warm_boy_8x

New Member
Hijack Hunter 1.8.4.1



Log created on 1/29/2011 at 9:48:22 PM



[+] Generic system info



Operating System: Microsoft Windows XP Service Pack 3 32-bit


Build Version: 2600.xpsp.080413-2111


Internet Explorer: 8.0.6001.18702


System Folder: C:\WINDOWS\system32



[+] Running processes



[System Process] (0 bytes) (Unknown) () (HSAR) (d41d8cd98f00b204e9800998ecf8427e)


System (0 bytes) (Unknown) () (HSAR) (d41d8cd98f00b204e9800998ecf8427e)


C:\WINDOWS\system32\Ati2evxx.exe (598016 bytes) (ATI Technologies Inc.) (6/28/2010 8:56:06 AM) (--A-) (eca673779ecd27d674953d692fe070f6)


C:\Program Files\Avira\AntiVir Desktop\sched.exe (135336 bytes) (Avira GmbH) (6/28/2010 10:45:55 AM) (--A-) (ca8a0e78c3bbbad05a9a132bc468df9c)


C:\Program Files\Avira\AntiVir Desktop\avguard.exe (267944 bytes) (Avira GmbH) (6/28/2010 10:45:54 AM) (--A-) (48be1fcff1c929c899f29bcdc8659d9f)


C:\Program Files\Java\jre6\bin\jqs.exe (153376 bytes) (Sun Microsystems, Inc.) (10/6/2009 7:42:28 PM) (--A-) (112325f53ab720ca77825726d427fbdc)


C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (29263712 bytes) (Microsoft Corporation) (11/24/2008 10:31:10 PM) (--A-) (4263dcf845b089e397c7c3bfc74f04fe)


C:\WINDOWS\system32\PnkBstrA.exe (66872 bytes) (Unknown) (9/28/2010 5:11:03 PM) (--A-) (831883b107684301f48ace752c963984)


C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (76968 bytes) (Avira GmbH) (6/28/2010 10:45:55 AM) (--A-) (8c91bd35ae9aa8b628eec5e637bb1d0f)


C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (87904 bytes) (Microsoft Corporation) (11/24/2008 10:31:12 PM) (--A-) (d2f4f32b59440011174b4f8137af4e0c)


C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (602392 bytes) (Yahoo! Inc.) (11/10/2008 3:48:14 AM) (--A-) (dd0042f0c3b606a6a8b92d49afb18ad6)


C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (56928 bytes) (Cyberlink Corp.) (10/6/2009 10:54:28 PM) (----) (56f676060d70ba066459478824510bea)


C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (281768 bytes) (Avira GmbH) (6/28/2010 10:45:54 AM) (--A-) (c983e62b6fb74457d173ba93f66f6068)


C:\WINDOWS\RTHDCPL.EXE (17676288 bytes) (Realtek Semiconductor Corp.) (6/28/2010 8:56:16 AM) (--A-) (3b1764f98494b0c93f0df5572c7629e8)


C:\Program Files\Unikey32\UniKeyNT.exe (261632 bytes) (Unknown) (7/3/2010 8:38:38 PM) (--A-) (862fc3dd4330b4678a864e657140e1b4)


C:\Program Files\Internet Download Manager\IEMonitor.exe (263600 bytes) (Tonec Inc.) (5/25/2010 10:28:58 PM) (--A-) (207b16fa69f61d1895f8d8532f587e4b)


C:\Program Files\Avira\AntiVir Desktop\avscan.exe (435368 bytes) (Avira GmbH) (6/28/2010 10:45:55 AM) (--A-) (9469a0ce83b9656e7ca6f940daf965fb)


chrome.exe (0 bytes) (Unknown) () (HSAR) (d41d8cd98f00b204e9800998ecf8427e)


C:\Program Files\Internet Download Manager\IDMan.exe (3270040 bytes) (Tonec Inc.) (1/24/2011 8:13:12 AM) (--A-) (0ab4577560d3f1b98c8de691a201326c)


C:\Program Files\NoVirusThanks\Hijack Hunter\HijackHunter.exe (628736 bytes) (NoVirusThanks Company Srl) (1/29/2011 9:45:25 PM) (--A-) (b6ffa83b91d78a0369fe0e15e4dba69c)


msfeedssync.exe (0 bytes) (Microsoft Corporation) () (HSAR) (d41d8cd98f00b204e9800998ecf8427e)



[+] Loaded Modules



C:\WINDOWS\system32\Ati2evxx.dll (143360 bytes) (ATI Technologies Inc.) (6/28/2010 8:56:07 AM) (--A-) (db326a97e844964af487d6ffde28256b)


C:\WINDOWS\system32\msacm32.drv (20480 bytes) (Microsoft Corporation) (8/23/2001 7:00:00 PM) (--A-) (9a3bd5f55aadff859539142f6328a66e)


C:\WINDOWS\AppPatch\AcAdProc.dll (39424 bytes) (Microsoft Corporation) (4/14/2008 10:41:50 AM) (--A-) (ea9ee60b408878e5f2012f9c783836db)


C:\WINDOWS\system32\Ati2edxx.dll (43520 bytes) (ATI Technologies, Inc.) (6/28/2010 8:56:07 AM) (--A-) (68169471fa71b327ed009b80cddc82de)


C:\WINDOWS\system32\atipdlxx.dll (188416 bytes) (ATI Technologies, Inc.) (6/28/2010 8:56:07 AM) (--A-) (df585de3b2ae3ce0fb72eb562bb989a7)


C:\WINDOWS\system32\Normaliz.dll (23552 bytes) (Microsoft Corporation) (1/7/2009 6:20:36 PM) (--A-) (10753a3adc3e39a3b10cc3f08e98e6b4)


C:\WINDOWS\system32\iertutil.dll (1985536 bytes) (Microsoft Corporation) (3/8/2009 4:32:22 AM) (--A-) (803a6176020d97e68704b211bfe7d255)


C:\WINDOWS\system32\mdimon.dll (17920 bytes) (Microsoft Corporation) (10/6/2009 9:22:05 PM) (--A-) (cf0376023360aadd55c89ba50564afdc)


C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll (18944 bytes) (Microsoft Corporation) (10/6/2009 9:22:05 PM) (--A-) (58e13a2292839321d3cdc918d5a4f5ae)


C:\WINDOWS\system32\odbcbcp.dll (24576 bytes) (Microsoft Corporation) (4/14/2008 10:42:04 AM) (--A-) (369f7b1a4f358b976176556a1a331f36)


C:\WINDOWS\system32\MSCOREE.DLL (270848 bytes) (Microsoft Corporation) (9/23/2005 7:28:52 AM) (--A-) (c749f552cba8e0dd2a0268df044985f4)


C:\WINDOWS\system32\sqlncli.dll (2248544 bytes) (Microsoft Corporation) (11/24/2008 10:31:10 PM) (--A-) (1f5585ee39c5b6629ae82205d5c7e84b)


C:\WINDOWS\system32\SQLNCLIR.RLL (205528 bytes) (Microsoft Corporation) (10/14/2005 2:48:56 AM) (--A-) (19e8e01fa6bfedd71f92e2adf3725d50)


C:\WINDOWS\system32\ieframe.dll (11067392 bytes) (Microsoft Corporation) (3/8/2009 4:39:48 AM) (--A-) (964fe5abad6d9a1e38797219514db5b2)


C:\WINDOWS\system32\WPDShServiceObj.dll (52224 bytes) (Microsoft Corporation) (4/19/2006 1:01:34 AM) (----) (9ba50416b769387c619c3ec6bf3cbb85)


C:\WINDOWS\system32\PortableDeviceTypes.dll (168960 bytes) (Microsoft Corporation) (4/19/2006 1:01:20 AM) (----) (36bf42ca5ae8bf8d1e1bc00ed5068abb)


C:\WINDOWS\system32\PortableDeviceApi.dll (345600 bytes) (Microsoft Corporation) (4/19/2006 1:01:28 AM) (----) (1f8c6bbebecbed21e002f45c18d523e9)


C:\WINDOWS\system32\CmdLineExt.dll (98304 bytes) (Sony DADC Austria AG.) (6/30/2010 3:31:19 PM) (--A-) (0aa300b8dcf8b4324ec491d6a44d4dab)



[+] Registry startups



Value: RemoteControl


Data: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: LanguageShortcut


Data: "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: avgnt


Data: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: Adobe Reader Speed Launcher


Data: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: Adobe ARM


Data: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: RTHDCPL


Data: RTHDCPL.EXE


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: Alcmtr


Data: ALCMTR.EXE


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: UniKey


Data: C:\Program Files\Unikey32\UniKeyNT.exe


Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: ctfmon.exe


Data: C:\WINDOWS\system32\ctfmon.exe


Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: Google Update


Data: "C:\Documents and Settings\USER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c


Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: SpeedBitVideoAccelerator


Data: "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" /startup


Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: IDMan


Data: C:\Program Files\Internet Download Manager\IDMan.exe /onboot


Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run



Value: StubPath


Data: C:\WINDOWS\system32\ieudinit.exe


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}



Value: SCRNSAVE.EXE


Data: C:\WINDOWS\system32\ssflwbox.scr


Key: HKEY_CURRENT_USER\Control Panel\Desktop



Value: {0055C089-8582-441B-A0BF-17B458C2A3A8}


Data: C:\Program Files\Internet Download Manager\IDMIECC.dll


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}



Value: {02478D38-C3F9-4efb-9B51-7695ECA05670}


Data: C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}



Value: {18DF081C-E8AD-4283-A596-FA578C2EBDC3}


Data: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}



Value: {d2ce3e00-f94a-4740-988e-03dc2f38c34f}


Data: C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}



Value: {DBC80044-A445-435b-BC74-9C25C1C588A9}


Data: C:\Program Files\Java\jre6\bin\jp2ssv.dll


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}



Value: {E7E6F031-17CE-4C07-BC86-EABFE594F69C}


Data: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}



Value: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}


Data: C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}




[+] Other Startups Methods



Value: WPDShServiceObj


Data: C:\WINDOWS\system32\WPDShServiceObj.dll


CLSID: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}


Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad



Value: DLLName


Data: Ati2evxx.dll


Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent




[+] Startup folders




[+] TCPIP nameservers




[+] Internet Explorer settings



Value: Start Page


Data:


Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main



Value: ProxyOverride


Data: local


Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings




[+] Internet Explorer Trusted Sites




[+] Windows Firewall allowed programs



Value: %windir%\Network Diagnostic\xpnetdiag.exe


Data: %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


Data: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\Phi Doi(game)\Launcher.atm


Data: E:\Phi Doi(game)\Launcher.atm:Enabled:GameExe2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\Phi Doi(game)\Res-Voip\SCVoIP.exe


Data: E:\Phi Doi(game)\Res-Voip\SCVoIP.exe:Enabled:GameVoIP


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\Phi Doi(game)\Music\Launcher.atm


Data: E:\Phi Doi(game)\Music\Launcher.atm:Enabled:GameExe2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\Phi Doi(game)\Music\Res-Voip\SCVoIP.exe


Data: E:\Phi Doi(game)\Music\Res-Voip\SCVoIP.exe:Enabled:GameVoIP


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: D:\phidoi test\Launcher.atm


Data: D:\phidoi test\Launcher.atm:Enabled:GameExe2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: D:\phidoi test\Res-Voip\SCVoIP.exe


Data: D:\phidoi test\Res-Voip\SCVoIP.exe:Enabled:GameVoIP


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: D:\ACE Online\Launcher.atm


Data: D:\ACE Online\Launcher.atm:Enabled:GameExe2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: D:\ACE Online\Res-Voip\SCVoIP.exe


Data: D:\ACE Online\Res-Voip\SCVoIP.exe:Enabled:GameVoIP


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\ACE Online\Launcher.atm


Data: E:\ACE Online\Launcher.atm:Enabled:GameExe2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\ACE Online\Res-Voip\SCVoIP.exe


Data: E:\ACE Online\Res-Voip\SCVoIP.exe:Enabled:GameVoIP


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: C:\WINDOWS\system32\PnkBstrA.exe


Data: C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:pnkBstrA


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: C:\WINDOWS\system32\PnkBstrB.exe


Data: C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:pnkBstrB


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\BoomSpeed\NMService.exe


Data: E:\BoomSpeed\NMService.exe:*:Enabled:Nexon Messenger Core


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: C:\Documents and Settings\USER\Local Settings\Temp\7ZipSfx.000\CF_Downloader.exe


Data: C:\Documents and Settings\USER\Local Settings\Temp\7ZipSfx.000\CF_Downloader.exe:*:Enabled:pT2Downloader


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\cod 5\CoDWaWmp.exe


Data: E:\cod 5\CoDWaWmp.exe:*:Disabled:Call of Duty(R) - World at War(TM)


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\cod 5\CoDWaW.exe


Data: E:\cod 5\CoDWaW.exe:*:Disabled:Call of Duty(R) - World at War(TM)


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\GenesisAD\GenesisAD\AnotherDay.exe


Data: E:\GenesisAD\GenesisAD\AnotherDay.exe:*:Enabled:AnotherDay


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\GenesisAD\GenesisAD\GameConsole.bin


Data: E:\GenesisAD\GenesisAD\GameConsole.bin:*:Enabled:adhost


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: C:\Program Files\uTorrent\uTorrent.exe


Data: C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\AirRivals_EN\New Folder\Launcher.atm


Data: E:\AirRivals_EN\New Folder\Launcher.atm:Enabled:GameExe2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\AirRivals_EN\New Folder\Res-Voip\SCVoIP.exe


Data: E:\AirRivals_EN\New Folder\Res-Voip\SCVoIP.exe:Enabled:GameVoIP


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\DRivals\Launcher.atm


Data: E:\DRivals\Launcher.atm:Enabled:GameExe2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: E:\DRivals\Res-Voip\SCVoIP.exe


Data: E:\DRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List



Value: %windir%\Network Diagnostic\xpnetdiag.exe


Data: %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List




[+] Windows Firewall allowed ports



Value: 1900:UDP


Data: 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List



Value: 2869:TCP


Data: 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List




[+] System Hijack



Value: DisableSR


Data: 1


Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore



Value: Hidden


Data: 2


Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced



Value: ShowSuperHidden


Data: 0


Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced



Value: FirstRunDisabled


Data: 1


Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center



Value: AntiVirusDisableNotify


Data: 1


Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center



Value: FirewallDisableNotify


Data: 1


Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center



Value: UpdatesDisableNotify


Data: 1


Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center



Value: EnableDCOM


Data: Y


Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole



Value: Start


Data: 2


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry



Value: Start


Data: 4


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv



Value: Wallpaper


Data: C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Wallpaper1.bmp


Key: HKEY_CURRENT_USER\Control Panel\Desktop



Value: OriginalWallpaper


Data: C:\Documents and Settings\USER\Local Settings\Application Data\Microsoft\Wallpaper1.bmp


Key: HKEY_CURRENT_USER\Control Panel\Desktop



Value: ConvertedWallpaper


Data: D:\wallpaper giáng sinh\White_Christmas_by_adni18.jpg


Key: HKEY_CURRENT_USER\Control Panel\Desktop




[+] Executables in Temp folders



C:\DOCUME~1\USER\LOCALS~1\Temp\cabex.dll (94208 bytes) (Unknown) (1/10/2011 6:25:29 PM) (--A-) (580affd9e4c729204ebb193808382bd4)


C:\DOCUME~1\USER\LOCALS~1\Temp\CmdLineExt02.dll (36864 bytes) (Unknown) (10/22/2010 9:14:32 PM) (--A-) (e60a8e3889df3c95e5f8fe2473db889e)


C:\DOCUME~1\USER\LOCALS~1\Temp\dwmapi.dll (37376 bytes) (Microsoft Corporation) (7/29/2009 9:06:38 AM) (--A-) (7ac53e9745beaa47568c7766a01e112e)


C:\DOCUME~1\USER\LOCALS~1\Temp\GLFB.tmp.tbHero.dll (2349080 bytes) (Conduit Ltd.) (8/3/2010 9:29:29 AM) (--A-) (455e61a2cf37f7210df685e2b77bfbe3)


C:\DOCUME~1\USER\LOCALS~1\Temp\LF2_v20a_Setup.exe (29471591 bytes) (Unknown) (11/4/2010 2:12:17 AM) (--A-) (cf0ae7424106d23c3759217b87fb5943)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@188@C592A8.### (2048 bytes) (Unknown) (11/15/2010 3:45:57 PM) (--A-) (b6f864ac519e0f07dc368281bc854bfd)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@418@C592A8.### (2048 bytes) (Unknown) (11/14/2010 5:16:54 PM) (--A-) (761ee2a769784275569e2ce9e9ae93f0)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@630@C592A8.### (2048 bytes) (Unknown) (11/15/2010 3:45:04 PM) (--A-) (d36e622ce83ccc015cf73b9f21829647)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@68C@C592A8.### (2048 bytes) (Unknown) (11/15/2010 3:45:28 PM) (--A-) (fa59106ef84669d4b5025563f6471a54)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@7CC@C592A8.### (2048 bytes) (Unknown) (11/16/2010 2:44:35 PM) (--A-) (d4ba87ee397ae5e807e0682b4d290b7c)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@9B0@C592A8.### (2048 bytes) (Unknown) (9/15/2010 12:10:06 PM) (--A-) (7b117a35f7151c73de8dda098b184833)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@B18@C592A8.### (2048 bytes) (Unknown) (11/15/2010 6:22:40 PM) (--A-) (76fb454d9f6f7826b2526ea75c4e40cb)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@D30@C592A8.### (2048 bytes) (Unknown) (11/24/2010 9:47:45 AM) (--A-) (100af056d29da18fcc72b0fb9875f8d8)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@D34@C592A8.### (2048 bytes) (Unknown) (11/20/2010 4:43:40 PM) (--A-) (b66efa21735d8177f79125d868e0da1f)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@D38@C592A8.### (2048 bytes) (Unknown) (11/24/2010 7:30:48 AM) (--A-) (e2900183dda62dda8b9c2ba6dfe56a5d)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@D74@C592A8.### (2048 bytes) (Unknown) (11/14/2010 5:09:40 PM) (--A-) (09c077365c42fd15a0655f0f0f7a6da7)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@DE8@27568D0.### (2048 bytes) (Unknown) (7/24/2010 3:32:20 AM) (--A-) (b8b9313295fb24d84a9a37ce93cfad86)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@E88@C592A8.### (2048 bytes) (Unknown) (11/16/2010 2:32:39 PM) (--A-) (d413ff02fdb8929214b1c1c4b4ef3c2d)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@EA8@C592A8.### (2048 bytes) (Unknown) (11/13/2010 10:41:21 AM) (--A-) (f9866cdec5515d380850dea06883ba79)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@EB4@C592A8.### (2048 bytes) (Unknown) (11/22/2010 11:04:49 AM) (--A-) (707c4f2dfb92449728a30a7ff67befe4)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@EE8@C592D0.### (2048 bytes) (Unknown) (11/15/2010 3:49:27 PM) (--A-) (b0c1dec4bb9d6ce0307a7e4b7b56665d)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@EEC@C592A8.### (2048 bytes) (Unknown) (11/26/2010 8:01:28 AM) (--A-) (8664533e89d7dd5f9a733aadcbf60454)


C:\DOCUME~1\USER\LOCALS~1\Temp\MBX@F74@C592A8.### (2048 bytes) (Unknown) (11/20/2010 4:44:03 PM) (--A-) (daf4458bee8bf0de086eb8364af78dd8)


C:\DOCUME~1\USER\LOCALS~1\Temp\msvcp71.dll (499712 bytes) (Microsoft Corporation) (7/29/2009 9:06:38 AM) (--A-) (561fa2abb31dfa8fab762145f81667c2)


C:\DOCUME~1\USER\LOCALS~1\Temp\msxml6-KB927977-enu-x86.exe (910080 bytes) (Microsoft Corporation) (6/28/2010 10:22:11 AM) (--A-) (ecf7b649bc6a5794621c78bbce88159a)


C:\DOCUME~1\USER\LOCALS~1\Temp\mtasa-1.0.4-rc-02033-0-000-nsis.exe (2734467 bytes) (Unknown) (10/13/2010 6:15:21 AM) (--A-) (6ad7a7799b070ca6b32201375d3dae9a)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5B.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:50 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5C.tmp (578560 bytes) (Microsoft Corporation) (1/29/2011 12:34:50 PM) (--A-) (b26b135ff1b9f60c9388b4a7d16f600b)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5D.tmp (617472 bytes) (Microsoft Corporation) (1/29/2011 12:34:50 PM) (--A-) (bab489a5fe26f2d0c910cf7af7e4cf92)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5E.tmp (706048 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (27d9ed8cb8b62d1e0a8e5ace6cf52e2f)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5F.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d)


C:\DOCUME~1\USER\LOCALS~1\Temp\np60.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d)


C:\DOCUME~1\USER\LOCALS~1\Temp\np61.tmp (578560 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (b26b135ff1b9f60c9388b4a7d16f600b)


C:\DOCUME~1\USER\LOCALS~1\Temp\np62.tmp (617472 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (bab489a5fe26f2d0c910cf7af7e4cf92)


C:\DOCUME~1\USER\LOCALS~1\Temp\np63.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:58 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d)


C:\DOCUME~1\USER\LOCALS~1\Temp\np64.tmp (578560 bytes) (Microsoft Corporation) (1/29/2011 12:34:58 PM) (--A-) (b26b135ff1b9f60c9388b4a7d16f600b)


C:\DOCUME~1\USER\LOCALS~1\Temp\np65.tmp (617472 bytes) (Microsoft Corporation) (1/29/2011 12:34:58 PM) (--A-) (bab489a5fe26f2d0c910cf7af7e4cf92)


C:\DOCUME~1\USER\LOCALS~1\Temp\Psapi.Dll (18192 bytes) (Microsoft Corporation) (7/29/2009 9:06:38 AM) (--A-) (b3d22a483875a61cb2060c7d518effc2)


C:\DOCUME~1\USER\LOCALS~1\Temp\SecurityScan_Release.exe (3598224 bytes) (McAfee, Inc.) (10/10/2010 1:40:22 AM) (--A-) (b2c46c7064c867f4722a0f51cf18fb62)


C:\DOCUME~1\USER\LOCALS~1\Temp\SIntf32.dll (19924 bytes) (Unknown) (10/22/2010 9:14:32 PM) (--A-) (36058fd9c9713188411f783dcc0ac500)


C:\DOCUME~1\USER\LOCALS~1\Temp\SIntfNT.dll (24516 bytes) (Unknown) (10/22/2010 9:14:32 PM) (--A-) (42c9db97bb3c55ecd6ba50e77aca4f49)


C:\DOCUME~1\USER\LOCALS~1\Temp\Uninstall.exe (85844 bytes) (Unknown) (12/27/2010 5:56:58 AM) (--A-) (722e74daa9eb2f1d5a1cb996282687be)


C:\DOCUME~1\USER\LOCALS~1\Temp\vcredist_x86.exe (4216840 bytes) (Microsoft Corporation) (8/24/2010 8:08:55 PM) (--A-) (5689d43c3b201dd3810fa3bba4a6476a)


C:\DOCUME~1\USER\LOCALS~1\Temp\wPQr_p9U.exe.part (567664 bytes) (Google Inc.) (9/16/2010 3:21:16 AM) (--A-) (f995e950cf5de1c816f84905f32c772d)


C:\DOCUME~1\USER\LOCALS~1\Temp\zing_ui_skin.dat (377856 bytes) (Unknown) (7/29/2009 9:06:38 AM) (--A-) (60af708ad4f0bc03dd888b1ceafca0cd)


C:\DOCUME~1\USER\LOCALS~1\Temp\~e5.0001 (59392 bytes) (Macrovision Europe Ltd.) (10/22/2010 10:05:07 PM) (--A-) (388bc430a34394a2b8ebfd16508ab3ac)



[+] Executables in suspicious folders



C:\WINDOWS\Temp\contentDATs.exe (497296 bytes) (McAfee, Inc.) (10/10/2010 1:41:01 AM) (--A-) (48176f75d6d125a4d345d78cb94a6c48)


C:\Documents and Settings\USER\Application Data\PnkBstrK.sys (22328 bytes) (Unknown) (9/28/2010 5:11:40 PM) (--A-) (c3e33580a3a85be28612b83d0c321e20)


C:\WINDOWS\system32\npptNT2.sys (4682 bytes) (INCA Internet Co., Ltd.) (8/19/2010 3:02:29 AM) (--A-) (9131fe60adfab595c8da53ad6a06aa31)


C:\WINDOWS\system32\TesSafe.sys (541824 bytes) (TENCENT) (7/8/2010 1:15:26 AM) (--A-) (c1f511d49c2902ba21ca1a974bf3835a)


C:\Program Files\windows nt\hypertrm.exe (28160 bytes) (Hilgraeve, Inc.) (10/6/2009 6:13:19 PM) (--A-) (9dbb82fb602aa42b131c55c5d136dc9c)



[+] Autorun.ini




[+] Unknown .SYS files



C:\WINDOWS\system32\drivers\ahcix86.sys (183824 bytes) (AMD Technologies Inc.) (12/1/2008 5:21:39 PM) (--A-) (bfed486888067b7935b3c9f5951c41be)


C:\WINDOWS\system32\drivers\Ambfilt.sys (1684736 bytes) (Creative) (6/28/2010 8:56:20 AM) (--A-) (f6af59d6eee5e1c304f7f73706ad11d8)


C:\WINDOWS\system32\drivers\amdk8.sys (41984 bytes) (Advanced Micro Devices) (12/1/2008 5:21:38 PM) (--A-) (1b0806a92432bf6e9def9fbf0494f67d)


C:\WINDOWS\system32\drivers\ati2erec.dll (53248 bytes) (ATI Technologies Inc.) (6/28/2010 8:56:07 AM) (--A-) (96cb5f6bde6aae00be45d9fcf1f88a84)


C:\WINDOWS\system32\drivers\avgntdd.sys (45416 bytes) (Avira GmbH) (6/28/2010 10:45:54 AM) (--A-) (5b44c214f9cd9f590be9125347610380)


C:\WINDOWS\system32\drivers\avgntflt.sys (61960 bytes) (Avira GmbH) (6/28/2010 10:45:54 AM) (--A-) (47b879406246ffdced59e18d331a0e7d)


C:\WINDOWS\system32\drivers\avgntmgr.sys (22360 bytes) (Avira GmbH) (6/28/2010 10:45:54 AM) (--A-) (87451aa7cc6b6a590ebcea05e755075a)


C:\WINDOWS\system32\drivers\avipbb.sys (135096 bytes) (Avira GmbH) (6/28/2010 10:45:55 AM) (--A-) (da39805e2bad99d37fce9477dd94e7f2)


C:\WINDOWS\system32\drivers\BkavAuto.sys (33798 bytes) (Unknown) (10/6/2009 10:14:24 PM) (--A-) (68d68d16ee1af3388a5b56345171f9f7)


C:\WINDOWS\system32\drivers\cpuz135_x32.sys (21992 bytes) (CPUID) (12/16/2010 11:13:42 PM) (--A-) (c2eb4539a4f6ab6edd01bdc191619975)


C:\WINDOWS\system32\drivers\hdaudbus.sys (144384 bytes) (Windows (R) Server 2003 DDK provider) (4/14/2008 3:06:06 AM) (--A-) (573c7d0a32852b48f3058cfd8026f511)


C:\WINDOWS\system32\drivers\iastor5.sys (874240 bytes) (Intel Corporation) (12/1/2008 5:21:39 PM) (--A-) (309c4d86d989fb1fcf64bd30dc81c51b)


C:\WINDOWS\system32\drivers\iastor7.sys (277784 bytes) (Intel Corporation) (12/1/2008 5:21:39 PM) (--A-) (fd7f9d74c2b35dbda400804a3f5ed5d8)


C:\WINDOWS\system32\drivers\iastor8.sys (328728 bytes) (Intel Corporation) (12/1/2008 5:21:39 PM) (--A-) (baabb0301949774a66b955c65319635a)


C:\WINDOWS\system32\drivers\idmtdi.sys (97112 bytes) (Tonec Inc.) (1/25/2011 5:40:06 PM) (--A-) (0ded5397f34f5b4ae61674d7303557d9)


C:\WINDOWS\system32\drivers\imagedrv.sys (5504 bytes) (Ahead Software AG) (10/6/2009 8:45:28 PM) (----) (0a7c49b48c772591a2d362daa00246c8)


C:\WINDOWS\system32\drivers\imagesrv.sys (125184 bytes) (Ahead Software AG) (10/6/2009 8:45:28 PM) (----) (549ba4f539e7b8d8129500b96dd7b27a)


C:\WINDOWS\system32\drivers\iteatapi.sys (27648 bytes) (Integrated Technology Express, Inc.) (12/1/2008 5:21:39 PM) (--A-) (39a2f7ebcb6817c4a016b544921c7982)


C:\WINDOWS\system32\drivers\iteraid.sys (26112 bytes) (Integrated Technology Express, Inc.) (12/1/2008 5:21:39 PM) (--A-) (979836fc6dc05218b4e93e5ccea5654b)


C:\WINDOWS\system32\drivers\Jraid.sys (79960 bytes) (JMicron Technology Corp.) (12/1/2008 5:21:39 PM) (--A-) (b07084095f8c03aadb9811c9df14b5e4)


C:\WINDOWS\system32\drivers\m5228.sys (45069 bytes) (ALi Corporation.) (12/1/2008 5:21:39 PM) (--A-) (06c174e5c7845055c3d6317709af6423)


C:\WINDOWS\system32\drivers\m5281.sys (51072 bytes) (ALi Corporation) (12/1/2008 5:21:39 PM) (--A-) (a51cd61975297508d4483fcbf931d86c)


C:\WINDOWS\system32\drivers\m5287.sys (103680 bytes) (ULi Electronics Inc.) (12/1/2008 5:21:39 PM) (--A-) (87cf2d570f452a5c1b9fc5c5a44389a5)


C:\WINDOWS\system32\drivers\m5288.sys (210304 bytes) (ULi Electronics Inc.) (12/1/2008 5:21:39 PM) (--A-) (485ed377977dc9661626aaab614504cf)


C:\WINDOWS\system32\drivers\m5289.sys (52480 bytes) (ULi Electronics Inc.) (12/1/2008 5:21:39 PM) (--A-) (e1ca1ea9ad7c8c50ea533829a6854d63)


C:\WINDOWS\system32\drivers\Monfilt.sys (1389056 bytes) (Creative Technology Ltd.) (6/28/2010 8:56:20 AM) (--A-) (9fa7207d1b1adead88ae8eed9cdbbaa5)


C:\WINDOWS\system32\drivers\nvatabus.sys (100736 bytes) (NVIDIA Corporation) (12/1/2008 5:21:39 PM) (--A-) (c03e15101f6d9e82cd9b0e7d715f5de3)


C:\WINDOWS\system32\drivers\nvgts.sys (145952 bytes) (NVIDIA Corporation) (12/1/2008 5:21:39 PM) (--A-) (37954cd1d0afc11becd149f7c3ec88c2)


C:\WINDOWS\system32\drivers\nvraid.sys (82944 bytes) (NVIDIA Corporation) (12/1/2008 5:21:39 PM) (--A-) (b65ce56c36f573113ff2f6d0f07b7563)


C:\WINDOWS\system32\drivers\nvrd32.sys (133152 bytes) (NVIDIA Corporation) (12/1/2008 5:21:39 PM) (--A-) (bef704aa9e17d176a46ddf77c6a52194)


C:\WINDOWS\system32\drivers\PnkBstrK.sys (138464 bytes) (Unknown) (9/28/2010 5:11:40 PM) (--A-) (6d2dbe236cf5ef94e4be1969d1b6d304)


C:\WINDOWS\system32\drivers\rndismpk.sys (27264 bytes) (Microsoft Corporation) (12/7/2010 10:40:52 AM) (--A-) (af79f98e2a9720995badd93cca1d4e01)


C:\WINDOWS\system32\drivers\Rtenicxp.sys (117888 bytes) (Realtek Semiconductor Corporation) (6/28/2010 8:56:23 AM) (--A-) (839141088ad7ee90f5b441b2d1afd22c)


C:\WINDOWS\system32\drivers\RtHDMI.sys (3720832 bytes) (Realtek Semiconductor Corp.) (6/28/2010 8:56:20 AM) (--A-) (8d9794c6ff5b66bc38d5e66a4b0e3b4f)


C:\WINDOWS\system32\drivers\RtkHDAud.sys (4952576 bytes) (Realtek Semiconductor Corp.) (6/28/2010 8:56:20 AM) (--A-) (fb4293b1eab313c28d4a1b8db61aca72)


C:\WINDOWS\system32\drivers\RTL8187B.sys (275968 bytes) (Realtek Semiconductor Corporation) (10/6/2009 7:37:45 PM) (--AR) (56b331a3e315c53532cc7084e5b6dfc4)


C:\WINDOWS\system32\drivers\secdrv.sys (20480 bytes) (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) (4/14/2008 3:09:16 AM) (--A-) (90a3935d05b494a5a39d37e71f09a677)


C:\WINDOWS\system32\drivers\sffp_mmc.sys (10240 bytes) (Microsoft Corporation) (4/14/2008 5:10:50 AM) (--A-) (d66d22d76878bf3483a6be30183fb648)


C:\WINDOWS\system32\drivers\si3112r.sys (102528 bytes) (Silicon Image, Inc) (12/1/2008 5:21:39 PM) (--A-) (c82f9b4993f502361067e3ab61d46f7a)


C:\WINDOWS\system32\drivers\sisraid.sys (48128 bytes) (Silicon Integrated Systems) (12/1/2008 5:21:39 PM) (--A-) (826b83cdaafb6e164bbc1d77cb99e2ce)


C:\WINDOWS\system32\drivers\sisraid2.sys (30976 bytes) (Silicon Integrated Systems Corp) (12/1/2008 5:21:39 PM) (--A-) (b8a2f8dcdc75f19962d975727f393920)


C:\WINDOWS\system32\drivers\sisraid4.sys (68864 bytes) (Silicon Integrated Systems) (12/1/2008 5:21:39 PM) (--A-) (af43fbb04fd9acc46a115b50d7c11e1a)


C:\WINDOWS\system32\drivers\siwinacc.sys (10368 bytes) (Silicon Image, Inc.) (12/1/2008 5:21:39 PM) (--A-) (72cf151fb410e544904dbc7d7f29b796)


C:\WINDOWS\system32\drivers\SRS_SSCFilter_i386.sys (268912 bytes) (Unknown) (6/28/2010 2:38:36 PM) (--AR) (25ecea986742275ecb23a1cb6bc87a61)


C:\WINDOWS\system32\drivers\ssmdrv.sys (28520 bytes) (Avira GmbH) (6/28/2010 10:45:55 AM) (--A-) (a36ee93698802cd899f98bfd553d8185)


C:\WINDOWS\system32\drivers\SysLib.sys (57857143 bytes) (Unknown) (10/6/2009 10:14:24 PM) (--A-) (252593a7867287721a19d55c41f3f83e)


C:\WINDOWS\system32\drivers\SysLib0.sys (33713664 bytes) (Unknown) (10/6/2009 10:14:49 PM) (--A-) (a7190e64e9311d27ae280f5ac52e8ee4)


C:\WINDOWS\system32\drivers\SysLib1.sys (9450496 bytes) (Unknown) (10/6/2009 10:14:54 PM) (--A-) (327849bd00621d6c86ccbb6ff0ed95ac)


C:\WINDOWS\system32\drivers\usb8023k.sys (11136 bytes) (Microsoft Corporation) (12/7/2010 10:40:52 AM) (--A-) (f39039d5c96c1d3ac2a637a659dbf282)


C:\WINDOWS\system32\drivers\viamraid.sys (117248 bytes) (VIA Technologies inc,.ltd) (12/1/2008 5:21:39 PM) (--A-) (00046aa2e396edc2238556e740a8e5af)


C:\WINDOWS\system32\drivers\vmscsi.sys (17968 bytes) (VMware, Inc.) (12/1/2008 5:21:39 PM) (--A-) (82132036ee4d3e8aa3e73feebe1a9741)


C:\WINDOWS\system32\drivers\wpdusb.sys (40704 bytes) (Microsoft Corporation) (4/19/2006 1:01:26 AM) (----) (f6c0eb46c66c7be80f22115ecb44b1f0)



[+] Non accessible files




[+] Executables in Internet Explorer Folder



C:\Program Files\Internet Explorer\ExtExport.exe (144384 bytes) (Microsoft Corporation) (3/8/2009 4:35:04 AM) (----) (44d37a87f00d8684ad907dae295f67fb)


C:\Program Files\Internet Explorer\iecompat.dll (100352 bytes) (Microsoft Corporation) (3/8/2009 4:35:04 AM) (----) (eed9645cfc825b42d1178d8ae2392cc4)


C:\Program Files\Internet Explorer\iedvtool.dll (742912 bytes) (Microsoft Corporation) (3/8/2009 4:35:32 AM) (----) (bd3c4101b9340e697c9eb0c9c7c9fedf)


C:\Program Files\Internet Explorer\ieproxy.dll (246272 bytes) (Microsoft Corporation) (3/8/2009 4:33:50 AM) (----) (1424612f4eed15fef3c216db72d18e3e)


C:\Program Files\Internet Explorer\iexplore.exe.mui (12288 bytes) (Microsoft Corporation) (3/8/2009 2:21:44 PM) (----) (943030b55fdb56fb8b8fcc086071e119)


C:\Program Files\Internet Explorer\jsdbgui.dll (521216 bytes) (Microsoft Corporation) (3/8/2009 4:35:02 AM) (----) (33db6e706fd3a2271033c5d29b3d6f76)


C:\Program Files\Internet Explorer\jsdebuggeride.dll (121344 bytes) (Microsoft Corporation) (3/8/2009 4:35:02 AM) (----) (3494af094cfb1d1b9a3c1ce255492b6c)


C:\Program Files\Internet Explorer\JSProfilerCore.dll (118272 bytes) (Microsoft Corporation) (3/8/2009 4:35:04 AM) (----) (d68cc4e775420716b6abc4d188d5d316)


C:\Program Files\Internet Explorer\jsprofilerui.dll (233984 bytes) (Microsoft Corporation) (3/8/2009 4:35:12 AM) (----) (0f6a0675181d3ae76755986f3bf9e598)


C:\Program Files\Internet Explorer\pdm.dll (355832 bytes) (Microsoft Corporation) (1/7/2009 6:20:18 PM) (----) (3ca2dfd1ee857cde7dccf4235f52d142)


C:\Program Files\Internet Explorer\sqmapi.dll (134144 bytes) (Microsoft Corporation) (1/7/2009 6:20:54 PM) (----) (5eb87ba0b93ca7e894fc8002e3ce4c2a)


C:\Program Files\Internet Explorer\xpshims.dll (12800 bytes) (Microsoft Corporation) (3/8/2009 4:33:18 AM) (----) (64c5c0f1a40c26fe6362825c044578c5)



[+] Files created/modified 15 days ago



C:\WINDOWS\system32\drivers\idmtdi.sys (97112 bytes) (Tonec Inc.) (1/25/2011 5:40:06 PM) (--A-) (0ded5397f34f5b4ae61674d7303557d9) (Created)


C:\Program Files\Avira\AntiVir Desktop\aecore.dll (196983 bytes) (Avira GmbH) (1/21/2011 6:08:03 PM) (--A-) (afff0fff53ae04747c340868ab1cfa27) (Modified)


C:\Program Files\Avira\AntiVir Desktop\aegen.dll (397683 bytes) (Avira GmbH) (1/21/2011 6:08:10 PM) (--A-) (165152efdc31f4046ede52116e403107) (Modified)


C:\Program Files\Avira\AntiVir Desktop\aeoffice.dll (205178 bytes) (Avira GmbH) (1/19/2011 2:00:25 AM) (--A-) (8baa75903e65e4cdd742dc8c22c09924) (Modified)


C:\Program Files\Avira\AntiVir Desktop\aepack.dll (512374 bytes) (Avira GmbH) (1/21/2011 6:09:09 PM) (--A-) (66f9f6f5817e42f478178cc44b95f096) (Modified)


C:\Program Files\Avira\AntiVir Desktop\FAILSAFE\aecore.dll (196983 bytes) (Avira GmbH) (1/21/2011 6:08:03 PM) (--A-) (afff0fff53ae04747c340868ab1cfa27) (Modified)


C:\Program Files\Avira\AntiVir Desktop\FAILSAFE\aegen.dll (397683 bytes) (Avira GmbH) (1/21/2011 6:08:10 PM) (--A-) (165152efdc31f4046ede52116e403107) (Modified)


C:\Program Files\Avira\AntiVir Desktop\FAILSAFE\aeoffice.dll (205178 bytes) (Avira GmbH) (1/19/2011 2:00:25 AM) (--A-) (8baa75903e65e4cdd742dc8c22c09924) (Modified)


C:\Program Files\Avira\AntiVir Desktop\FAILSAFE\aepack.dll (512374 bytes) (Avira GmbH) (1/21/2011 6:09:09 PM) (--A-) (66f9f6f5817e42f478178cc44b95f096) (Modified)


C:\Program Files\Error Repair Professional\ErrorRepairProfessional.exe (756224 bytes) ( ) (1/26/2011 4:30:43 PM) (--A-) (a953d9a94da28d4d17cb298ecfb58629) (Created)


C:\Program Files\Error Repair Professional\unins000.exe (707354 bytes) (Unknown) (1/26/2011 4:30:43 PM) (--A-) (4e66abde2217634ed899f670968ea651) (Created)


C:\Program Files\Gabest\VobSub\auxsetup.exe (69632 bytes) (Unknown) (1/27/2011 6:31:23 PM) (--A-) (666a1e7eb3dfadb5ece37b3e3b42fd06) (Created)


C:\Program Files\Gabest\VobSub\uninstall.exe (53043 bytes) (Unknown) (1/27/2011 6:29:10 PM) (--A-) (184d889ce1297bcd98d54dd83d284fad) (Created)


C:\Program Files\Gabest\VobSub\vdicmdrv.dll (69632 bytes) (Unknown) (1/27/2011 6:31:23 PM) (--A-) (82bc6afc48dbbcc1278c8ee97f38ed4e) (Created)


C:\Program Files\Gabest\VobSub\vdremote.dll (73728 bytes) (Unknown) (1/27/2011 6:31:23 PM) (--A-) (97d56ad27c8a00d675e904e9b8f861e3) (Created)


C:\Program Files\Gabest\VobSub\vdsvrlnk.dll (65536 bytes) (Unknown) (1/27/2011 6:31:23 PM) (--A-) (e22d57c04b06e6c1c35b1910a5dc3336) (Created)


C:\Program Files\Gabest\VobSub\vdub.exe (8704 bytes) (Unknown) (1/27/2011 6:31:23 PM) (--A-) (9d8e0c408c975ea24a2a94d8930f1132) (Created)


C:\Program Files\Gabest\VobSub\VirtualDub.exe (2670592 bytes) (Unknown) (1/27/2011 6:31:22 PM) (--A-) (bafd24e8bd9d6a0cdb347809d4a68093) (Created)


C:\Program Files\Internet Download Manager\idmbrbtn.dll (79040 bytes) (Tonec Inc.) (1/25/2011 5:40:06 PM) (--A-) (4cc8015a3602710e7701328273bca511) (Created)


C:\Program Files\Internet Download Manager\IDMShellExt.dll (67680 bytes) (Tonec Inc.) (1/25/2011 5:40:06 PM) (--A-) (c2752cffb1418b0b2174eff338414934) (Created)


C:\Program Files\Internet Download Manager\idmtdi32.sys (97112 bytes) (Tonec Inc.) (1/25/2011 5:40:06 PM) (--A-) (0ded5397f34f5b4ae61674d7303557d9) (Created)


C:\Program Files\Internet Download Manager\idmwfp32.sys (85768 bytes) (Tonec Inc.) (1/25/2011 5:40:06 PM) (--A-) (a99b28d267c4d661d976975db9c6726f) (Created)


C:\Program Files\Internet Download Manager\Uninstall.exe (147808 bytes) (Tonec Inc.) (1/24/2011 10:29:26 PM) (--A-) (826658235b00b2976291fc58f0b3a4ef) (Created)


C:\Program Files\NoVirusThanks\Hijack Hunter\HijackHunter.exe (628736 bytes) (NoVirusThanks Company Srl) (1/29/2011 9:45:25 PM) (--A-) (b6ffa83b91d78a0369fe0e15e4dba69c) (Created)


C:\Program Files\NoVirusThanks\Hijack Hunter\nhdrv.sys (4608 bytes) (NoVirusThanks Company Srl) (1/29/2011 9:45:28 PM) (--A-) (8f40312ac7b0f3d0246fe52105e4f1d7) (Created)


C:\Program Files\NoVirusThanks\Hijack Hunter\unins000.exe (707354 bytes) (Unknown) (1/29/2011 9:45:24 PM) (--A-) (eecf7fe501b410aa3733bb0b23ab678a) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5B.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:50 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5C.tmp (578560 bytes) (Microsoft Corporation) (1/29/2011 12:34:50 PM) (--A-) (b26b135ff1b9f60c9388b4a7d16f600b) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5D.tmp (617472 bytes) (Microsoft Corporation) (1/29/2011 12:34:50 PM) (--A-) (bab489a5fe26f2d0c910cf7af7e4cf92) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5E.tmp (706048 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (27d9ed8cb8b62d1e0a8e5ace6cf52e2f) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np5F.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np60.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np61.tmp (578560 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (b26b135ff1b9f60c9388b4a7d16f600b) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np62.tmp (617472 bytes) (Microsoft Corporation) (1/29/2011 12:34:55 PM) (--A-) (bab489a5fe26f2d0c910cf7af7e4cf92) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np63.tmp (989696 bytes) (Microsoft Corporation) (1/29/2011 12:34:58 PM) (--A-) (c24b983d211c34da8fcc1ac38477971d) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np64.tmp (578560 bytes) (Microsoft Corporation) (1/29/2011 12:34:58 PM) (--A-) (b26b135ff1b9f60c9388b4a7d16f600b) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\np65.tmp (617472 bytes) (Microsoft Corporation) (1/29/2011 12:34:58 PM) (--A-) (bab489a5fe26f2d0c910cf7af7e4cf92) (Created)


C:\DOCUME~1\USER\LOCALS~1\Temp\Uninstall.exe (85844 bytes) (Unknown) (1/19/2011 5:30:56 AM) (--A-) (722e74daa9eb2f1d5a1cb996282687be) (Modified)


C:\DOCUME~1\USER\LOCALS~1\Temp\_ir_sf7_temp_0\irsetup.exe (451072 bytes) (Unknown) (1/28/2011 11:50:21 PM) (--A-) (75ca7ff96bf5a316c3af2de6a412bd54) (Created)



[+] Hidden files in suspicious folders




[+] Suspicious Registry Keys




[+] Suspicious folders




[+] Drivers



c:\program files\avira\antivir desktop\avgio.sys (avgio) (avgio) (Avira GmbH) (0b497c79824f8e1bf22fa6aacd3de3a0)


C:\WINDOWS\system32\drivers\avgntflt.sys (avgntflt) (avgntflt) (Avira GmbH) (47b879406246ffdced59e18d331a0e7d)


C:\WINDOWS\system32\drivers\avipbb.sys (avipbb) (avipbb) (Avira GmbH) (da39805e2bad99d37fce9477dd94e7f2)


c:\windows\system32\drivers\cpuz135_x32.sys (cpuz135) (cpuz135) (CPUID) (c2eb4539a4f6ab6edd01bdc191619975)


C:\WINDOWS\system32\drivers\hdaudbus.sys (HDAudBus) (Microsoft UAA Bus Driver for High Definition Audio) (Windows (R) Server 2003 DDK provider) (573c7d0a32852b48f3058cfd8026f511)


C:\WINDOWS\system32\drivers\idmtdi.sys (IDMTDI) (IDMTDI) (Tonec Inc.) (0ded5397f34f5b4ae61674d7303557d9)


C:\WINDOWS\system32\drivers\rtkhdaud.sys (IntcAzAudAddService) (Service for Realtek HD Audio (WDM)) (Realtek Semiconductor Corp.) (fb4293b1eab313c28d4a1b8db61aca72)


C:\WINDOWS\system32\drivers\rthdmi.sys (RTHDMIAzAudService) (Service for HDMI) (Realtek Semiconductor Corp.) (8d9794c6ff5b66bc38d5e66a4b0e3b4f)


C:\WINDOWS\system32\drivers\ssmdrv.sys (ssmdrv) (ssmdrv) (Avira GmbH) (a36ee93698802cd899f98bfd553d8185)


C:\WINDOWS\system32\drivers\syslib0.sys (SysLib0) (SysLib0) (Unknown) (a7190e64e9311d27ae280f5ac52e8ee4)


C:\WINDOWS\system32\drivers\syslib1.sys (SysLib1) (SysLib1) (Unknown) (327849bd00621d6c86ccbb6ff0ed95ac)



[+] Drivers -> FSFilter Anti-Virus



Driver Name: avgntflt


Driver File: system32\DRIVERS\avgntflt.sys


Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgntflt




[+] Services



c:\program files\avira\antivir desktop\sched.exe (AntiVirSchedulerService) (Avira AntiVir Scheduler) (Avira GmbH) (ca8a0e78c3bbbad05a9a132bc468df9c)


c:\program files\avira\antivir desktop\avguard.exe (AntiVirService) (Avira AntiVir Guard) (Avira GmbH) (48be1fcff1c929c899f29bcdc8659d9f)


c:\windows\system32\ati2evxx.exe (Ati HotKey Poller) (Ati HotKey Poller) (ATI Technologies Inc.) (eca673779ecd27d674953d692fe070f6)


c:\program files\java\jre6\bin\jqs.exe (JavaQuickStarterService) (Java Quick Starter) (Sun Microsystems, Inc.) (112325f53ab720ca77825726d427fbdc)


c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe (MSSQL$SQLEXPRESS) (SQL Server (SQLEXPRESS)) (Microsoft Corporation) (4263dcf845b089e397c7c3bfc74f04fe)


c:\windows\system32\pnkbstra.exe (PnkBstrA) (PnkBstrA) (Unknown) (831883b107684301f48ace752c963984)


c:\program files\microsoft sql server\90\shared\sqlwriter.exe (SQLWriter) (SQL Server VSS Writer) (Microsoft Corporation) (d2f4f32b59440011174b4f8137af4e0c)


c:\program files\yahoo!\softwareupdate\yahooauservice.exe (YahooAUService) (Yahoo! Updater) (Yahoo! Inc.) (dd0042f0c3b606a6a8b92d49afb18ad6)



[+] ServiceDll




[+] Unknown files in Winsock LSP




[+] Unknown files in CLSID



C:\WINDOWS\system32\DVobSub.ax (249856 bytes) (Gabest) (12/11/2002 3:19:59 PM) (--A-) (9b8413cad2279f7d2c92506270fd820e)


C:\WINDOWS\system32\ImagXpr7.dll (476320 bytes) (Pegasus Imaging Corp.) (10/6/2009 8:44:52 PM) (----) (8f03fd1c3bd8f6b575e6cf5e0e89ff13)


C:\WINDOWS\system32\hypertrm.dll (347136 bytes) (Hilgraeve, Inc.) (10/6/2009 6:12:51 PM) (--A-) (277bdf16a94be0d063988d692541650b)


C:\WINDOWS\system32\NCTAudioRecord2.dll (311296 bytes) (NCT Company Ltd.) (12/14/2010 2:56:24 AM) (--A-) (b387a235ef3d1738e5568d710a2d665e)


C:\WINDOWS\system32\ir50_32.dll (755200 bytes) (Intel Corporation) (4/14/2008 10:41:56 AM) (--A-) (5f10dc19d92ccf6b719b494572f4f74b)


C:\WINDOWS\system32\VSFLEX3.OCX (225280 bytes) (VideoSoft) (1/5/1999 5:30:02 PM) (--A-) (c758ebc719c0d07b1b0e251c77f11bfd)


C:\WINDOWS\system32\ir41_32.ax (848384 bytes) (Intel Corporation) (4/14/2008 10:42:44 AM) (--A-) (948e1498c6438625247f94534aaa82fe)


C:\WINDOWS\system32\NCTAudioFile2.dll (1843200 bytes) (NCT Company Ltd.) (12/14/2010 2:56:24 AM) (--A-) (c3b700291807619d95cd185be6621444)


C:\WINDOWS\system32\l3codecx.ax (83456 bytes) (Fraunhofer Institut Integrierte Schaltungen IIS) (8/23/2001 7:00:00 PM) (--A-) (b5a7a5a67ecc144117d1e7d5352a2f6a)


C:\WINDOWS\system32\acelpdec.ax (61952 bytes) (Sipro Lab Telecom Inc.) (8/23/2001 7:00:00 PM) (--A-) (d0a33c77354a6f12ccd8034e4429a30d)


C:\WINDOWS\system32\AniGIF.ocx (172032 bytes) (Jin Hui E-mail: [email protected] Web: ) (1/10/2011 6:25:40 PM) (--A-) (45960b40c1ecb75ed5549a80049879e1)


C:\WINDOWS\system32\NCTWMAFile2.dll (196608 bytes) (NCT Company Ltd.) (12/14/2010 2:56:25 AM) (--A-) (fbd2c562b4cd14c0107804433acf7fe2)


C:\WINDOWS\system32\l3codeca.acm (290816 bytes) (Fraunhofer Institut Integrierte Schaltungen IIS) (4/14/2008 10:39:58 AM) (--A-) (452705ac9e4c0dde91a61f0e02292423)


C:\WINDOWS\system32\NCTAudioPlayer2.dll (315392 bytes) (NCT Company Ltd.) (12/14/2010 2:56:24 AM) (--A-) (13073ceca55e0c35a62ffe9518505e6e)


C:\WINDOWS\system32\hticons.dll (44544 bytes) (Hilgraeve, Inc.) (10/6/2009 6:13:19 PM) (--A-) (f759a6e14403bc3d7a55ccad1b8f7b4a)


C:\WINDOWS\system32\RTCOM\RTCOMDLL.dll (266240 bytes) (Unknown) (6/28/2010 8:56:20 AM) (--A-) (bd47529c036933881b6d651d6a046e38)


C:\WINDOWS\system32\NCTAudioInformation2.dll (1040384 bytes) (NCT Company Ltd.) (12/14/2010 2:56:24 AM) (--A-) (f8d0e33605ede0f5c5d83215bae3ab55)


C:\WINDOWS\system32\iac25_32.ax (199680 bytes) (Intel Corporation) (4/14/2008 10:42:44 AM) (--A-) (877c90686858d899b042bba45e9b7f2c)


C:\WINDOWS\system32\deploytk.dll (411368 bytes) (Sun Microsystems, Inc.) (10/6/2009 7:42:37 PM) (--A-) (fea9e1745f7a500b1046012131c78227)


C:\WINDOWS\system32\RTCOM\RTLCPAPI.dll (131072 bytes) (Unknown) (6/28/2010 8:56:20 AM) (--A-) (05229a9335934a9414c9ee1696b11f2c)



[+] TCP Connections



svchost.exe -> 0.0.0.0:135 -> 0.0.0.0:41026 -> LISTENING


N/A -> 0.0.0.0:445 -> 0.0.0.0:39006 -> LISTENING


alg.exe -> 127.0.0.1:1029 -> 0.0.0.0:24676 -> LISTENING


jqs.exe -> 127.0.0.1:5152 -> 0.0.0.0:55412 -> LISTENING


N/A -> 192.168.1.50:139 -> 0.0.0.0:2176 -> LISTENING


chrome.exe -> 192.168.1.50:1619 -> 74.125.71.165:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1624 -> 74.125.71.139:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1628 -> 74.125.71.156:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1644 -> 63.150.131.16:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1665 -> 74.125.71.138:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1666 -> 222.255.27.197:80 -> ESTABLISHED


N/A -> 192.168.1.50:1737 -> 208.94.3.144:80 -> TIME_WAIT


chrome.exe -> 192.168.1.50:1740 -> 208.94.1.99:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1741 -> 208.94.3.144:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1745 -> 74.125.71.138:80 -> ESTABLISHED


chrome.exe -> 192.168.1.50:1748 -> 74.125.71.113:80 -> ESTABLISHED



[+] UDP Connections



N/A -> 0.0.0.0:445 -> *.*


lsass.exe -> 0.0.0.0:500 -> *.*


lsass.exe -> 0.0.0.0:4500 -> *.*


svchost.exe -> 127.0.0.1:123 -> *.*


svchost.exe -> 127.0.0.1:1038 -> *.*


svchost.exe -> 127.0.0.1:1900 -> *.*


PnkBstrA.exe -> 127.0.0.1:44301 -> *.*


svchost.exe -> 192.168.1.50:123 -> *.*


N/A -> 192.168.1.50:137 -> *.*


N/A -> 192.168.1.50:138 -> *.*


svchost.exe -> 192.168.1.50:1900 -> *.*



[+] Hosts file



205.199.44.156 registeridm.com


205.199.44.16 registeridm.com


127.0.0.1



[+] Ring3 API Hooks



C:\WINDOWS\Explorer.EXE -> KERNEL32.DLL->GetProcAddress -> ShimEng.dll -> IAT



[+] Kernel Mode Info



[SSDT] NtCreateKey -> 0xBA7B159E -> 0x80623786 -> N/A


[SSDT] NtCreateThread -> 0xBA7B1594 -> 0x805D0FD4 -> N/A


[SSDT] NtDeleteKey -> 0xBA7B15A3 -> 0x80623C16 -> N/A


[SSDT] NtDeleteValueKey -> 0xBA7B15AD -> 0x80623DE6 -> N/A


[SSDT] NtLoadKey -> 0xBA7B15B2 -> 0x80625982 -> N/A


[SSDT] NtOpenProcess -> 0xBA7B1580 -> 0x805CB3FC -> N/A


[SSDT] NtOpenThread -> 0xBA7B1585 -> 0x805CB688 -> N/A


[SSDT] NtReplaceKey -> 0xBA7B15BC -> 0x80625832 -> N/A


[SSDT] NtRestoreKey -> 0xBA7B15B7 -> 0x8062513E -> N/A


[SSDT] NtSetValueKey -> 0xBA7B15A8 -> 0x80621D0C -> N/A



---


Finish [ 0:13:22 ]
 

ngochankha

New Member
Looked through it once and my eyes hurt. Looks like there is nothing there, except for a few files such as RTLCPAPI.dll (unknown), which are unclear. You should check those. But just run an antivirus scan and you will know.
 

Afham

New Member
I don't have enough posts yet, so I can't hit thanks. When I do, I'll thank you. For now, a verbal thanks.
 

army_quan

New Member
After reading for a while, I realized you should just use antivirus software; it's faster.
 

Pell

New Member
For this, try using antivirus software, like KIS or CMC or Avira or something.
 

quataoxanh0_0

New Member
haunghe10: "After reading for a while, I realized you should just use antivirus software; it's faster." Same opinion. It's like a jungle, who can read all that? Use antivirus software, friend.
 

Henson

New Member
For this, just take it to a shop and it'll be fine. With that much to look at, after reading it you'd have to go buy dizziness medicine.
 
Posting it like that, after reading it nobody can tell what is a virus and what isn't. In short, use an antivirus to scan in Safe Mode. Good luck.
 

honghoa2033

New Member
You should delete everything in the temp folder. Viruses very often sit there. Also go to Start --> Run, type Temp, and delete everything. As for whether you are infected or not, scan with an antivirus and you will know.
 
