Firefox tab pops

By hyperdrive
Jun 12, 2008
Topic Status:
Not open for further replies.
  1. i have a problem. while using firefox a new tab appears with a complicated address that starts with

    89.188.16.23/go//

    it seems to have no content, but it just pops in a new tab.

    also browser helper objects always reappear every startup even if i've already removed the .dll file with regrun from the startup before.

    also trojan.agent reappears everytime even after i've removed them using spyware doctor. the registry entries of this trojan are

    HKEY_Local_Machine\software\microsoft\aoprndtws
    ..... software\microsoft\rdfa
  2. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    http://whois.domaintools.com/89.188.16.23

    I need to see a Hijackthis log
    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    here is the hijack log
  4. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    before we continue did you have IE7 and uninstall it? or did you have problems installing it?
  5. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    yes, i installed it before but i uninstalled it recently coz i thought it might help remove the bho's
  6. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Ok your log looks ok. Are you located in the Phillipenes?

    It is up to you but I recommend installing IE7 when we are done.

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  7. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    yup from the Philippines

    i reinstalled IE7 already as you suggested

    that's weird, in the automated email that was sent to me you suggested that i use kaspersky online av scanner. but in this forum, you suggested malwarebytes.

    anyway, i used the malwarebytes instead of kaspersky.

    i already scanned and deleted, the log is attached.

    it asked me to reboot so that one file could be removed after reboot.

    i thought you should also know that when i restarted, my spyware doctor which is set to automatically scan at startup still found trojan.vundo that is located in the temporary internet files. it's low threat according to spyware doc. however, these files always appear everytime I scan.

    waiting for your next instructions....=)
  8. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    -----------------------------------------------------------------

    Manually clear cache

    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

    ----------------------------------------------------

    Disable any real time protection by right clicking it in the system tray and disabling. After we are done be sure to turn back on

    -----------------------------------------------------

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  9. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    that's weird. i can't attach files anymore.

    so im just posting the text of the combofix and HJT.
  10. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    sorry forgot to paste.

    ---------------


    ComboFix 08-06-12.2 - Jay Garcia 2008-06-14 5:14:15.1 - NTFSx86
    Running from: C:\Documents and Settings\Jay Garcia\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 05:31, on 2008-06-14
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Elantech\ktp.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/se...uct=Norton 360&version=1.0.0.0&build=Symantec
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
    O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
    O4 - HKLM\..\RunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1211322666015
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CCCBD78E-AD40-4064-BC83-70652C56FB72}: NameServer = 58.69.254.104,58.69.254.140
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 7570 bytes
  11. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Where is the rest of the combofix log
  12. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    that was the only thing inside the text file.

    the txt file was on C:\ComboFix\ComboFix.txt

    there wasn't any txt file on C:\ itself
  13. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    If you already have IE7 please remove the following Hijackthis entries
    O4 - HKLM\..\RunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
    O4 - HKLM\..\RunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe



    Please attempt to run combofix again and attach or copy/paste the log for me

    I would also like to see this file if present

    C:\ComboFix-quarantined-files.txt
     
  14. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    ok i tried to run the combofix again, and this time it produced a log. before i ran combofix, i disabled norton, spyware doc, regrun.

    i've attached the log.txt from combofix.

    after combofix, i also ran HJT again. i also attached the hijack file.

    regarding the deleting of the entries, i'm not sure what you mean by that and know how to do it. do you mean delete it from the hijack.log text file or something else?

    anyway, i think it's still in the new hijack log.

    thanx btw =)
  15. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I will work up a fix from this, but it's not going to be easy, you have some nasties on here. Forget about fixing with Hijackthis for now. I will give instructions with more details shortely

    For the mean time please do the following.

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
  16. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    i did everything.

    here's the report.txt
  17. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Only run option 1 for now!!!!

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Double-click SmitfraudFix.exe
    • Select 1 and hit Enter
    • The report can be found at the root of the system drive, usually at C:\rapport.txt

    I am almost certain that winlogon is infected
  18. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    ok, i only chose 1

    the rapport is here
  19. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Open notepad and copy and paste next bold in it:

    regedit /e peek1.txt
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon"
    type peek1.txt >> look.txt
    del peek*.txt
    start notepad look.txt


    Make sure there are no spaces in winlogon ^^

    Save this as look.bat , choose to save as *all files and place it on your desktop.

    It should look like this on your desktop: [​IMG]

    Doubleclick look.bat
    Notepad will open with some txt in it. Copy and paste the contents in your next reply.
  20. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    the resulting look.txt was 68.7 MB large. i can't attach it nor can i select all and copy.

    man, this is complicated.

    i'll try to copy the text in segments in my reply
  21. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    just click on my name and send it as an attachment to an email
  22. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    i've already sent the look.txt
  23. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Hi hyperdrive,

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\WINDOWS\system32\winlogon.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
  24. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    ok, here it is
    ----------------------------------------


    Antivirus Version Last Update Result
    AhnLab-V3 2008.5.30.1 2008.05.30 -
    AntiVir 7.8.0.24 2008.05.30 -
    Authentium 5.1.0.4 2008.05.29 -
    Avast 4.8.1195.0 2008.05.30 -
    AVG 7.5.0.516 2008.05.30 -
    BitDefender 7.2 2008.05.30 -
    CAT-QuickHeal 9.50 2008.05.29 -
    ClamAV 0.92.1 2008.05.30 -
    DrWeb 4.44.0.09170 2008.05.30 -
    eSafe 7.0.15.0 2008.05.29 -
    eTrust-Vet 31.4.5835 2008.05.30 -
    Ewido 4.0 2008.05.30 -
    F-Prot 4.4.4.56 2008.05.29 -
    F-Secure 6.70.13260.0 2008.05.30 -
    Fortinet 3.14.0.0 2008.05.30 -
    GData 2.0.7306.1023 2008.05.30 -
    Ikarus T3.1.1.26.0 2008.05.30 -
    Kaspersky 7.0.0.125 2008.05.30 -
    McAfee 5306 2008.05.29 -
    Microsoft 1.3520 2008.05.30 -
    NOD32v2 3147 2008.05.30 -
    Norman 5.80.02 2008.05.29 -
    Panda 9.0.0.4 2008.05.30 -
    Prevx1 V2 2008.05.30 -
    Rising 20.46.42.00 2008.05.30 -
    Sophos 4.29.0 2008.05.30 -
    Sunbelt 3.0.1139.1 2008.05.29 -
    Symantec 10 2008.05.30 -
    TheHacker 6.2.92.325 2008.05.30 -
    VBA32 3.12.6.6 2008.05.30 -
    VirusBuster 4.3.26:9 2008.05.30 -
    Webwasher-Gateway 6.6.2 2008.05.30 -
    Additional information
    File size: 502272 bytes
    MD5...: 6225f14b8ce08ccba8b25ad27843c674
    SHA1..: ec2dbfe0c28b004bee344daa53fdc2e2ced0695f
    SHA256: 3089e8a15776989fbc345a57c47eaaca9a46c3c8f72eec4bb57429f9f4355ad0
    SHA512: 34ad2a4f43608aa1a44b447b21d1f3cb8af58986521ebb4fd8c115d9100eb6e2
    27183de41bcc774027aad302123a4a4a0bef5cb60b8e57d71fd9d6e4de998882
    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x103d353
    timedatestamp.....: 0x41107edc (Wed Aug 04 06:14:52 2004)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x6f288 0x6f400 6.82 d221db22a9ac855a59358c515e207c45
    .data 0x71000 0x4d90 0x2000 6.21 662eceb591c7df2d6e365ae6b9b2da15
    .rsrc 0x76000 0x9030 0x9200 3.62 b93cbbc049130e1bad3ea13d7512c074


    --------------> continued in next post
  25. hyperdrive

    hyperdrive Newcomer, in training Topic Starter Posts: 37

    continuation >-------------------


    ( 20 imports )
    > ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
    > AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
    > CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
    > GDI32.dll: RemoveFontResourceW, AddFontResourceW
    > KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, ExpandEnvironmentStringsW, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, DuplicateHandle, OpenProcess, GetOverlappedResult, GetVersionExA, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, DeleteCriticalSection, TlsGetValue, TlsAlloc, VirtualFree, TlsFree
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.