CureIt.log
=============================================================================
Dr.Web® Сканер для Windows v4.44.5 (4.44.5.08080)
© 1992-2008 Игорь Данилов. Авторские права защищены.
Отчет от: 2008-09-29, 08:51:01 [CAFESRV][SEPULTURA]
Командная строка: "C:DOCUME~1rootLOCALS~1TempaRarSFX0setup.exe" /lng:ru-cureit.dwl /ini:setup_XP.ini
Операционная система: Windows 2003 Enterprise Edition x86 (Build 3790)
=============================================================================
DwShield запущен
Версия поискового модуля: 4.44 (4.44.0.09170)
Версия интерфейса поискового модуля: 2.02
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX07d2d389d - 2107 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0c3621448 - 1513 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX05d2633a1 - 1600 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0c5196b2a - 1831 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0631e59e0 - 2215 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX068293f6c - 1556 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0dc744ef6 - 1885 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX04a0c9617 - 2094 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0e33935ac - 1696 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX04f040a13 - 3067 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0c383e98a - 3544 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0dbcc2ea9 - 1752 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX04351bf65 - 1310 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0712d37d6 - 4653 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX098ad03bc - 7112 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0ecaea130 - 2300 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX00ece36c6 - 2532 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0410c0e1e - 2410 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX04402e2fb - 4202 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0ef5ff132 - 5939 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0bb66e709 - 1088 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX038d4c43d - 1646 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0519bcac3 - 3563 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0a7a8fed7 - 5179 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX083944bc2 - 2885 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0ce0b71d9 - 5080 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0f42b00ff - 16365 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX000d0c93d - 13612 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX01588e992 - 1725 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0b5074d9e - 4099 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX025141a90 - 1319 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0b74be003 - 3709 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0680a32c2 - 6097 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX065d711db - 1097 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0fb7c5328 - 3605 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX09b2bf917 - 7770 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX03cef1d18 - 4210 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0e44dd3e6 - 1010 вирусных записей
[Вирусная база] C:DOCUME~1rootLOCALS~1TempaRarSFX0d2c37723 - 421 вирусны
Вот только это.. Может где то записывается ограничение на количество проверок или запусков?? Так где его изменить или стереть?
CureIt не запускается
Автор
Hazar
, мар 27 2008 14:29
42 ответов в этой теме
#22
Borka
-
- Members
- 19 512 Сообщений:
Забанен за флуд
Отправлено 29 Сентябрь 2008 - 12:05
Нет, ограничений нет. Попробуйте удалить лог, скачать и запустить КуреИт заново. Судя по базам, КуреИт старый.Может где то записывается ограничение на количество проверок или запусков??
---
С уважением,
Borka.
#23
SepUltura
-
- Members
- 11 Сообщений:
Newbie
Отправлено 30 Сентябрь 2008 - 16:57
Тут дело точно не в базах. Потому что тот самий файл CureIt на одном ПК запускается прекрасно, а на втором нагло не хочет открывать основное окно программы и проверять. Вот и сейчас, только что скачал файл за 30 сентября, на одном запускается, а на этом не хочет, хотя где несколько недель назад запускался.... Не помогло также стирание логов...
#24
userr
-
- Members
- 16 310 Сообщений:
Newbie
Отправлено 30 Сентябрь 2008 - 18:52
Скачайте файл http://slil.ru/26188952 (переименованный RkUnhooker, авторский дистрибутив здесь http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar) Запускаете, переходите на вкладку Report, кнопка Scan, убираете птичку на Files, меню File-save report. Покажите здесь.Тут дело точно не в базах. Потому что тот самий файл CureIt на одном ПК запускается прекрасно, а на втором нагло не хочет открывать основное окно программы и проверять. Вот и сейчас, только что скачал файл за 30 сентября, на одном запускается, а на этом не хочет, хотя где несколько недель назад запускался....
Скачайте HiJackThis http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe покажите лог.
При лечении выдернуть шнур Интернета
Попробуйте запустить CureIt in safe mode.
#25
SepUltura
-
- Members
- 11 Сообщений:
Newbie
Отправлено 01 Октябрь 2008 - 10:10
RkUnhooker
Report
>SSDT State
>Shadow
>Processes
>Drivers
>Stealth
>Hooks
ntoskrnl.exe+0x00006AAA, Type: Inline - RelativeJump 0x804E4AAA [ntoskrnl.exe]
[10952]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[11044]qip.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[11880]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[11952]qip.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1348]lserver.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1348]lserver.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1348]lserver.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1376]tftpd.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1376]tftpd.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1376]tftpd.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1412]dfssvc.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1412]dfssvc.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[144]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[144]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1540]tcpsvcs.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1540]tcpsvcs.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1540]tcpsvcs.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1620]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1664]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1768]winlogon.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1768]winlogon.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1812]services.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1812]services.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1824]lsass.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1824]lsass.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1824]lsass.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1996]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1996]svchost.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1996]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[200]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[2060]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[2068]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[2228]winlogon.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[3380]alg.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[3832]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[4000]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[4000]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[4156]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[444]svchost.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[464]csrss.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[464]csrss.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[500]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[500]svchost.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[500]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[6072]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[692]spoolsv.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[692]spoolsv.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[692]spoolsv.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[7196]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[7804]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[7832]WINWORD.EXE-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DA102C [shimeng.dll]
[7832]WINWORD.EXE-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C0100C [shimeng.dll]
[7832]WINWORD.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x300013D0 [shimeng.dll]
[7832]WINWORD.EXE-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77381300 [shimeng.dll]
[7832]WINWORD.EXE-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D0119C [shimeng.dll]
[7832]WINWORD.EXE-->user32.dll-->SystemParametersInfoA, Type: IAT modification 0x30001750 [AcGenral.dll]
[8136]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[908]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[908]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[940]mdm.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[940]mdm.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[964]nod32krn.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[964]nod32krn.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[964]nod32krn.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
HiJackThis
Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:33, on 01.10.2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal
Running processes:
C:Documents and SettingsrootWINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32msdtc.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:Program FilesEsetnod32krn.exe
C:WINDOWSsystem32lserver.exe
C:WINDOWSsystem32tftpd.exe
C:WINDOWSsystem32Dfssvc.exe
C:WINDOWSsystem32tcpsvcs.exe
C:WINDOWSSystem32alg.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSexplorer.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:Program FilesEsetnod32kui.exe
C:WINDOWSsystem32ctfmon.exe
D:SOFTStatBarStatBar.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32utilman.exe
C:WINDOWSsystem32logon.scr
C:Program FilesWinRARWinRAR.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:Program FilesEsetnod32kui.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesQIPqip.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:WINDOWSsystem32scrnsave.scr
C:TechQIPqip.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsrootDesktopHiJackThis.exe
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = about:blank
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSsystem32blank.htm
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext = http://kipesh.com/gate/gate.php
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,AutoConfigURL = http://www.eltech.com.ua/proxy.pac
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = ftp=212.1.102.50:3128
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:Documents and SettingsrootApplication DataMail.RuAgentMradllnewmrasearch.dll
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:WINDOWSsystem32userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.5.0_11binssv.dll
O2 - BHO: (no name) - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - (no file)
O4 - HKLM..Run: [igfxtray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [igfxhkcmd] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [igfxpers] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [nod32kui] "C:Program FilesEsetnod32kui.exe" /WAITSERVICE
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [MAgent] C:Documents and SettingsrootApplication DataMail.RuAgentMAgent.exe -CU
O4 - HKUSS-1-5-19..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User '?')
O4 - HKUSS-1-5-20..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1010..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1010..Run: [ClamWin] "C:Program FilesClamWinbinClamTray.exe" --logon (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1010..Run: [Firewall auto setup] C:DOCUME~1rootLOCALS~1Temp6winlogon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1011..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1012..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1014..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1015..Run: [[system]] C:WINDOWSsystem32driversservices.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1016..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1025..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1032..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1033..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1036..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-500..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User '?')
O4 - HKUSS-1-5-18..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User '?')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User 'Default user')
O4 - S-1-5-21-345283527-3745612841-3797334058-1025 Startup: StatBar.exe.lnk = D:SOFTStatBarStatBar.exe (User '?')
O4 - Startup: StatBar.exe.lnk = D:SOFTStatBarStatBar.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:PROGRA~1MICROS~1Office10EXCEL.EXE/3000
O8 - Extra context menu item: Автоматическое определение шаблона тематики - C:Program FilesPRMT6PRMTIEaot.htm
O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmieall.htm
O8 - Extra context menu item: Закачать при помощи Download Master - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmie.htm
O8 - Extra context menu item: Настройка перевода - C:Program FilesPRMT6PRMTIEoptions.htm
O8 - Extra context menu item: Перевести - C:Program FilesPRMT6PRMTIEtranslat.htm
O8 - Extra context menu item: Перевести страницу - C:Program FilesPRMT6PRMTIEpage.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:TechVisualRoute 2008vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:TechVisualRoute 2008vrie.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_11binnpjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_11binnpjpi150_11.dll
O9 - Extra button: Web Development Studio - {5541FAF3-07B6-4582-8968-C5C8EE902447} - http://delphiworld.narod.ru/wds.html (file missing)
O9 - Extra 'Tools' menuitem: Web Development Studio - {5541FAF3-07B6-4582-8968-C5C8EE902447} - http://delphiworld.narod.ru/wds.html (file missing)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:Program FilesPRMT6PRMTIEprmtie5.htm
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:Program FilesPRMT6PRMTIEprmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:Program FilesPRMT6PRMTIEoptions.htm
O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:Program FilesPRMT6PRMTIEoptions.htm
O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmaster.exe (file missing)
O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmaster.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:Documents and SettingsrootWINDOWSwebrelated.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:Documents and SettingsrootWINDOWSwebrelated.htm (file missing)
O9 - Extra button: Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:Documents and SettingsrootApplication DataMail.RuAgentmagent.exe (HKCU)
O9 - Extra 'Tools' menuitem: Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:Documents and SettingsrootApplication DataMail.RuAgentmagent.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:documents and settingsrootwindowssystem32mswsock.dll' missing
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLMSystemCCSServicesTcpip..{45D6C983-FF73-4DAF-BFCC-10E3425803B9}: NameServer = 10.0.0.2
O17 - HKLMSystemCCSServicesTcpip..{54448ED0-3359-404E-B2B8-6AF1E2B2419D}: NameServer = 10.0.0.2
O17 - HKLMSystemCCSServicesTcpip..{5855C288-3F64-455B-9771-54B22146FC63}: NameServer = 10.0.0.2
O17 - HKLMSystemCCSServicesTcpip..{CF274C4C-BE30-40C0-8BFE-E11AE575EA41}: NameServer = 10.0.0.2
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:Program FilesEsetnod32krn.exe
O23 - Service: PREVXAgent - Unknown owner - C:Program FilesPrevx2PXAgent.exe (file missing)
O23 - Service: PsViatau (PTsup5) - Trident Software - C:Program FilesTrident SoftwarePragmaptsup5.exe
--
End of file - 11471 bytes
Report
>SSDT State
>Shadow
>Processes
>Drivers
>Stealth
>Hooks
ntoskrnl.exe+0x00006AAA, Type: Inline - RelativeJump 0x804E4AAA [ntoskrnl.exe]
[10952]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[11044]qip.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[11880]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[11952]qip.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1348]lserver.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1348]lserver.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1348]lserver.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1348]lserver.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1376]tftpd.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1376]tftpd.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1376]tftpd.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1376]tftpd.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1412]dfssvc.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1412]dfssvc.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1412]dfssvc.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[144]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[144]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[144]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1540]tcpsvcs.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1540]tcpsvcs.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1540]tcpsvcs.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1540]tcpsvcs.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1620]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1664]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1768]winlogon.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1768]winlogon.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1768]winlogon.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1812]services.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1812]services.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1812]services.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1824]lsass.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1824]lsass.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1824]lsass.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1824]lsass.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[1996]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[1996]svchost.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[1996]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[1996]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[200]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[2060]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[2068]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[2228]winlogon.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[3380]alg.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[3832]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[4000]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[4000]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[4000]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[4156]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[444]svchost.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[464]csrss.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[464]csrss.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[464]csrss.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[500]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[500]svchost.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[500]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[500]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[6072]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[692]spoolsv.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[692]spoolsv.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[692]spoolsv.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[692]spoolsv.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[7196]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[7804]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[7832]WINWORD.EXE-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DA102C [shimeng.dll]
[7832]WINWORD.EXE-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C0100C [shimeng.dll]
[7832]WINWORD.EXE-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x300013D0 [shimeng.dll]
[7832]WINWORD.EXE-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77381300 [shimeng.dll]
[7832]WINWORD.EXE-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D0119C [shimeng.dll]
[7832]WINWORD.EXE-->user32.dll-->SystemParametersInfoA, Type: IAT modification 0x30001750 [AcGenral.dll]
[8136]firefox.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[908]svchost.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[908]svchost.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[908]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[940]mdm.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[940]mdm.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[940]mdm.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
[964]nod32krn.exe-->kernel32.dll+0x00008400, Type: Inline - RelativeJump 0x77E48400 [kernel32.dll]
[964]nod32krn.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT modification 0x77E41030 [imon.dll]
[964]nod32krn.exe-->ntdll.dll-->NtClose, Type: Inline - DirectJump 0x77F4238B [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtCreateFile, Type: Inline - DirectJump 0x77F42467 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtCreateKey, Type: Inline - DirectJump 0x77F424B7 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtCreateSection, Type: Inline - DirectJump 0x77F4256B [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtDeleteKey, Type: Inline - DirectJump 0x77F42683 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtDeleteValueKey, Type: Inline - DirectJump 0x77F426AB [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtRenameKey, Type: Inline - DirectJump 0x77F430E3 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtSetInformationFile, Type: Inline - DirectJump 0x77F43377 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - DirectJump 0x77F43543 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtTerminateProcess, Type: Inline - DirectJump 0x77F4360B [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtWriteFile, Type: Inline - DirectJump 0x77F43771 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtWriteFileGather, Type: Inline - DirectJump 0x77F43785 [unknown_code_page]
[964]nod32krn.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - DirectJump 0x77F437AD [unknown_code_page]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
HiJackThis
Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:33, on 01.10.2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal
Running processes:
C:Documents and SettingsrootWINDOWSSystem32smss.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32msdtc.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exe
C:Program FilesEsetnod32krn.exe
C:WINDOWSsystem32lserver.exe
C:WINDOWSsystem32tftpd.exe
C:WINDOWSsystem32Dfssvc.exe
C:WINDOWSsystem32tcpsvcs.exe
C:WINDOWSSystem32alg.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSexplorer.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxtray.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:Program FilesEsetnod32kui.exe
C:WINDOWSsystem32ctfmon.exe
D:SOFTStatBarStatBar.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32utilman.exe
C:WINDOWSsystem32logon.scr
C:Program FilesWinRARWinRAR.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:Program FilesEsetnod32kui.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32csrss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32rdpclip.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32igfxsrvc.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesQIPqip.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:WINDOWSsystem32scrnsave.scr
C:TechQIPqip.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsrootDesktopHiJackThis.exe
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = about:blank
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Local Page = C:WINDOWSsystem32blank.htm
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext = http://kipesh.com/gate/gate.php
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,AutoConfigURL = http://www.eltech.com.ua/proxy.pac
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = ftp=212.1.102.50:3128
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Ссылки
R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:Documents and SettingsrootApplication DataMail.RuAgentMradllnewmrasearch.dll
R3 - URLSearchHook: (no name) -
F2 - REG:system.ini: UserInit=C:WINDOWSsystem32userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocx
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.5.0_11binssv.dll
O2 - BHO: (no name) - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - (no file)
O4 - HKLM..Run: [igfxtray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [igfxhkcmd] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [igfxpers] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [nod32kui] "C:Program FilesEsetnod32kui.exe" /WAITSERVICE
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [MAgent] C:Documents and SettingsrootApplication DataMail.RuAgentMAgent.exe -CU
O4 - HKUSS-1-5-19..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User '?')
O4 - HKUSS-1-5-20..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1010..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1010..Run: [ClamWin] "C:Program FilesClamWinbinClamTray.exe" --logon (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1010..Run: [Firewall auto setup] C:DOCUME~1rootLOCALS~1Temp6winlogon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1011..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1012..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1014..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1015..Run: [[system]] C:WINDOWSsystem32driversservices.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1016..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1025..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1032..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1033..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-1036..Run: [] (User '?')
O4 - HKUSS-1-5-21-345283527-3745612841-3797334058-500..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe (User '?')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User '?')
O4 - HKUSS-1-5-18..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User '?')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - HKUS.DEFAULT..RunOnce: [tscuninstall] %systemroot%system32tscupgrd.exe (User 'Default user')
O4 - S-1-5-21-345283527-3745612841-3797334058-1025 Startup: StatBar.exe.lnk = D:SOFTStatBarStatBar.exe (User '?')
O4 - Startup: StatBar.exe.lnk = D:SOFTStatBarStatBar.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:PROGRA~1MICROS~1Office10EXCEL.EXE/3000
O8 - Extra context menu item: Автоматическое определение шаблона тематики - C:Program FilesPRMT6PRMTIEaot.htm
O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmieall.htm
O8 - Extra context menu item: Закачать при помощи Download Master - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmie.htm
O8 - Extra context menu item: Настройка перевода - C:Program FilesPRMT6PRMTIEoptions.htm
O8 - Extra context menu item: Перевести - C:Program FilesPRMT6PRMTIEtranslat.htm
O8 - Extra context menu item: Перевести страницу - C:Program FilesPRMT6PRMTIEpage.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:TechVisualRoute 2008vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:TechVisualRoute 2008vrie.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_11binnpjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.5.0_11binnpjpi150_11.dll
O9 - Extra button: Web Development Studio - {5541FAF3-07B6-4582-8968-C5C8EE902447} - http://delphiworld.narod.ru/wds.html (file missing)
O9 - Extra 'Tools' menuitem: Web Development Studio - {5541FAF3-07B6-4582-8968-C5C8EE902447} - http://delphiworld.narod.ru/wds.html (file missing)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:Program FilesPRMT6PRMTIEprmtie5.htm
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:Program FilesPRMT6PRMTIEprmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:Program FilesPRMT6PRMTIEoptions.htm
O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:Program FilesPRMT6PRMTIEoptions.htm
O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmaster.exe (file missing)
O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:Documents and SettingsDimentorMy DocumentsDownload Masterdmaster.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:Documents and SettingsrootWINDOWSwebrelated.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:Documents and SettingsrootWINDOWSwebrelated.htm (file missing)
O9 - Extra button: Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:Documents and SettingsrootApplication DataMail.RuAgentmagent.exe (HKCU)
O9 - Extra 'Tools' menuitem: Mail.Ru Агент - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:Documents and SettingsrootApplication DataMail.RuAgentmagent.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:documents and settingsrootwindowssystem32mswsock.dll' missing
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLMSystemCCSServicesTcpip..{45D6C983-FF73-4DAF-BFCC-10E3425803B9}: NameServer = 10.0.0.2
O17 - HKLMSystemCCSServicesTcpip..{54448ED0-3359-404E-B2B8-6AF1E2B2419D}: NameServer = 10.0.0.2
O17 - HKLMSystemCCSServicesTcpip..{5855C288-3F64-455B-9771-54B22146FC63}: NameServer = 10.0.0.2
O17 - HKLMSystemCCSServicesTcpip..{CF274C4C-BE30-40C0-8BFE-E11AE575EA41}: NameServer = 10.0.0.2
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:Program FilesEsetnod32krn.exe
O23 - Service: PREVXAgent - Unknown owner - C:Program FilesPrevx2PXAgent.exe (file missing)
O23 - Service: PsViatau (PTsup5) - Trident Software - C:Program FilesTrident SoftwarePragmaptsup5.exe
--
End of file - 11471 bytes
#26
account has been deleted
-
- Posters
- 2 837 Сообщений:
Massive Poster
Отправлено 01 Октябрь 2008 - 10:17
SepUltura, а лог не сутьпа приатачить к сообщению?, а то чуть колесико на мышке не отвалилось. Есть же какие то традиции, обычаи если хотите.
#27
v.martyanov
-
- Virus Analysts
-
- 8 308 Сообщений:
Guru
Отправлено 01 Октябрь 2008 - 10:55
Что-то там рассадник жестокий...
Присылайте в вирлаб файлы и номер тикета укажите потом:
C:Documents and SettingsrootWINDOWSSystem32smss.exe
C:WINDOWSsystem32scrnsave.scr
system32tscupgrd.exe - подозрительный он какой-то...
И как бы нехорошо держать СТОЛЬКО защитного софта одновременно. И ошметки от Prevx, и NOD и ClamAV... А тут еще и будный DrWeb должен с ними работать...
Присылайте в вирлаб файлы и номер тикета укажите потом:
C:Documents and SettingsrootWINDOWSSystem32smss.exe
C:WINDOWSsystem32scrnsave.scr
system32tscupgrd.exe - подозрительный он какой-то...
И как бы нехорошо держать СТОЛЬКО защитного софта одновременно. И ошметки от Prevx, и NOD и ClamAV... А тут еще и будный DrWeb должен с ними работать...
#28
Полимер
-
- Beta Testers
-
- 3 161 Сообщений:
Бетатестёр
Отправлено 01 Октябрь 2008 - 11:21
Еще вот это проверить:
C:DOCUME~1rootLOCALS~1Temp6winlogon.exe
C:DOCUME~1rootLOCALS~1Temp6winlogon.exe
#29
userr
-
- Members
- 16 310 Сообщений:
Newbie
Отправлено 01 Октябрь 2008 - 11:26
Я ведь просил - меню File-save report, а не из окна копировать. И разумеется в виде файла, как уже сказали.RkUnhooker
Report
У Вас древний Windows без SP, древний Internet Explorer, древняя Java, непонятно как организована АВ защита. И, разумеется, полно вредоносного программного обеспечения.Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
C:Program FilesJavajre1.5.0_11binssv.dll
CureIt в safe mode запускали ?
#30
SepUltura
-
- Members
- 11 Сообщений:
Newbie
Отправлено 01 Октябрь 2008 - 11:56
Дайте пожалуйста силку на этот вирлаб...
А на щет защитного софта, то у меня стоит только NOD, а ClamAV был раньше и я его снес кидроней бабушки, бо от него толку никакого....
Мхе))
А на щет защитного софта, то у меня стоит только NOD, а ClamAV был раньше и я его снес кидроней бабушки, бо от него толку никакого....
Мхе))
#31
v.martyanov
-
- Virus Analysts
-
- 8 308 Сообщений:
Guru
Отправлено 01 Октябрь 2008 - 11:57
Ну ClamAv в логах очень даже есть... Ссылка на вирлаб внизу каждой страницы.
#32
SepUltura
-
- Members
- 11 Сообщений:
Newbie
Отправлено 01 Октябрь 2008 - 11:59
Windows 2003 Server
IExplore заблокирован для пользователей. все пользуются только Firefox. В безопасном запускал - не запускается.
Мхе))
IExplore заблокирован для пользователей. все пользуются только Firefox. В безопасном запускал - не запускается.
Мхе))
#33
userr
-
- Members
- 16 310 Сообщений:
Newbie
Отправлено 01 Октябрь 2008 - 12:14
Для него давно уже SP2 вышел. У Вас машина как сервер используется или как рабочая станция? Зачем на сервере qip и Mail.Ru Агент ?Windows 2003 Server
Где лог RkUnhooker ? Вам предстоит долго и упорно лечиться. Вполне возможно, юзеры Вашего сервера тоже заражены.
#34
SepUltura
-
- Members
- 11 Сообщений:
Newbie
Отправлено 01 Октябрь 2008 - 17:25
ПК используется как сервер. QIP и Mail Agent нужны при работе пользователям.. NODом проверял, ничего такого не нашел. так что нащет долго лечится сомневаюсь.. хотя кто ево знает что єто такое, или "что" блокирует запуск CureIt. Лог RkUnhooker присоединяю
Мхе))
Мхе))
#35
userr
-
- Members
- 16 310 Сообщений:
Newbie
Отправлено 01 Октябрь 2008 - 18:35
Каким это пользователям нужны qip и Mail.Ru Агент НА СЕРВЕРЕ??ПК используется как сервер. QIP и Mail Agent нужны при работе пользователям..
Да сомневайтесь сколько хотите. Здесь принудительно лечат только тех, у кого drweb стоит. ;)NODом проверял, ничего такого не нашел. так что нащет долго лечится сомневаюсь..
Не надо больше никаких логов, и CureIt не надо больше запускать.
Пациент от лечения отказался.
#36
Borka
-
- Members
- 19 512 Сообщений:
Забанен за флуд
Отправлено 01 Октябрь 2008 - 18:54
Гы! :PЗдесь принудительно лечат только тех, у кого drweb стоит. ;)
---
С уважением,
Borka.
#37
SepUltura
-
- Members
- 11 Сообщений:
Newbie
Отправлено 02 Октябрь 2008 - 08:45
Ооо, еще как нужны!! Думаю для вас слово терминальный сервер что-то говорит ;). Вот в нас сервер на интернет кафе такой и стоит. Только вот что с CureIt делать.Каким это пользователям нужны qip и Mail.Ru Агент НА СЕРВЕРЕ??
Мхе))
#38
SergM
-
- Moderators
- 9 387 Сообщений:
Guru
Отправлено 02 Октябрь 2008 - 08:52
Да ничего не делайте. У вас стоит "авторитет" NOD32, которому вы безоговорочно верите, так к чему тут разговоры все.Только вот что с CureIt делать.
#39
Dmitry Ermolaev
-
- Posters
- 36 Сообщений:
Newbie
Отправлено 02 Октябрь 2008 - 08:57
Каким это пользователям нужны qip и Mail.Ru Агент НА СЕРВЕРЕ??
Сервер терминалов.
#40
SepUltura
-
- Members
- 11 Сообщений:
Newbie
Отправлено 02 Октябрь 2008 - 10:41
Пожалуйста, не надо ехидничать... для меня NOD вообще не показатель, мне он категорически не нравится, я наооборот хочу с временем на drweb перейти, но пока против директора ведь не пойдеш, вот мне и надо чтоби CureIt работал, бо только он пока сервер от вирусов спасал...Да ничего не делайте. У вас стоит "авторитет" NOD32, которому вы безоговорочно верите, так к чему тут разговоры все
Мхе))
