Joebox - Abstract Analysis File: 17830
+ General information
Joebox version: 1.7.0
Start time: 23:05:18
Start date: 17/05/2010
Overall analysis duration: 0h 1m 22s
Target binary file name: ergdz.exe
Target script file name: xp.jbs
Avira scanner version: 7.10.4.41 - FUP(0), created 02/11/2010
Avira label: ADSPY/Adware.Gen
Errors:
    Number of runs: 1
    Number of new started processes analysed: 1
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    + Calling statistics
    NtCreateFile 0
    NtOpenFile 5
    NtDeleteFile 0
    NtSetInformationFile 0
    NtCreateIoCompletion 0
    NtRemoveIoCompletion 0
    NtSetIoCompletion 0
    NtAreMappedFilesTheSame 0
    NtCancelIoFile 0
    NtCreateNamedPipeFile 0
    NtFlushBuffersFile 0
    NtFsControlFile 1
    NtLockFile 0
    NtOpenDirectoryObject 2
    NtQueryAttributesFile 6
    NtQueryDirectoryFile 0
    NtQueryFullAttributesFile 0
    NtQueryInformationFile 0
    NtQueryVolumeInformationFile 1
    NtReadFile 0
    NtUnlockFile 0
    NtUnmapViewOfSection 2
    NtWriteFile 0
    NtCloseObjectAuditAlarm 0
    NtClose 42
    NtDeleteObjectAuditAlarm 0
    NtCreateSection 4
    NtOpenSection 16
    NtMapViewOfSection 17
    NtQuerySection 2
    NtMakeTemporaryObject 0
    NtCreateKey 0
    NtOpenKey 34
    NtRenameKey 0
    NtDeleteKey 0
    NtDeleteValueKey 0
    NtSetValueKey 0
    NtEnumerateKey 0
    NtEnumerateValueKey 0
    NtFlushKey 0
    NtNotifyChangeKey 0
    NtQueryKey 0
    NtQueryValueKey 17
    NtSetInformationKey 0
    NtCreateProcess 0
    NtCreateProcessEx 0
    NtTerminateProcess 2
    NtFlushInstructionCache 40
    NtOpenProcess 0
    NtOpenProcessToken 3
    NtOpenProcessTokenEx 1
    NtReadVirtualMemory 0
    NtWriteVirtualMemory 0
    NtAllocateVirtualMemory 17
    NtFlushVirtualMemory 0
    NtFreeVirtualMemory 1
    NtLockVirtualMemory 0
    NtProtectVirtualMemory 80
    NtQueryInformationProcess 6
    NtQueryVirtualMemory 5
    NtSetInformationProcess 1
    NtSuspendProcess 0
    NtCreateThread 0
    NtGetContextThread 0
    NtSetContextThread 0
    NtQueueApcThread 0
    NtAlertThread 0
    NtDelayExecution 0
    NtImpersonateThread 0
    NtOpenThread 0
    NtOpenThreadToken 0
    NtOpenThreadTokenEx 1
    NtQueryInformationThread 0
    NtRegisterThreadTerminatePort 1
    NtResumeThread 0
    NtSetInformationThread 4
    NtSuspendThread 0
    NtTerminateThread 0
    NtYieldExecution 0
    NtAcceptConnectPort 0
    NtCompleteConnectPort 0
    NtConnectPort 0
    NtCreatePort 0
    NtImpersonateClientOfPort 0
    NtReplyPort 0
    NtReplyWaitReceivePort 0
    NtReplyWaitReceivePortEx 0
    NtRequestPort 0
    NtRequestWaitReplyPort 5
    NtSecureConnectPort 1
    NtReadRequestData 0
    NtWriteRequestData 0
    NtAccessCheck 0
    NtAccessCheckAndAuditAlarm 0
    NtAccessCheckByType 0
    NtAdjustPrivilegesToken 0
    NtAllocateLocallyUniqueId 0
    NtQuerySecurityObject 0
    NtSetSecurityObject 0
    NtAddAtom 0
    NtFindAtom 0
    NtDeleteAtom 0
    NtQueryInformationAtom 0
    NtOpenKeyedEvent 1
    NtCreateKeyedEvent 0
    NtOpenEvent 1
    NtQueryEvent 0
    NtCreateEvent 0
    NtSetEvent 0
    NtSetEventBoostPriority 0
    NtOpenMutant 0
    NtCreateMutant 0
    NtCreateSemaphore 2
    NtReleaseSemaphore 0
    NtReleaseMutant 0
    NtCreateTimer 0
    NtCancelTimer 0
    NtSetTimer 0
    NtDeviceIoControlFile 1
    NtLoadDriver 0
    NtUnloadDriver 0
    NtDuplicateObject 0
    NtOpenObjectAuditAlarm 0
    NtDuplicateToken 0
    NtImpersonateAnonymousToken 0
    NtQueryInformationToken 4
    NtGetPlugPlayEvent 0
    NtPlugPlayControl 0
    NtOpenSymbolicLinkObject 1
    NtQuerySymbolicLinkObject 1
    NtQueryDirectoryObject 0
    NtQueryDebugFilterState 0
    NtQueryDefaultLocale 1
    NtQueryDefaultUILanguage 0
    NtQueryInstallUILanguage 0
    NtQueryInformationJobObject 0
    NtQueryObject 1
    NtQueryPerformanceCounter 0
    NtQuerySystemInformation 15
    NtQuerySystemTime 0
    NtQueryTimerResolution 0
    NtRaiseException 0
    NtRaiseHardError 0
    NtSetInformationObject 2
    NtSetSystemInformation 0
    NtShutdownSystem 0
    NtSystemDebugControl 0
    NtTestAlert 1
    NtWaitForMultipleObjects 0
    NtWaitForSingleObject 0
    NtSetInformationDebugObject 0
    NtCreateDebugObject 0
    NtDebugContinue 0
    NtWaitForDebugEvent 0
    NtRemoveProcessDebug 0
    NtUserPostMessage 0
    NtUserSendInput 0
    NtUserSetWindowsHookEx 0
    NtUserSetWinEventHook 0
    NtUserDestroyWindow 0
    NtUserPostThreadMessage 0
    NtUserBuildHwndList 0
    NtUserSetCapture 0
    NtUserRegisterHotKey 0
    NtUserRegisterUserApiHook 0
    NtUserCreateWindowEx 0
    NtUserQueryWindow 0
    NtUserFindWindowEx 0
    NtUserGetAsyncKeyState 0
    NtUserGetKeyboardState 0
    NtUserGetKeyState 0
    + Startup
    • system is xp
    • ergdz.exe (PID: 672 MD5: 129507EE97363E42B11AE0CC08184F96)
    • cleanup
    Analysis File: ergdz.exe PID: 672 Parent PID: 1916 Run ID: 0
    + Sections
    - General
    Start time: 23:06:01
    Start date: 17/05/2010
    Path: C:\ergdz.exe
    File size: 401408 bytes
    MD5 hash: 129507EE97363E42B11AE0CC08184F96
    File Activities:
    File opened
    File Path Access Options Completion Count
    File created
    File Path Access Attributes Options Completion Count
    + File overwritten
    File Path Access Options Completion Count
    \Device\KsecDD read data or list directory and synchronize synchronous io alert success or wait 1
    File deleted
    File Path Completion Count
    File renamed
    Old File Path New File Path Completion Count
    File written
    File Path Completion Count
    Other file operations
    File Path Disposition Data Completion Count
    Section Activities:
    + Section opened
    File Path Access Base Entrypoint Size Mapped to pid Completion Count
    \KnownDlls\kernel32.dll map write and map read and map execute 7C800000 7C80B64E F6000 own pid success or wait 1
    \NLS\NlsSectionUnicode map read 00260000 0 15DF4 own pid success or wait 1
    \NLS\NlsSectionLocale map read 00280000 0 40EDC own pid success or wait 1
    \NLS\NlsSectionSortkey query and map read 002D0000 0 40004 own pid success or wait 1
    \NLS\NlsSectionSortTbls map read 00320000 0 5A04 own pid success or wait 1
    \NLS\NlsSectionSortkey00000409 map read not known not known not known own pid object name not found 2
    \KnownDlls\ole32.dll map write and map read and map execute 774E0000 774FD0B9 13D000 own pid success or wait 1
    \KnownDlls\ADVAPI32.dll map write and map read and map execute 77DD0000 77DD710B 9B000 own pid success or wait 1
    \KnownDlls\RPCRT4.dll map write and map read and map execute 77E70000 77E7628F 92000 own pid success or wait 1
    \KnownDlls\Secur32.dll map write and map read and map execute 77FE0000 77FE2146 11000 own pid success or wait 1
    \KnownDlls\GDI32.dll map write and map read and map execute 77F10000 77F16587 49000 own pid success or wait 1
    \KnownDlls\USER32.dll map write and map read and map execute 7E410000 7E41B217 91000 own pid success or wait 1
    \KnownDlls\msvcrt.dll map write and map read and map execute 77C10000 77C1F2A1 58000 own pid success or wait 1
    \KnownDlls\OLEAUT32.dll map write and map read and map execute 77120000 77121560 8B000 own pid success or wait 1
    \NLS\NlsSectionCType map read 008B0000 0 20C2 own pid success or wait 1
    + Section created
    File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
    not known query and map write and map read and map execute and extend size reserve not known F6FE1A00 10000 read write own pid success or wait 20
    not known query and map write and map read and map execute and extend size reserve not known F6FE1A00 10000 read write own pid success or wait 1
    not known map write and map read and map execute commit 00470000 F6FE1A00 1AE00 execute own pid success or wait 2
    not known query and map write and map read and map execute image 76390000 763912C0 1D000 execute own pid success or wait 1
    Registry Activities:
    + Key opened
    Key Path Access Completion Count
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ergdz.exe generic read object name not found 51
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ergdz.exe generic read object name not found 2
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server query value and enumerate sub key and notify and read or execute and write and read control success or wait 3
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE maximum allowed success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option query value and set value and read or execute and write object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Ole query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Classes\Interface query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT query value and read or execute object name not found 2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra query value and enumerate sub key and read or execute object name not found 1
    Key created
    Key Path Access Options Completion Count
    Key deleted
    Key Path Completion Count
    Key value deleted
    Key Path Key Value Name Completion Count
    Key value set
    Key Path Name Type Data Completion Count
    Key value replaced with new
    Key Path Name Type Old Data New Data Completion Count
    Key value replaced with same
    Key Path Name Type Data Completion Count
    + Key value queried
    Key Path Name Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server TSAppCompat success or wait 3
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server TSUserEnabled success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon LeakTrack object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager SafeDllSearchMode object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager CriticalSectionTimeout success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole RWLockResourceTimeOut object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAll object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAllForOle32 object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableTypeLib object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAll object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAllForOle32 object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    Mutant Activities:
    Mutant opened
    Name Completion Count
    Mutant created
    Name Completion Count
    Mutant released
    Name Completion Count
    Process Activities:
    Process started
    PID Access Flags System Completion Count
    Process opened
    PID Access Filename Cmdline Completion Count
    Process suspended
    PID Filename Cmdline Completion Count
    + Process terminated
    PID Filename Cmdline Completion Count
    own pid own process file path own process cmdline success or wait 2
    own pid own process file path own process cmdline success or wait 1
    Thread Activities:
    Thread opened
    TID PID Access Completion Count
    Thread created
    TID PID Process Path Cmdline Access Completion Count
    Thread queued
    TID PID Completion Count
    Thread set
    TID PID Completion Count
    Thread delayed
    TID Delay Completion Count
    Thread terminated
    TID PID Completion Count
    Memory Activities:
    Memory read
    PID Filename Cmdline Base Completion Count
    Memory written
    PID Filename Cmdline Base Completion Count
    Driver Activities:
    Driver loaded
    Service name path Completion Count
    Driver unloaded
    Service name path Completion Count
    System Activities:
    System information set
    System info class Data Completion Count
    + System information queried
    System info class Completion Count
    BasicInformation success or wait 15
    BasicInformation success or wait 4
    RangeStartInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    ProcessorInformation success or wait 3
    BasicInformation success or wait 2
    Time Activities:
    Performance counter queried
    Count Frequency Completion Count
    System resolution queried
    Minimum resolution Maximum resolution Current resolution Completion Count
    System time queried
    Time Completion Count
    User Activities:
    Window created
    Window name Class name Completion Count
    Window found
    Window name Class name Completion Count
    Window hook set
    Module Thread id Hook code Completion Count
    Key async got
    Virtual key code Key state Count
    Keyboard state got
    Completion Count
    Key state got
    Virtual key code State Count
    Debug Activities:
    System debug info set
    Debug info class Input data Output data Completion Count
    Exception Activities:
    Exception raised
    Exception code Address Completion Count
    + Chronological sections
    Operation Data Completion Time
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ergdz.exe Access: generic read object name not found 2764899995
    System info queried Type: BasicInformation success or wait 2764901959
    System info queried Type: BasicInformation success or wait 2764902963
    Section opened Access: map write and map read and map execute Baseaddress: 7C800000 Size: F6000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll success or wait 2764906135
    System info queried Type: RangeStartInformation success or wait 2764909855
    System info queried Type: BasicInformation success or wait 2764909971
    Section created Access: query and map write and map read and map execute and extend size Protection: read write Attributes: reserve Path: not known Type: reserve Baseaddress: not known Entrypoint: F6FE1A00 Mapped to pid: own pid Size: 10000 success or wait 2764910261
    System info queried Type: BasicInformation success or wait 2765148680
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765151269
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat success or wait 2765153231
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ergdz.exe Access: generic read object name not found 2765159129
    Section opened Access: map read Baseaddress: 00260000 Size: 15DF4 Mapped to pid: own pid Path: \NLS\NlsSectionUnicode success or wait 2765159350
    Section opened Access: map read Baseaddress: 00280000 Size: 40EDC Mapped to pid: own pid Path: \NLS\NlsSectionLocale success or wait 2765160832
    Section opened Access: query and map read Baseaddress: 002D0000 Size: 40004 Mapped to pid: own pid Path: \NLS\NlsSectionSortkey success or wait 2765165415
    Section opened Access: map read Baseaddress: 00320000 Size: 5A04 Mapped to pid: own pid Path: \NLS\NlsSectionSortTbls success or wait 2765166677
    Section opened Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409 object name not found 2765168897
    Section opened Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409 object name not found 2765169098
    Section opened Access: map write and map read and map execute Baseaddress: 774E0000 Size: 13D000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll success or wait 2765176089
    Section opened Access: map write and map read and map execute Baseaddress: 77DD0000 Size: 9B000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll success or wait 2765187477
    Section opened Access: map write and map read and map execute Baseaddress: 77E70000 Size: 92000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll success or wait 2765192043
    Section opened Access: map write and map read and map execute Baseaddress: 77FE0000 Size: 11000 Mapped to pid: own pid Path: \KnownDlls\Secur32.dll success or wait 2765196100
    Section opened Access: map write and map read and map execute Baseaddress: 77F10000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll success or wait 2765202205
    Section opened Access: map write and map read and map execute Baseaddress: 7E410000 Size: 91000 Mapped to pid: own pid Path: \KnownDlls\USER32.dll success or wait 2765204830
    Section opened Access: map write and map read and map execute Baseaddress: 77C10000 Size: 58000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll success or wait 2765211164
    Section opened Access: map write and map read and map execute Baseaddress: 77120000 Size: 8B000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll success or wait 2765219505
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765228275
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat success or wait 2765228741
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll Access: generic read object name not found 2765237363
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll Access: generic read object name not found 2765238364
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll Access: generic read object name not found 2765239017
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765239417
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat success or wait 2765239675
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSUserEnabled success or wait 2765245159
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765249589
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack object name not found 2765250074
    Key opened Path: HKEY_LOCAL_MACHINE Access: maximum allowed success or wait 2765250961
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2765251359
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.dll Access: generic read object name not found 2765251872
    System info queried Type: BasicInformation success or wait 2765252121
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute success or wait 2765253744
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode object name not found 2765254054
    Section created Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00470000 Entrypoint: F6FE1A00 Mapped to pid: own pid Size: 1AE00 success or wait 2765255365
    Section created Access: map write and map read and map execute Protection: execute Attributes: commit Path: not known Type: commit Baseaddress: 00470000 Entrypoint: F6FE1A00 Mapped to pid: own pid Size: 1AE00 success or wait 2765257544
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: not known Type: image Baseaddress: 76390000 Entrypoint: 763912C0 Mapped to pid: own pid Size: 1D000 success or wait 2765259336
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write object name not found 2765260686
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute success or wait 2765260910
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled success or wait 2765261354
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute object name not found 2765262646
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL Access: generic read object name not found 2765266850
    System info queried Type: BasicInformation success or wait 2765266996
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll Access: generic read object name not found 2765268062
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll Access: generic read object name not found 2765268295
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll Access: generic read object name not found 2765268572
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll Access: generic read object name not found 2765269108
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll Access: generic read object name not found 2765269333
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll Access: generic read object name not found 2765269688
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2765270211
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765270630
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 2765270914
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765275120
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs success or wait 2765275378
    System info queried Type: BasicInformation success or wait 2765278062
    Section opened Access: map read Baseaddress: 008B0000 Size: 20C2 Mapped to pid: own pid Path: \NLS\NlsSectionCType success or wait 2765279720
    System info queried Type: BasicInformation success or wait 2765290862
    System info queried Type: ProcessorInformation success or wait 2765291048
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765300076
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout success or wait 2765301194
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765306405
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut object name not found 2765306884
    System info queried Type: BasicInformation success or wait 2765314167
    System info queried Type: ProcessorInformation success or wait 2765314361
    System info queried Type: BasicInformation success or wait 2765314597
    System info queried Type: ProcessorInformation success or wait 2765315200
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765315415
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll object name not found 2765315737
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32 object name not found 2765316915
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib object name not found 2765317085
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765318521
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll object name not found 2765318840
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32 object name not found 2765319008
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute object name not found 2765325142
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra Access: query value and enumerate sub key and read or execute object name not found 2765326185
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute object name not found 2765327968
    System info queried Type: BasicInformation success or wait 2765331024
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline success or wait 2765364999
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2765366449
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 2765366785
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline NOSTATUS 2765368806
    Network Data
    + All TCP, UDP, ICMP
    Timestamp Source Port Dest Port Source IP Dest IP Protocol
    May 17, 2010 23:05:57.141780000 138 138 192.168.111.6 192.168.111.255 udp
    May 17, 2010 23:05:57.143657000 137 137 192.168.111.6 192.168.111.21 udp
    May 17, 2010 23:06:06.376917000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.377465000 1047 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.565689000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.566127000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.568760000 1047 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.569052000 1047 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.776169000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.786636000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.806622000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.816125000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.841409000 1047 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.856441000 1047 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.975816000 1047 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:06.975857000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:07.427044000 1047 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:07.427283000 1046 80 192.168.111.6 207.46.19.254 tcp
    May 17, 2010 23:06:07.427451000 1043 80 192.168.111.6 94.236.15.26 tcp
    DNS
    Timestamp Source IP Dest IP Type Data
    + HTTP
    Timestamp Source IP Dest IP Host Data
    May 17, 2010 23:06:06.566127000 192.168.111.6 207.46.19.254 www.microsoft.com GET /athome/community/rss.xml HTTP/1.1\r\n
    May 17, 2010 23:06:06.569052000 192.168.111.6 207.46.19.254 www.microsoft.com GET /atwork/community/rss.xml HTTP/1.1\r\n