Afisicx, noytcyr, Roytctm, soxpeca, tdydowkc, etc [RESOLVED], having problems with my computer - posting hijackthis log
AdamBud
post Oct 6 2008, 07:50 PM
Post #1


Member
Posts: 11
OS: XP



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:02 PM, on 10/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\mabidwe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\soxpeca.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\AOL\1162169502\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\program files\common files\aol\1162169502\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1162169502\EE\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\abudnick\Local Settings\Temporary Internet Files\Content.IE5\LU1JQ3JA\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162169502\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.download.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1222740135234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222740254593
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - http://www.av-xp2008.com/tools/virusremover.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = absolutaire.local
O17 - HKLM\Software\..\Telephony: DomainName = absolutaire.local
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: TCP IP Service (Messager) - Unknown owner - c:\temps\svchost.exe (file missing)
O23 - Service: MsService - Unknown owner - C:\WINDOWS\system\proxy.exe (file missing)
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: Remote - Unknown owner - C:\WINDOWS\system32\dxdicg.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: wsldoekd Co. Ltd. (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--
End of file - 9063 bytes
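As an added triage example (not part of the thread, and not code from HijackThis or Trend Micro): a Python script that parses lines in the HijackThis format above and flags the entry types that carried this infection, namely O23 services with "Unknown owner" under C:\WINDOWS, services whose file is missing, O16 ActiveX downloads from non-Microsoft hosts, and O15 Trusted Zone additions. The sample log is constructed from the kinds of lines in the post (the Microsoft Update URL in it is a placeholder), and the heuristics are my own: they produce leads to verify, not verdicts, which is why the legitimate Dell service with no vendor string is only marked for review.

```python
"""Triage a HijackThis 2.0.2 log for the entry types that carried the
infection above. Heuristics only: the output is a list of leads for a
human to verify, not verdicts."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis format, modelled on the log above; the
# Microsoft Update URL is a placeholder, not the real control's address.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE

O15 - Trusted Zone: *.download.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/placeholder/wuweb_site.cab
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - http://www.av-xp2008.com/tools/virusremover.dll
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: TCP IP Service (Messager) - Unknown owner - c:\temps\svchost.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")


@dataclass
class Finding:
    kind: str      # HijackThis section: O23, O16 or O15
    severity: str  # "high", "review" or "cleanup"
    subject: str   # binary path, download URL or zone pattern
    reason: str


def file_stem(path: str) -> str:
    """Lower-case file name without extension; ntpath splits backslashes on any OS."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def running_processes(text: str) -> set:
    # Collect the 'Running processes:' block as lower-case full paths.
    procs, in_block = set(), False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_block = True
        elif in_block and not line.strip():
            break
        elif in_block:
            procs.add(line.strip().lower())
    return procs


def triage_service(m: "re.Match", procs: set) -> Optional[Finding]:
    path, owner = m["path"], m["owner"]
    if m["missing"]:
        return Finding("O23", "cleanup", path,
                       "service points at a file that no longer exists (orphaned entry)")
    if owner != "Unknown owner" or not path.lower().startswith("c:\\windows\\"):
        return None  # vendor string present, or outside the Windows tree
    short = (m["short"] or "").lower()
    # "<name> Service (<name>)" with <name> equal to the file stem is exactly how
    # every trojan service in the log above was registered.
    generic = (bool(short) and m["display"].lower() == f"{short} service"
               and short == file_stem(path))
    if generic:
        running = path.lower() in procs
        return Finding("O23", "high", path, "no vendor info, service named after its own binary"
                       + (", and the binary is currently running" if running else ""))
    # Legitimate OEM services (wireless tray utilities and the like) also land
    # here, so this is a review item: check the file's signature or hash first.
    return Finding("O23", "review", path, "no vendor info, binary under the Windows directory")


def triage(text: str) -> list:
    procs = running_processes(text)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            if f := triage_service(m, procs):
                findings.append(f)
        elif m := O16_RE.match(line):
            host = (urlparse(m["url"]).hostname or "").lower()
            # Windows/Microsoft Update controls are the expected O16 entries;
            # a control fetched from anywhere else deserves a look.
            if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                findings.append(Finding("O16", "review", m["url"],
                                        f"ActiveX control downloaded from {host}"))
        elif m := O15_RE.match(line):
            findings.append(Finding("O15", "review", m["zone"],
                                    "site added to the IE Trusted Zone (relaxed security)"))
    return findings
```

Running `triage(SAMPLE_LOG)` returns five findings; the Symantec service and the Microsoft Update control produce none.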
fenzodahl512
post Oct 6 2008, 08:57 PM
Post #2


Trusted Helper
Posts: 4,397
OS: Windows XP



Hello, my name is fenzodahl512 and welcome to Geekstogo. Please do the following.


Please download SDFix by Andy Manchesta and save it to your desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please reboot into Safe Mode
  1. In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
  2. A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  3. Open the extracted folder and double click RunThis.bat to start the script.
  4. Type Y to begin the script.
  5. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  6. Press any Key and it will restart the PC.
  7. Your system will take longer than normal to restart as the fixtool will be running and removing files.
  8. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  9. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.

NEXT

Please visit the webpage below for instructions on downloading and running ComboFix. Make sure you download and save ComboFix DIRECTLY to your Desktop.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall software before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

Post these logs in your next reply. Post each log in a separate post.

1. SDFix
2. ComboFix
3. A fresh HijackThis log (after ComboFix step)
AdamBud
post Oct 7 2008, 08:29 PM
Post #3


Member
Posts: 11
OS: XP



SDFix: Version 1.233
Run by Administrator on Tue 10/07/2008 at 09:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
Messager

Path :
c:\temps\svchost.exe

Messager - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\atsxyzd.sys - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 21:41:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000000
"TracesSuccessful"=dword:00000000
"LastTraceFailure"=dword:00000000

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL Software"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\1024\\SVCHOST.EXE"="C:\\WINDOWS\\system32\\1024\\SVCHOST.EXE:*:Enabled:SVCHOST.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe:*:Enabled:pcAnywhere Main Program"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1162169502\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1162169502\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1162169502\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1162169502\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\DelAir7\\Delair7.exe"="C:\\Program Files\\DelAir7\\Delair7.exe:*:Enabled:DelAir 7"
"C:\\Program Files\\DelAir7\\daweb.exe"="C:\\Program Files\\DelAir7\\daweb.exe:*:Enabled:Delair 7 Internet Update Software"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL 9.1"
"C:\\Program Files\\Symantec AntiVirus\\Smc.exe"="C:\\Program Files\\Symantec AntiVirus\\Smc.exe:*:Enabled:SMC Service"
"C:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"="C:\\Program Files\\Symantec AntiVirus\\SNAC.EXE:*:Enabled:SNAC Service"
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe:*:Enabled:Symantec Email"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 12 Jul 2005 54,872 A..H. --- "C:\Program Files\America Online 9.0\AOLphx.exe"
Tue 12 Jul 2005 31,832 A..H. --- "C:\Program Files\America Online 9.0\rbm.exe"
Tue 23 Jan 2007 46,640 A..H. --- "C:\Program Files\AOL 9.0\AOLphx.exe"
Tue 23 Jan 2007 54,832 A..H. --- "C:\Program Files\AOL 9.0\AOLphxex.exe"
Tue 23 Jan 2007 33,328 A..H. --- "C:\Program Files\AOL 9.0\rbm.exe"
Sat 27 Oct 2007 46,432 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
Sat 27 Oct 2007 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
Sat 27 Oct 2007 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
Sun 28 Sep 2008 75,776 A..H. --- "C:\WINDOWS\inf\icuc32.dll"
Wed 4 Aug 2004 549,888 A.SHR --- "C:\WINDOWS\system32\dxdicg.exe"
Wed 1 Oct 2008 23,040 ..SHR --- "C:\WINDOWS\system32\pScripts.exe"
Tue 30 Sep 2008 582,144 ..SHR --- "C:\WINDOWS\system32\yCobar.dll"
Tue 30 Sep 2008 375,296 ..SHR --- "C:\WINDOWS\system32\yscript.exe"
Sun 28 Sep 2008 14,848 A..H. --- "C:\WINDOWS\system32\zordisa.dll"
Wed 22 Dec 2004 76,568 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Thu 4 Oct 2007 407 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Thu 4 Oct 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Sun 17 Feb 2008 96,072 A..H. --- "C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe"
Thu 19 Oct 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 19 Oct 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Thu 19 Oct 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Thu 19 Oct 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Thu 19 Oct 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"

Finished!

ComboFix 08-10-07.06 - Administrator 2008-10-07 22:09:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.586 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Install.txt
C:\WINDOWS\MSSqlServer.dll
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\inf\svchosd.exe
C:\WINDOWS\system32\Install.txt
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\oduxftw.sys
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\vsdertl.dll
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\system32\zordisa.dll
C:\WINDOWS\tawisys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_AFISICX
-------\Legacy_INTERNET_SERVICE
-------\Legacy_MABIDWE
-------\Legacy_MSSERVICE
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEIUCTOL
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_SVCHOST
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_Internet Service
-------\Service_mabidwe
-------\Service_MsService
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.

2008-10-07 22:11 . 2008-10-07 22:11 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-10-07 21:33 . 2008-10-07 21:33 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-10-07 21:31 . 2008-10-07 21:31 <DIR> d-------- C:\WINDOWS\ERUNT
2008-10-07 21:22 . 2008-10-07 21:44 <DIR> d-------- C:\SDFix
2008-10-01 13:46 . 2008-10-01 13:46 23,040 -r-hs---- C:\WINDOWS\system32\pScripts.exe
2008-09-30 09:21 . 2008-09-30 09:21 10,652 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-30 09:21 . 2008-09-30 09:21 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-30 08:59 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-30 08:58 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-30 08:58 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-30 08:58 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-09-30 08:49 . 2008-10-02 22:11 <DIR> d-------- C:\Documents and Settings\abudnick\Application Data\U3
2008-09-30 08:39 . 2008-09-30 08:39 582,144 -r-hs---- C:\WINDOWS\system32\yCobar.dll
2008-09-30 08:39 . 2008-09-30 08:39 375,296 -r-hs---- C:\WINDOWS\system32\yscript.exe
2008-09-30 08:02 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-09-30 08:02 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-09-29 22:24 . 2004-08-04 06:00 381,425 -----c--- C:\WINDOWS\system32\dllcache\copycd.wmv
2008-09-29 22:24 . 2008-04-13 20:12 294,912 -----c--- C:\WINDOWS\system32\dllcache\dlimport.exe
2008-09-29 22:24 . 2004-08-04 06:00 9,585 -----c--- C:\WINDOWS\system32\dllcache\controls.css
2008-09-29 22:24 . 2004-08-04 06:00 8,298 -----c--- C:\WINDOWS\system32\dllcache\contents.htm
2008-09-29 22:24 . 2004-08-04 06:00 6,878 -----c--- C:\WINDOWS\system32\dllcache\controls.js
2008-09-29 22:24 . 2004-08-04 06:00 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-09-29 22:24 . 2004-08-04 06:00 773 -----c--- C:\WINDOWS\system32\dllcache\cnth.gif
2008-09-29 22:24 . 2004-08-04 06:00 773 -----c--- C:\WINDOWS\system32\dllcache\cnt.gif
2008-09-29 22:24 . 2004-08-04 06:00 772 -----c--- C:\WINDOWS\system32\dllcache\cntd.gif
2008-09-29 22:24 . 2004-08-04 06:00 760 -----c--- C:\WINDOWS\system32\dllcache\cloapph.gif
2008-09-29 22:24 . 2004-08-04 06:00 717 -----c--- C:\WINDOWS\system32\dllcache\cloapp.gif
2008-09-29 19:54 . 2005-12-13 03:40 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-29 19:49 . 2004-08-04 06:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-09-29 19:47 . 2008-04-13 20:11 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-09-29 19:46 . 2004-08-04 06:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-09-29 19:45 . 2008-04-13 20:09 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-29 19:44 . 2004-08-04 06:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-09-29 19:43 . 2004-08-04 06:00 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
2008-09-29 19:43 . 2004-08-04 06:00 94,720 --a--c--- C:\WINDOWS\system32\dllcache\certmap.ocx
2008-09-29 19:43 . 2004-08-04 06:00 49,664 --a--c--- C:\WINDOWS\system32\dllcache\adrot.dll
2008-09-29 19:43 . 2004-08-04 06:00 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
2008-09-29 19:43 . 2004-08-04 06:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\iisreset.exe
2008-09-29 19:43 . 2004-08-04 06:00 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-09-29 19:43 . 2004-08-04 06:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
2008-09-29 19:43 . 2004-08-04 06:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\ftpsapi2.dll
2008-09-29 19:43 . 2004-08-04 06:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\admxprox.dll
2008-09-29 19:43 . 2004-08-04 06:00 5,632 --a--c--- C:\WINDOWS\system32\dllcache\iisrstap.dll
2008-09-29 19:43 . 2001-08-17 22:36 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
2008-09-29 19:42 . 2008-10-01 00:15 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-29 19:40 . 2004-08-04 06:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
2008-09-29 19:40 . 2008-09-29 19:40 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-09-29 19:40 . 2008-09-29 19:40 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-09-29 19:40 . 2008-09-29 19:40 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-09-29 19:40 . 2008-09-29 19:40 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-09-29 19:40 . 2008-09-29 19:40 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-09-29 19:40 . 2008-09-29 19:40 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-09-29 19:26 . 2004-08-04 06:00 1,086,058 -ra------ C:\WINDOWS\SET56.tmp
2008-09-29 19:26 . 2004-08-04 06:00 1,042,903 -ra------ C:\WINDOWS\SET53.tmp
2008-09-29 19:26 . 2004-08-04 06:00 13,753 -ra------ C:\WINDOWS\SET62.tmp
2008-09-29 15:14 . 2008-09-29 15:14 <DIR> d-------- C:\WINDOWS\dell
2008-09-27 15:35 . 2008-09-27 15:35 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-09-15 19:28 . 2008-04-13 20:12 389,120 --a------ C:\WINDOWS\system32\tmpacj2.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 13:26 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-09-30 13:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-30 13:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-30 13:21 60,808 -c--a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-30 13:21 136,496 -c--a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-30 13:21 --------- d-----w C:\Program Files\Symantec
2008-09-30 13:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-28 15:28 75,776 ---ha-w C:\WINDOWS\inf\icuc32.dll
2008-09-28 14:21 --------- d-----w C:\Program Files\AOL 9.1
2008-09-28 14:21 --------- d-----w C:\Documents and Settings\abudnick\Application Data\Viewpoint
2008-09-27 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-30 14:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-30 08:17 --------- d-----w C:\Program Files\Google
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 -c--a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2004-08-04 10:00 549,888 --sha-r C:\WINDOWS\system32\dxdicg.exe
.
C:\WINDOWS\system32\svchost.exe ... Infected -- Win32.Qhost !!
-c----w 14,336 2004-08-04 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
----a-w 55,276 2008-10-06 03:01:24 C:\WINDOWS\Prefetch\SVCHOST.EXE-2D5FBD18.pf
------w 14,336 2008-04-14 00:12:36 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
----a-w 14,336 2008-04-14 00:12:36 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\svchost.exe
----a-w 14,336 2008-04-14 00:12:36 C:\WINDOWS\system32\svchost.exe

Entries: 5 (5)
Directories: 0 Files: 5
Bytes: 112,620 Blocks: 220


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 176128]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 1347584]
"HostManager"="C:\Program Files\Common Files\AOL\1162169502\ee\AOLSoftware.exe" [2007-05-25 42032]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 118784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-04 115560]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD LT Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 07:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-07-16 22:29 389120 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-12-09 21:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
--a------ 2003-09-10 03:24 20480 C:\Program Files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S2 Remote;Remote;C:\WINDOWS\system32\dxdicg.exe [2004-08-04 549888]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-10-04 22112]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-Dell QuickSet - C:\Program Files\Dell\QuickSet\quickset.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
O8 -: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - hxxp://www.av-xp2008.com/tools/virusremover.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 22:13:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SDDMI2]
"ImagePath"="\??\C:\WINDOWS\system32\DDMI2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"="a"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\hidfind.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Common Files\AOL\1162169502\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-07 22:18:44 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-10-08 02:18:41

Pre-Run: 48,378,298,368 bytes free
Post-Run: 48,543,117,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

269 --- E O F --- 2008-10-01 02:54:29

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:17 PM, on 10/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Common Files\AOL\1162169502\ee\AOLSoftware.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\igfxpers.exe
c:\program files\common files\aol\1162169502\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1162169502\EE\aolsoftware.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1162169502\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1222740135234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222740254593
O16 - DPF: {7D5DD829-6C90-42C5-B54C-2AFA82F988BA} - http://www.av-xp2008.com/tools/virusremover.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = absolutaire.local
O17 - HKLM\Software\..\Telephony: DomainName = absolutaire.local
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote - Unknown owner - C:\WINDOWS\system32\dxdicg.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7726 bytes
fenzodahl512
post Oct 7 2008, 08:51 PM
Post #4


Trusted Helper
Posts: 4,397
OS: Windows XP



Please show hidden files and folders. Please visit HERE if you don't know how.
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

      C:\WINDOWS\system32\yCobar.dll
      C:\WINDOWS\system32\yscript.exe
      C:\WINDOWS\system32\tmpacj2.exe
      C:\WINDOWS\system32\pScripts.exe

  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

If VirScan.org server is too busy, please submit the file to VirusTotal instead.



NEXT


Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for these files:
      C:\WINDOWS\system32\yCobar.dll
      C:\WINDOWS\system32\yscript.exe
      C:\WINDOWS\system32\tmpacj2.exe
      C:\WINDOWS\system32\pScripts.exe
  • In the comments, please mention that fenzodahl512 asked you to upload this file
  • Click on Send File





NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
http://www.geekstogo.com/forum/Afisicx-noytcyr-Roytctm-soxpeca-tdydowkc-etc-t213915.html&view=findpost&p=1348293#entry1348293

KillAll::

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | C:\WINDOWS\system32\svchost.exe

Suspect::
C:\WINDOWS\system32\yCobar.dll
C:\WINDOWS\system32\yscript.exe
C:\WINDOWS\system32\tmpacj2.exe
C:\WINDOWS\system32\pScripts.exe


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • VirScan.org/VirusTotal result
  • Combofix.txt
  • A new HijackThis log.



**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open. DO NOT close that browser.
  • Simply follow the instructions to copy/paste/send the requested file.

AdamBud
post Oct 8 2008, 07:55 PM
Post #5


Member
**
Posts: 11
OS: XP



VirSCAN.org Scanned Report :
Scanned time : 2008/10/09 09:02:30 (CST)
Scanner results: 3% Scanner(1/37) found malware!
File Name : yCobar.dll
File Size : 582144 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : 57e3e5a04b119790ccd2a24b1c3dcc6b
SHA1 : 09b78d09c8a581fda27f8cd56f858ca41d71b004
Online report : http://virscan.org/report/c085a515aca5a591...980ef9a9b4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.16 2008.10.07 2008-10-07 1.46 -
AhnLab V3 2008.10.09.00 2008.10.09 2008-10-09 0.94 -
AntiVir 7.8.1.34 7.0.7.14 2008-10-08 2.36 -
Arcavir 1.0.5 200810081436 2008-10-08 1.23 -
Authentium 5.1.1 200810012118 2008-10-01 1.06 -
AVAST! 3.0.1 081008-1 2008-10-08 0.04 -
AVG 7.5.52.442 270.7.6/1715 2008-10-08 1.63 -
BitDefender 7.60825.1846949 7.21198 2008-10-09 3.17 -
CA (VET) 9.0.0.143 31.6.6135 2008-10-08 4.12 -
ClamAV 0.94 8396 2008-10-09 0.13 -
Comodo 2.11 2.0.0.670 2008-10-08 0.43 -
CP Secure 1.1.0.715 2008.10.09 2008-10-09 6.08 -
Dr.Web 4.44.0.9170 2008.10.08 2008-10-08 3.44 DLOADER.Trojan
ewido 4.0.0.2 2008.10.08 2008-10-08 2.98 -
F-Prot 4.4.4.56 20081008 2008-10-08 1.06 -
F-Secure 5.51.6100 2008.10.08.12 2008-10-08 3.66 -
Fortinet 2.81-3.113 9.626 2008-10-08 0.28 -
ViRobot 20081008 2008.10.08 2008-10-08 0.40 -
Ikarus T3.1.01.34 2008.10.08.71604 2008-10-08 3.56 -
JiangMin 11.0.706 2008.10.08 2008-10-08 1.27 -
Kaspersky 5.5.10 2008.10.08 2008-10-08 0.04 -
KingSoft 2008.9.8.18 2008.10.8.17 2008-10-08 0.63 -
McAfee 5.3.00 5401 2008-10-08 2.08 -
Microsoft 1.4005 2008.10.09 2008-10-09 4.46 -
mks_vir 2.01 2008.10.08 2008-10-08 2.67 -
Norman 5.93.01 5.93.00 2008-10-08 5.20 -
Panda 9.05.01 2008.10.08 2008-10-08 2.27 -
Trend Micro 8.700-1004 5.590.02 2008-10-08 0.03 -
Quick Heal 9.50 2008.10.08 2008-10-08 1.94 -
Rising 20.0 20.65.22.00 2008-10-08 0.80 -
Sophos 2.79.0 4.34 2008-10-09 1.81 -
Sunbelt 3.1.1708.1 2293 2008-10-08 0.59 -
Symantec 1.3.0.24 20081008.003 2008-10-08 0.11 -
nProtect 2008-10-08.00 2212818 2008-10-08 4.47 -
The Hacker 6.3.1.0 v00103 2008-10-07 0.43 -
VBA32 3.12.8.6 20081007.1506 2008-10-07 1.57 -
VirusBuster 4.5.11.10 10.89.11/634093 2008-10-08 1.31 -


VirSCAN.org Scanned Report :
Scanned time : 2008/10/08 21:18:39 (EDT)
Scanner results: 22% Scanner(8/37) found malware!
File Name : yscript.exe
File Size : 375296 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 9a5efd831e7c896edfa33f2c242360f4
SHA1 : 730773e004e526e630c28fff18d8e83eb98a2e2c
Online report : http://virscan.org/report/7b2a724796a671a5...ca8dce251a.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.16 2008.10.07 2008-10-07 1.47 -
AhnLab V3 2008.10.09.00 2008.10.09 2008-10-09 0.97 -
AntiVir 7.8.1.34 7.0.7.14 2008-10-08 2.34 TR/Hijack.Explor.5179
Arcavir 1.0.5 200810081436 2008-10-08 1.23 -
Authentium 5.1.1 200810012118 2008-10-01 1.08 -
AVAST! 3.0.1 081008-1 2008-10-08 0.07 Win32:Trojan-gen {Other}
AVG 7.5.52.442 270.7.6/1715 2008-10-08 1.63 -
BitDefender 7.60825.1846949 7.21198 2008-10-09 3.18 BehavesLike:Win32.ExplorerHijack
CA (VET) 9.0.0.143 31.6.6135 2008-10-08 5.42 -
ClamAV 0.94 8396 2008-10-09 0.08 -
Comodo 2.11 2.0.0.670 2008-10-08 0.43 -
CP Secure 1.1.0.715 2008.10.09 2008-10-09 6.08 -
Dr.Web 4.44.0.9170 2008.10.08 2008-10-08 3.37 -
ewido 4.0.0.2 2008.10.08 2008-10-08 3.12 -
F-Prot 4.4.4.56 20081008 2008-10-08 1.07 -
F-Secure 5.51.6100 2008.10.08.12 2008-10-08 3.52 -
Fortinet 2.81-3.113 9.626 2008-10-08 0.32 -
ViRobot 20081008 2008.10.08 2008-10-08 0.40 -
Ikarus T3.1.01.34 2008.10.08.71604 2008-10-08 3.53 Trojan-Downloader.Win32.Banload.agt
JiangMin 11.0.706 2008.10.08 2008-10-08 1.25 -
Kaspersky 5.5.10 2008.10.08 2008-10-08 0.05 -
KingSoft 2008.9.8.18 2008.10.8.17 2008-10-08 0.65 -
McAfee 5.3.00 5401 2008-10-08 2.09 -
Microsoft 1.4005 2008.10.09 2008-10-09 4.02 -
mks_vir 2.01 2008.10.08 2008-10-08 2.68 -
Norman 5.93.01 5.93.00 2008-10-08 5.18 W32/Malware.ECMR
Panda 9.05.01 2008.10.08 2008-10-08 2.23 -
Trend Micro 8.700-1004 5.590.02 2008-10-08 0.03 -
Quick Heal 9.50 2008.10.08 2008-10-08 1.89 -
Rising 20.0 20.65.22.00 2008-10-08 0.78 -
Sophos 2.79.0 4.34 2008-10-09 1.79 -
Sunbelt 3.1.1708.1 2293 2008-10-08 0.46 Trojan.Win32.ExplorerHijack
Symantec 1.3.0.24 20081008.003 2008-10-08 0.06 -
nProtect 2008-10-08.00 2212818 2008-10-08 4.22 BehavesLike:Win32.ExplorerHijack
The Hacker 6.3.1.0 v00103 2008-10-07 0.43 -
VBA32 3.12.8.6 20081008.2118 2008-10-08 1.58 MalwareScope.Trojan-PSW.Game.17 (paranoid heuristics) (suspicious)
VirusBuster 4.5.11.10 10.89.11/634093 2008-10-08 1.51 -


VirSCAN.org Scanned Report :
Scanned time : 2008/10/08 21:15:27 (EDT)
Scanner results: 35% Scanner(13/37) found malware!
File Name : pScripts.exe
File Size : 23040 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3137334d39421a01efb02c2020236772
SHA1 : 781f4bb65dabd7854af31cd709b8265714736e76
Online report : http://virscan.org/report/24acc6b0dd8326d1...f5e73648b6.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.16 2008.10.07 2008-10-07 1.44 -
AhnLab V3 2008.10.09.00 2008.10.09 2008-10-09 1.00 -
AntiVir 7.8.1.34 7.0.7.14 2008-10-08 3.08 TR/Downloader.Gen
Arcavir 1.0.5 200810081436 2008-10-08 1.57 Heur.W32
Authentium 5.1.1 200810012118 2008-10-01 2.38 W32/Ristix.A (Heuristic)
AVAST! 3.0.1 081008-1 2008-10-08 0.77 -
AVG 7.5.52.442 270.7.6/1715 2008-10-08 1.64 Downloader.Generic7.AWRO
BitDefender 7.60825.1846949 7.21198 2008-10-09 7.42 -
CA (VET) 9.0.0.143 31.6.6135 2008-10-08 5.09 -
ClamAV 0.94 8396 2008-10-09 0.02 -
Comodo 2.11 2.0.0.670 2008-10-08 0.42 -
CP Secure 1.1.0.715 2008.10.09 2008-10-09 6.04 -
Dr.Web 4.44.0.9170 2008.10.08 2008-10-08 3.28 -
ewido 4.0.0.2 2008.10.08 2008-10-08 2.90 -
F-Prot 4.4.4.56 20081008 2008-10-08 1.03 W32/Zbot.I.gen!Eldorado (generic, not disinfectable)
F-Secure 5.51.6100 2008.10.08.12 2008-10-08 3.50 -
Fortinet 2.81-3.113 9.626 2008-10-08 0.18 Suspicious
ViRobot 20081008 2008.10.08 2008-10-08 0.40 -
Ikarus T3.1.01.34 2008.10.08.71604 2008-10-08 3.48 Trojan-Downloader
JiangMin 11.0.706 2008.10.08 2008-10-08 1.25 -
Kaspersky 5.5.10 2008.10.08 2008-10-08 0.03 -
KingSoft 2008.9.8.18 2008.10.8.17 2008-10-08 0.64 -
McAfee 5.3.00 5401 2008-10-08 2.06 Generic.dx
Microsoft 1.4005 2008.10.09 2008-10-09 5.73 -
mks_vir 2.01 2008.10.08 2008-10-08 2.65 Heur.W32
Norman 5.93.01 5.93.00 2008-10-08 5.24 W32/DLoader.JXUI
Panda 9.05.01 2008.10.08 2008-10-08 2.14 Generic Trojan
Trend Micro 8.700-1004 5.590.02 2008-10-08 0.03 Mal_DRPR-3
Quick Heal 9.50 2008.10.08 2008-10-08 1.81 -
Rising 20.0 20.65.22.00 2008-10-08 0.99 -
Sophos 2.79.0 4.34 2008-10-09 1.81 -
Sunbelt 3.1.1708.1 2293 2008-10-08 0.52 -
Symantec 1.3.0.24 20081008.003 2008-10-08 0.07 -
nProtect 2008-10-08.00 2212818 2008-10-08 7.17 -
The Hacker 6.3.1.0 v00103 2008-10-07 0.44 -
VBA32 3.12.8.6 20081007.1506 2008-10-07 1.36 Embedded.Win32.Agent.YNL (suspicious)
VirusBuster 4.5.11.10 10.89.11/634093 2008-10-08 0.87 -


File tmpacj2.exe received on 10.09.2008 03:23:35 (CET)
Current status: finished
Result: 0/36 (0%)



Antivirus Version Last Update Result
AhnLab-V3 2008.10.3.2 2008.10.08 -
AntiVir 7.8.1.34 2008.10.08 -
Authentium 5.1.0.4 2008.10.08 -
Avast 4.8.1248.0 2008.10.08 -
AVG 8.0.0.161 2008.10.09 -
BitDefender 7.2 2008.10.08 -
CAT-QuickHeal 9.50 2008.10.08 -
ClamAV 0.93.1 2008.10.08 -
DrWeb 4.44.0.09170 2008.10.08 -
eSafe 7.0.17.0 2008.10.08 -
eTrust-Vet 31.6.6135 2008.10.08 -
Ewido 4.0 2008.10.08 -
F-Prot 4.4.4.56 2008.10.08 -
F-Secure 8.0.14332.0 2008.10.08 -
Fortinet 3.113.0.0 2008.10.08 -
GData 19 2008.10.09 -
Ikarus T3.1.1.34.0 2008.10.09 -
K7AntiVirus 7.10.488 2008.10.08 -
Kaspersky 7.0.0.125 2008.10.08 -
McAfee 5400 2008.10.07 -
Microsoft 1.4005 2008.10.08 -
NOD32 3504 2008.10.08 -
Norman 5.80.02 2008.10.07 -
Panda 9.0.0.4 2008.10.09 -
PCTools 4.4.2.0 2008.10.08 -
Prevx1 V2 2008.10.09 -
Rising 20.65.22.00 2008.10.08 -
SecureWeb-Gateway 6.7.6 2008.10.08 -
Sophos 4.34.0 2008.10.09 -
Sunbelt 3.1.1708.1 2008.10.08 -
Symantec 10 2008.10.08 -
TheHacker 6.3.1.0.103 2008.10.07 -
TrendMicro 8.700.0.1004 2008.10.08 -
VBA32 3.12.8.6 2008.10.07 -
ViRobot 2008.10.8.1412 2008.10.08 -
VirusBuster 4.5.11.0 2008.10.08 -
Additional information
File size: 389120 bytes
MD5...: 6d778e0f95447e6546553eeea709d03c
SHA1..: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
SHA256: 62abed7d45040381bbced97ea7b6c697b418448fd3322fd4bfb2bbfdb6155eb4
SHA512: a9401d8b077a48c0b6dd3443e62703d53513208f49d7b44d14f722f4c5400ffaca59582ca066d92d68a72aa96278bed1b2c5d8f1b85d5ef964d06e979a9ac09f
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4ad05046
timedatestamp.....: 0x48025baf (Sun Apr 13 19:14:55 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1f620 0x1f800 6.58 67557095d2941262a733cea0bc7ab480
.data 0x21000 0x1ca24 0x1ca00 0.17 ac08e12c2ca9c0b872b354378edde336
.rsrc 0x3e000 0x228a0 0x22a00 3.83 1586a8d471cd77b625c608210b6f5e5f

( 3 imports )
> KERNEL32.dll: FlushConsoleInputBuffer, LoadLibraryA, InterlockedExchange, FreeLibrary, LocalAlloc, GetVDMCurrentDirectories, CmdBatNotification, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetThreadLocale, GetDiskFreeSpaceExW, CompareFileTime, RemoveDirectoryW, GetCurrentDirectoryW, SetCurrentDirectoryW, TerminateProcess, WaitForSingleObject, GetExitCodeProcess, CopyFileW, SetFileAttributesW, DeleteFileW, SetFileTime, CreateDirectoryW, FillConsoleOutputAttribute, SetConsoleTextAttribute, ScrollConsoleScreenBufferW, FormatMessageW, DuplicateHandle, FlushFileBuffers, HeapReAlloc, HeapSize, GetFileAttributesExW, LocalFree, GetDriveTypeW, InitializeCritica