • zamizami Finland
    edited December 2006
    Hi. Let's find out what is going on...

    Please download: GMER
    or this link: http://www.majorgeeks.com/GMER_d5198.html
    • Unzip it and double-click GMER.exe
    • Click the rootkit-tab and click scan.
    • Do NOT check the "Show All" box during the scan!!
    • Once done, click Copy.
    • This will copy the results to clipboard.
    • Paste the results in your next reply
  • edited December 2006
    Thx for your help, and I post the result below.

    GMER 1.0.12.12011 -
    Rootkit scan 2006-12-15 02:10:41
    Windows 5.1.2600 Service Pack 2

    ---- System - GMER 1.0.12 ----

    SSDT ejjjjagd.sys ZwClose
    SSDT ejjjjagd.sys ZwCreateKey
    SSDT 84B7D109 ZwCreateThread
    SSDT ejjjjagd.sys ZwDeleteKey
    SSDT ejjjjagd.sys ZwDeleteValueKey
    SSDT sptd.sys ZwEnumerateKey
    SSDT ejjjjagd.sys ZwEnumerateValueKey
    SSDT ejjjjagd.sys ZwOpenKey
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT sptd.sys ZwQueryKey
    SSDT ejjjjagd.sys ZwQueryValueKey
    SSDT ejjjjagd.sys ZwReplaceKey
    SSDT ejjjjagd.sys ZwRestoreKey
    SSDT ejjjjagd.sys ZwSetSecurityObject
    SSDT ejjjjagd.sys ZwSetSystemInformation
    SSDT ejjjjagd.sys ZwSetValueKey
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
    SSDT ejjjjagd.sys ZwTerminateThread

    Code 29D3C067 KeFindConfigurationNextEntry

    ---- Kernel code sections - GMER 1.0.12 ----

    PAGE Ntfs.sys F736C097 7 Bytes JMP F72D3EE2 ejjjjagd.sys

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[472] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[536] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\services.exe[648] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\lsass.exe[660] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[812] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[872] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[940] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1040] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\NETWOR~1\COMMON~1\naPrdMgr.exe[1228] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\system32\svchost.exe[1272] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\WINNT\explorer.exe[1400] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!ReadFile 7C80180E 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!WriteFile 7C810F9F 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!PeekNamedPipe 7C85F6EF 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] kernel32.dll!WinExec 7C86114D 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] ADVAPI32.dll!RegOpenKeyA 77DCC41B 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WININET.dll!InternetOpenA 76696D2A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WININET.dll!InternetOpenUrlA 76696FDD 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WININET.dll!InternetReadFile 76699555 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!select 71A12DC0 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!socket 71A13B91 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!bind 71A13E00 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!send 71A1428A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3624] WS2_32.dll!recv 71A1615A 5 Bytes CALL 37001160 C:\WINNT\system32\EntApi.dll
  • edited December 2006
    Because the log is too long, I cut it into 2.

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F72D399E] ejjjjagd.sys
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F72D39F6] ejjjjagd.sys
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F72D3AFE] ejjjjagd.sys
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F72D3AA6] ejjjjagd.sys
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F72D3A4E] ejjjjagd.sys
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 84F95550
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 84F95550
    Device \FileSystem\Ntfs \Ntfs FastIoRead [F72D3BD4] ejjjjagd.sys
    Device \FileSystem\Ntfs \Ntfs FastIoWrite [F72D3B56] ejjjjagd.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFA85A] avgtdi.sys
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 84F95C78
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 84F95C78
    Device \Driver\NetBT \Device\NetBT_Tcpip_{34328979-EAC2-4B0D-A148-EEAF0270449C} IRP_MJ_CREATE 849D20E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{34328979-EAC2-4B0D-A148-EEAF0270449C} IRP_MJ_CLOSE 849D20E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{34328979-EAC2-4B0D-A148-EEAF0270449C} IRP_MJ_DEVICE_CONTROL 849D20E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{34328979-EAC2-4B0D-A148-EEAF0270449C} IRP_MJ_INTERNAL_DEVICE_CONTROL 849D20E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{34328979-EAC2-4B0D-A148-EEAF0270449C} IRP_MJ_CLEANUP 849D20E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{34328979-EAC2-4B0D-A148-EEAF0270449C} IRP_MJ_PNP 849D20E8
    Device \Driver\NaiAvTdi1 \Device\McTdiApi IRP_MJ_CLOSE [B5733DA4] cdntran.sys
    Device \Driver\NaiAvTdi1 \Device\McTdiApi IRP_MJ_DEVICE_CONTROL [B5733D42] cdntran.sys
    Device \Driver\NaiAvTdi1 \Device\McTdiApi IRP_MJ_INTERNAL_DEVICE_CONTROL [B5733C5C] cdntran.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFA85A] avgtdi.sys
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 84F95EB0
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 84F95EB0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 84BA3B90
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 84A01700
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 84A01700
    Device \Driver\00000057 \Device\00000065 IRP_MJ_POWER [F74D5EA8] sptd.sys
    Device \Driver\00000057 \Device\00000065 IRP_MJ_SYSTEM_CONTROL [F74E9A70] sptd.sys
    Device \Driver\00000057 \Device\00000065 IRP_MJ_PNP [F74E2728] sptd.sys
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 84BA3B90
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F784AD60] sfsync02.sys
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL [F784AD60] sfsync02.sys
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F784AD60] sfsync02.sys
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL [F784AD60] sfsync02.sys
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL [F784AD60] sfsync02.sys
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 84BA3B90
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 84BA3B90
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 849D20E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 849D20E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 849D20E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 849D20E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 849D20E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 849D20E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 849D20E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 849D20E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 849D20E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 849D20E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 849D20E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 849D20E8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFA85A] avgtdi.sys
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 84F95808
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 84F95808
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFA85A] avgtdi.sys
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 84AB6AE8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7AFA85A] avgtdi.sys
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 84AB6AE8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 84AB6AE8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 848B40E8
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 848B40E8
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 84F95EB0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 84F95EB0
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 84A75670
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 84A75670
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F784AD60] sfsync02.sys
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F784AD60] sfsync02.sys
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 849720E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 849720E8
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 848A2EB0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 848A2EB0

    ---- EOF - GMER 1.0.12 ----
  • zamizami Finland
    edited December 2006
    I think AVG guard is blocking those fixes:

    Start AVG Anti-Spyware. On the main screen, under "Your Computer's security":
    * Click on "Change state" next to "Resident shield". It should now change to inactive.

    Now try to run SDFIX & FixwareOUT and tell me what happened. Thanks.
  • edited December 2006
    My AVG Anti-Spyware is past its expiry date and I can't use the resident shield.
    Closing it with the exit command in the toolbar also gives the same result: I can't execute the *.bat file.
  • zamizami Finland
    edited December 2006
    Please download and save Blacklight to your C:\ (important!).
    F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
    Then go to Start > Run and copy and paste the following command into the field:

    C:\blbeta.exe /expert

    This should open Blacklight.
    Click "Scan", then "Next".
    You'll see a list of all items found.
    Don't choose "Rename" yet! I want to see the log first, because legitimate items can also be present there...
    There should also be a log on your C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Create a Startup List
    • Open HiJackThis
    • Click on the "Config..." button on the bottom right
    • Click on the tab "Misc Tools"
    • Check the two boxes next to the box that says "Generate StartupList log"
    • Copy and paste the StartupList from Notepad into your next post

    In your next reply, please include the following logs: Blacklight log and a fresh hijackThis report. Thanks.
  • edited December 2006
    Thanks! Here is the log of Blacklight:

    12/17/06 00:38:12 [Info]: BlackLight Engine 1.0.47 initialized
    12/17/06 00:38:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/17/06 00:38:12 [Note]: 7019 4
    12/17/06 00:38:12 [Note]: 7005 0
    12/17/06 00:38:27 [Note]: 7006 0
    12/17/06 00:38:27 [Note]: 7022 0
    12/17/06 00:38:27 [Note]: 7011 1380
    12/17/06 00:38:27 [Note]: 7026 0
    12/17/06 00:38:27 [Note]: 7026 0
    12/17/06 00:38:27 [Note]: FSRAW library version 1.7.1020
    12/17/06 00:48:05 [Note]: 7007 0
  • edited December 2006
    And here is the log of HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 上午 12:56:21, on 2006/12/17
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\sistray.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\桌面\HijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINNT\System32\userinit.exe,C:\WINNT\system32\userint.exe
    O1 - Hosts: 61.141.31.11 www.kzdh.com
    O1 - Hosts: 61.141.31.11 www.7255.com
    O1 - Hosts: 61.141.31.11 www.7322.com
    O1 - Hosts: 61.141.31.11 www.7939.com
    O1 - Hosts: 61.141.31.11 www.piaoxue.com
    O1 - Hosts: 61.141.31.11 www.feixu.net
    O1 - Hosts: 61.141.31.11 www.6781.com
    O1 - Hosts: 61.141.31.11 www.7b.com.cn
    O1 - Hosts: 61.141.31.11 7b.com.cn
    O1 - Hosts: 61.141.31.11 www.918188.com
    O1 - Hosts: 61.141.31.11 hao.allxue.com
    O1 - Hosts: 61.141.31.11 good.allxue.com
    O1 - Hosts: 61.141.31.11 baby.allxue.com
    O1 - Hosts: 61.141.31.11 www.allxue.com
    O1 - Hosts: 61.141.31.11 about.lank.la
    O1 - Hosts: 61.141.31.11 www.x114x.com
    O1 - Hosts: 61.141.31.11 www.37ss.com
    O1 - Hosts: 61.141.31.11 www.7k.cc
    O1 - Hosts: 61.141.31.11 www.73ss.com
    O1 - Hosts: 61.141.31.11 www.81915.com
    O1 - Hosts: 61.141.31.11 222.88.90.22
    O1 - Hosts: 61.141.31.11 www.9991.com
    O1 - Hosts: 61.141.31.11 www.my123.com
    O1 - Hosts: 61.141.31.11 www.haokan123.com
    O1 - Hosts: 61.141.31.11 www.5566.net
    O1 - Hosts: 61.141.31.11 www.gjj.cc
    O1 - Hosts: 61.141.31.11 www.2345.com
    O1 - Hosts: 61.141.31.11 dl.hao318.com
    O1 - Hosts: 61.141.31.11 www.123wa.com
    O1 - Hosts: 61.141.31.11 www.ku886.com
    O1 - Hosts: 61.141.31.11 www.5icrack.com
    O1 - Hosts: 61.141.31.11 www.jjol.cn
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Realplayer.exe] C:\WINNT\System32\Realplayer.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Realplayer.exe] C:\WINNT\System32\Realplayer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: Foxy 下載 - res://C:\Program Files\Foxy\Foxy.exe/download.htm
    O8 - Extra context menu item: Foxy 搜尋 - res://C:\Program Files\Foxy\Foxy.exe/search.htm
    O9 - Extra button: (no name) - {6354ABE6-05F1-49ed-B850-E423120EC338} - http://cn.widget.yahoo.com/index.htm?source=Cns (file missing)
    O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomsg (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\cdnns.dll' missing
    O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
    O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
    O16 - DPF: JT's Blocks - http://download2.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download2.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111046442750
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{34328979-EAC2-4B0D-A148-EEAF0270449C}: NameServer = 85.255.115.20,85.255.112.81
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.20 85.255.112.81
    O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\mshtml.dll
    O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINNT\system32\msvidctl.dll
    O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: ipp - (no CLSID) - (no file)
    O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\System32\itss.dll
    O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\mshtml.dll
    O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\mshtml.dll
    O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINNT\System32\inetcomm.dll
    O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINNT\System32\urlmon.dll
    O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINNT\System32\itss.dll
    O18 - Protocol: msdaipp - (no CLSID) - (no file)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
    O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\mshtml.dll
    O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINNT\System32\mshtml.dll
    O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINNT\system32\msvidctl.dll
    O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINNT\System32\mshtml.dll
    O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINNT\System32\wiascr.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
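    The log above carries the three line types a helper reads first: the O1 entries that pin a long list of hostnames to one address, the O17 NameServer values on every Tcpip key, and the F2 UserInit value with a second executable after userinit.exe. As an added example (not code from this thread, from HijackThis, or from any tool named here), the following Python script parses those line types from a constructed excerpt of the log and reports each pattern for a human to judge; the allow-list of resolver addresses passed to it is an assumption the reader supplies from their own network.

```python
"""Triage a HijackThis 1.99.1 log for hosts-file, DNS and UserInit tampering.

Added example, not part of the forum thread or of HijackThis. It reports
three patterns a helper looks for first: many hostnames mapped to a single
address in the hosts file (O1), resolver addresses that are not on a local
allow-list (O17), and extra executables appended to UserInit (F2).
"""
import re
from collections import defaultdict

# Constructed excerpt in HijackThis format, built from lines in this thread plus
# one ordinary O1 entry and one O4 entry so the filters have benign input to ignore.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINNT\\System32\\userinit.exe,C:\\WINNT\\system32\\userint.exe
O1 - Hosts: 61.141.31.11 www.kzdh.com
O1 - Hosts: 61.141.31.11 www.7255.com
O1 - Hosts: 61.141.31.11 www.7322.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{34328979-EAC2-4B0D-A148-EEAF0270449C}: NameServer = 85.255.115.20,85.255.112.81
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.115.20 85.255.112.81
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O17_RE = re.compile(r"^O17 - (.+?):\s*NameServer\s*=\s*(.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*UserInit=(.+)$", re.IGNORECASE)


def hosts_by_address(log):
    """Group O1 hosts-file entries by the address they resolve to."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            addr, host = m.groups()
            groups[addr].append(host)
    return dict(groups)


def find_hosts_redirects(log, min_hosts=3):
    """Non-loopback addresses that at least min_hosts hostnames are pinned to."""
    return {addr: hosts for addr, hosts in hosts_by_address(log).items()
            if not addr.startswith("127.") and len(hosts) >= min_hosts}


def find_unexpected_nameservers(log, allowed):
    """O17 NameServer values that contain resolvers outside the allow-list.

    Returns (registry key, [unexpected addresses]) per offending line. The value
    may be comma- or space-separated, as the two O17 forms in the log show.
    """
    findings = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        servers = [s for s in re.split(r"[,\s]+", value.strip()) if s]
        bad = [s for s in servers if s not in allowed]
        if bad:
            findings.append((key, bad))
    return findings


def find_extra_userinit(log):
    """Entries in the UserInit value other than the single expected userinit.exe."""
    extras = []
    for line in log.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                extras.append(entry)
    return extras


def triage(log, allowed_dns=frozenset()):
    """Run all three checks; allowed_dns is the reader's own resolver allow-list."""
    return {
        "hosts_redirects": find_hosts_redirects(log),
        "unexpected_nameservers": find_unexpected_nameservers(log, set(allowed_dns)),
        "extra_userinit": find_extra_userinit(log),
    }


if __name__ == "__main__":
    # 192.168.1.1 is an assumed home-router resolver, not a value from the thread.
    for name, result in triage(SAMPLE_LOG, allowed_dns={"192.168.1.1"}).items():
        print(f"{name}: {result}")
```

The script only reports; it does not edit the hosts file, the Tcpip keys or the Winlogon value, because (as zamizami says about the Blacklight list) legitimate entries can sit next to bad ones and the log should be read before anything is changed.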
  • zamizami Finland
    edited December 2006
    And the startup list....?
  • edited December 2006
    StartupList report, 2006/12/17, 上午 11:07:12
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Administrator\桌面\HijackThis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\sistray.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\桌面\HijackThis\HijackThis.exe


    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Administrator\「開始」功能表\程式集\啟動]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\System32\userinit.exe,C:\WINNT\system32\userint.exe

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SiSUSBRG = C:\WINNT\SiSUSBrg.exe
    SiS Tray = C:\WINNT\System32\sistray.EXE
    DAEMON Tools = "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    Realplayer.exe = C:\WINNT\System32\Realplayer.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
    !AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    ShStatEXE = "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    Network Associates Error Reporting Service = "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINNT\system32\ctfmon.exe
    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    Realplayer.exe = C:\WINNT\System32\Realplayer.exe
    swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*


    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*


    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*


    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*


    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S


    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\System32\mshta.exe "%1" %*


    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe


    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*


    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: load=
    HKLM\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=


    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*


    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}


    Enumerating Task Scheduler jobs:

    AppleSoftwareUpdate.job
    Symantec NetDetect.job


    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [HKJC Applet]
    CODEBASE = https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
    OSD = C:\WINNT\Downloaded Program Files\HKJC Applet.osd

    [i.Game MJImpressYHK]
    CODEBASE = http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
    OSD = C:\WINNT\Downloaded Program Files\i.Game MJImpressYHK.osd

    [JT's Blocks]
    CODEBASE = http://download2.games.yahoo.com/games/clients/y/blt1_x.cab
    OSD = C:\WINNT\Downloaded Program Files\JT's Blocks.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Yahoo! Pyramids]
    CODEBASE = http://download2.games.yahoo.com/games/clients/y/pyt1_x.cab
    OSD = C:\WINNT\Downloaded Program Files\Yahoo! Pyramids.osd

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINNT\Downloaded Program Files\CONFLICT.1\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [{3334504D-9980-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINNT\System32\wuweb.dll
    CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111046442750

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [MsnMessengerSetupDownloadControl Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
    CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\Macromed\Flash\Flash8.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\cdnns.dll (file MISSING)
    NameSpace #2: C:\WINNT\System32\mswsock.dll
    NameSpace #3: C:\WINNT\System32\winrnr.dll
    NameSpace #4: C:\WINNT\System32\mswsock.dll
    Protocol #1: C:\WINNT\system32\mswsock.dll
    Protocol #2: C:\WINNT\system32\mswsock.dll
    Protocol #3: C:\WINNT\system32\mswsock.dll
    Protocol #4: C:\WINNT\system32\mswsock.dll
    Protocol #5: C:\WINNT\system32\rsvpsp.dll
    Protocol #6: C:\WINNT\system32\rsvpsp.dll
    Protocol #7: C:\WINNT\system32\mswsock.dll
    Protocol #8: C:\WINNT\system32\mswsock.dll
    Protocol #9: C:\WINNT\system32\mswsock.dll
    Protocol #10: C:\WINNT\system32\mswsock.dll
    Protocol #11: C:\WINNT\system32\mswsock.dll
    Protocol #12: C:\WINNT\system32\mswsock.dll
    Protocol #13: C:\WINNT\system32\mswsock.dll
    Protocol #14: C:\WINNT\system32\mswsock.dll


    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD 網路支援環境: \SystemRoot\System32\drivers\afd.sys (system)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    RAS 非同步媒體驅動程式: System32\DRIVERS\asyncmac.sys (manual start)
    標準 IDE/ESDI 硬碟控制器: System32\DRIVERS\atapi.sys (system)
    Windows Gateway: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    音訊常駐驅動程式: System32\DRIVERS\audstub.sys (manual start)
    AVG Anti-Spyware Driver: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys (system)
    AVG Anti-Spyware Guard: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (autostart)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
    AVG Anti-Spyware Clean Driver: System32\DRIVERS\AvgAsCln.sys (system)
    AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe (autostart)
    AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    cdnprot: system32\drivers\cdnprot.sys (system)
    cdntran: system32\drivers\cdntran.sys (autostart)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    C-Media WDM Audio Interface: system32\drivers\cmuda.sys (manual start)
    COM+ System Application: C:\WINNT\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    磁碟驅動程式: System32\DRIVERS\disk.sys (system)
    Distributed Logical Disks Manager: %SystemRoot%\System32\svchost.exe -k DistriDiskMan (autostart)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    邏輯磁碟管理員驅動程式: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
    EntDrv51: \??\C:\WINNT\system32\drivers\EntDrv51.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    FltMgr: system32\drivers\fltmgr.sys (system)
    FsVga: System32\DRIVERS\fsvga.sys (system)
    Volume Manager 驅動程式: System32\DRIVERS\ftdisk.sys (system)
    遊戲連接埠列舉器: System32\DRIVERS\gameenum.sys (manual start)
    GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
    gmer: System32\DRIVERS\gmer.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 鍵盤及 PS/2 滑鼠連接埠驅動程式: System32\DRIVERS\i8042prt.sys (system)
    InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINNT\System32\imapi.exe (manual start)
    IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    iPod Service: "C:\Program Files\iPod\bin\iPodService.exe" (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start)
    PnP ISA/EISA Bus 驅動程式: System32\DRIVERS\isapnp.sys (system)
    鍵盤類別驅動程式: System32\DRIVERS\kbdclass.sys (system)
    鍵盤 HID 驅動程式: System32\DRIVERS\kbdhid.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    McAfee Framework Service: C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart (autostart)
    Network Associates McShield: "C:\Program Files\Network Associates\VirusScan\Mcshield.exe" (autostart)
    Network Associates Task Manager: "C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe" (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
    滑鼠類別驅動程式: System32\DRIVERS\mouclass.sys (system)
    滑鼠 HID 驅動程式: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    Microsoft IR Communications Driver: System32\DRIVERS\MSIRCOMM.sys (manual start)
    Windows Installer: C:\WINNT\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
    Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
    NaiAvFilter1: system32\drivers\naiavf5x.sys (manual start)
    NaiAvTdi1: system32\drivers\mvstdi5x.sys (system)
    遠端存取 NDIS TAPI 驅動程式: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    遠端存取 NDIS WAN 驅動程式: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBT: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    nwupspx: System32\drivers\nwupspx.sys (system)
    Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
    平行連接埠驅動程式: System32\DRIVERS\parport.sys (manual start)
    PCI Bus 驅動程式: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN 迷你連接埠 (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    直接平行連接埠連結驅動程式: System32\DRIVERS\ptilink.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN 迷你連接埠 (IrDA): System32\DRIVERS\rasirda.sys (manual start)
    WAN 迷你連接埠 (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    直接平行連接埠: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    終端機伺服器裝置重新導向器驅動程式: System32\DRIVERS\rdpdr.sys (manual start)
    Remote Desktop Help Session Manager: C:\WINNT\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter 驅動程式: System32\DRIVERS\serenum.sys (manual start)
    序列連接埠驅動程式: System32\DRIVERS\serial.sys (system)
    ServiceLayer: "C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe" (manual start)
    StarForce Protection Environment Driver (version 1.x): System32\drivers\sfdrv01.sys (system)
    StarForce Protection Helper Driver (version 2.x): System32\drivers\sfhlp02.sys (system)
    StarForce Protection Synchronization Driver (version 2.x): System32\drivers\sfsync02.sys (system)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SiS315: System32\DRIVERS\sisgrp.sys (manual start)
    SiSkp: System32\DRIVERS\srvkp.sys (system)
    SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    sptd: System32\Drivers\sptd.sys (system)
    系統還原篩選器驅動程式: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    SigmaTel USB-IrDA Dongle: System32\DRIVERS\irstusb.sys (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
    Software Bus 驅動程式: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    終端機裝置驅動程式: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Telnet: C:\WINNT\System32\tlntsvr.exe (disabled)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microsoft AGPv3.5 Filter: System32\DRIVERS\uagp35.sys (system)
    Windows User Mode Driver Framework: C:\WINNT\System32\wdfmgr.exe (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 一般上層驅動程式: System32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    遠端存取 IP ARP 驅動程式: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Network IPSEC Connections: C:\WINNT\SYSTEM32\RUNDLL32.EXE C:\WINNT\SYSTEM32\WBEM\SMTPCONFS.DLL,Export 1087 (autostart)
    54Mbps USB Adapter: system32\DRIVERS\wind502u.sys (manual start)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINNT\System32\wbem\wmiapsrv.exe (manual start)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %systemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)



    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINNT\system32\SHELL32.dll
    CDBurn: C:\WINNT\system32\SHELL32.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: C:\WINNT\System32\stobject.dll

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*


    End of report, 35,258 bytes
    Report generated in 0.344 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  • zamizami Finland
    edited December 2006
    Let's try a different version of Combofix.
    This version is (for the time being) called combofix /WOW.
    Please read these entire instructions before you begin. We need to run this application from safe mode.

    Please download Combofix to your desktop.

    Open a blank Notepad. Save the command below in Bold text in the
    blank Notepad as a text file so that you can copy/paste it while in safe
    mode:
    "%userprofile%\desktop\combofix.exe" /wow

    Please print the instructions below.
    Then reboot your computer in safe mode.
    As soon as it starts to boot, rapidly press the F8 key.
    Select safe mode from the menu.
    If you are still unsure, see here.


    Once in safe mode and logged in as an Administrator, please continue with
    the instructions below:

    Go to start-->run and copy/paste in the following from the Notepad you
    saved and click "OK":
    "%userprofile%\desktop\combofix.exe" /wow

    When finished, it will produce a log for you. Save it and post that log
    in your next reply.

    Note:
    Do not mouse-click Combofix's window while it's running. That may cause
    it to stall. In your next post, please include:

    A new HijackThis log
    The Combofix log

    *use separate posts to ensure the logs don't get cut off!
  • zamizami Finland
    edited January 2007
    Due to lack of feedback, this topic has been closed.

    If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.