Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

persistant trojan in registry- hijack this log enclosed [RESOLVED]


  • This topic is locked This topic is locked

#16
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Lets try this once again. Seems that files a spawning.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

Collect::
C:\WINDOWS\system32\lrkjod.dll
C:\Documents and Settings\Ruben\Local Settings\Temp\recfl.nls
C:\WINDOWS\system32\tesrssn.nls

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eernn"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"qjkcletm"=-


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.
  • 0

Advertisements


#17
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
ComboFix 08-04-13.3 - Administrator 2008-04-18 17:02:22.8 - NTFSx86 MINIMAL
Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lrkjod.dll
C:\WINDOWS\system32\tesrssn.nls

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-15 19:17 . 2008-04-18 15:39 <DIR> d-------- C:\fixwareout
2008-04-14 11:26 . 2008-04-14 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-04-14 07:21 . 2008-04-14 07:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-13 13:33 . 2008-04-13 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 13:16 . 2008-04-13 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-04-13 08:30 . 2008-04-13 08:30 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 08:04 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-13 08:04 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-13 08:03 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-13 08:03 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-13 08:03 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-13 08:03 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-13 08:03 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-13 08:03 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-13 08:02 . 2008-04-13 08:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-13 08:02 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-13 08:02 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-13 08:02 . 2003-03-18 13:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-13 08:02 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-13 08:02 . 2003-02-20 21:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-13 07:27 . 2008-04-13 07:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 07:05 . 2008-04-13 07:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 11:44 . 2008-04-13 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:44 . 2008-04-09 11:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\MSN6
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 12:18 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-09 02:55 --------- d-----w C:\Documents and Settings\Ruben\Application Data\LimeWire
2008-03-18 04:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Walgreens
2008-03-14 00:05 --------- d-----w C:\Program Files\Azureus
2008-03-14 00:05 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Azureus
2008-03-03 22:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-03 22:13 --------- d-----w C:\Program Files\Avanquest update
2008-03-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-03 22:08 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-03 22:08 --------- d-----w C:\Documents and Settings\Ruben\Application Data\InstallShield
2008-03-03 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-01 05:38 --------- d-----w C:\Program Files\Apple Software Update
2008-03-01 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-01 05:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Snapfish
2008-02-23 15:58 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Ahead
.

------- Sigcheck -------

2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-15_21.38.28.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 01:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-18 21:05:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2004-08-04 06:56:50 113,664 ----a-w C:\WINDOWS\system32\kltqeifhqdp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 14:56 45056]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 14:33 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 14:33 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 14:33 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 12:37 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 18:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10397:TCP"= 10397:TCP:@xpsp2res.dll,-22005
"7480:TCP"= 7480:TCP:@xpsp2res.dll,-22005
"22423:TCP"= 22423:TCP:@xpsp2res.dll,-22005
"30874:TCP"= 30874:TCP:@xpsp2res.dll,-22005

S1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 12:31]
S2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 15:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 15:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 05:38:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 17:05:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-18 17:06:04
ComboFix-quarantined-files.txt 2008-04-18 22:05:37
ComboFix2.txt 2008-04-18 20:45:22
ComboFix3.txt 2008-04-18 04:55:12
ComboFix4.txt 2008-04-16 20:54:47
ComboFix5.txt 2008-04-16 20:23:22

Pre-Run: 72,241,606,656 bytes free
Post-Run: 72,230,932,480 bytes free




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:09 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [eernn] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\bokagkktcaj.sys" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [qjkcletm] rundll32.exe "C:\WINDOWS\system32\kltqeifhqdp.dll" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 4247 bytes
  • 0

#18
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
i have submitted second zip file
  • 0

#19
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, desireejassel :)

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [eernn] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\bokagkktcaj.sys" WLEntryPoint

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Lets check for remnants:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a Hijackthis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#20
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Quick Scan
Objects scanned: 27185
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 63
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{06faccd2-c7bb-4612-88de-338120477578} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0bc37c25-432c-4ec4-95b4-0f860c1bdfe3} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{18c0c3dc-9b12-45c8-8243-11a32babc050} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{20b5789d-76b8-41c3-92d2-72b322d0d81d} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248c5ea6-af58-4a11-97a4-72b183232e58} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e8986d0-b571-4a3a-a831-0621cfcd7be1} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{30073d4c-957a-4a2b-8dc7-ff57ea3d3dfb} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{30576ee7-054c-4faf-801b-703845928839} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{59fe90af-3bf6-489b-9181-b1ee2a6ce64a} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{65f3c1a2-ec45-445f-b2e5-7fff05344ca0} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{78f4493f-42f4-4ef6-a417-042dd0a7e0af} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{818dd1ed-83b4-4ef0-99f9-e4a6d73e2456} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{853be7bd-f267-4750-b072-2b6b11d3d70c} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8eb10171-6058-4822-baf3-3da829caca4e} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{91a4a1c5-7fe7-41f1-9d23-cee9d3064175} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{91bd0deb-7196-46b1-9cd0-c26b7b3ab72e} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{93c9f61d-51b6-47ee-8fe5-36185021222b} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{99bcd932-0d63-4f7e-8faa-dbd12b9f494c} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9b99e76d-9081-41c2-ae6e-e43cf752ac71} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9da1ffd9-3cd7-4cb5-8c0b-dcdea5663ae0} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{abe1716e-6f32-4d6f-8f3d-73425d396bdb} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae4a9ec4-1dfe-425f-8fc7-501fb6cbf132} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c53fef45-3339-4d96-83c7-2f4bf389fa7b} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cd0ab90e-4a7f-4f0e-9cfa-5cc428649265} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0271652-93b4-4bc5-afc7-fb41e0d5004c} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e187f1a7-86bf-4df8-8d3c-33c1d1e50f3a} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e98f32d4-89dd-4e7d-96b8-e1b8d1c22eb2} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f3847cce-f74a-43ea-a323-3ac984c3443e} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ffe3c26d-fa6d-4884-bd7a-bc1d778eee94} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f4aaeb6d-3735-45aa-a22b-924cc4882d9c} (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\luapvs.tchongabho (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf26fac0-7d4e-46d8-ae64-b277b11443ac} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14e6d991-db22-4661-981d-20c168d6847b} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2242513c-f5e9-41b3-bc89-4d9daf487450} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3b489b37-fc1b-45c8-b1ce-78d9aef5b336} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3d6a6e24-fdff-418e-a93d-9fbdcba377af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e318e44-0c35-4292-af91-18dd17795636} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{495349a3-3a35-465f-88df-6ccfc1348246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{575e8879-d6cf-4992-a7fe-651da9277bcb} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76a15001-ff88-47ee-9e34-9f68e34246af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{819a1c55-735f-4696-8727-3772ec87ad26} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8dc7e656-ffbc-4ba2-af81-1c6c4fe04407} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a86bed71-2b56-4778-9c48-829a3d01c687} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae119e11-cf86-43cb-91aa-1acf2bbf9ec6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a1ce7f-011d-4475-98db-076aaf3b1d18} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b667f141-171c-4ac6-bd2b-8e0c646fb920} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4f8351-05ef-4956-b9ab-1093b732436f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e1e4e46d-53b8-45dc-abf0-3e7adef79012} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{83b0cadc-ea64-4ac6-822a-3ece95f44da6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\icasServ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\luapvs.tchongabho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmqlgcfn (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qjkcletm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\Autorun (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Ruben\Start Menu\Programs\VirusHeat 4.3 (Rogue.VirusHeat) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Ruben\Local Settings\temp\bokagkktcaj.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kltqeifhqdp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lgnalkj.sys (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Ruben\Local Settings\temp\bgmtbhjiaqn.nls (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Local Settings\temp\gafgoi.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Start Menu\Programs\VirusHeat 4.3\Uninstall VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3 Website.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Start Menu\Programs\VirusHeat 4.3\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Start Menu\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Desktop\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ruben\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusHeat 4.3.lnk (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\csrss.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:57 PM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [cbafibjq] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\gndjprkbd.sys" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [iiiopj] rundll32.exe "C:\WINDOWS\system32\sqanaonnae.sys" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 4459 bytes
  • 0

#21
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, desireejassel :)

Posted ImagePlease download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [cbafibjq] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\gndjprkbd.sys" WLEntryPoint

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Please do an online scan with Kaspersky WebScanner (Use internet Explorer)

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a Hijackthis log.

  • 0

#22
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 18, 2008 11:57:16 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/04/2008
Kaspersky Anti-Virus database records: 715009
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 42784
Number of viruses found: 52
Number of infected objects: 212
Number of suspicious objects: 0
Duration of the scan process: 00:26:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\[4][email protected]/lrkjod.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Administrator\Desktop\[4][email protected]/tesrssn.nls Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Administrator\Desktop\[4][email protected] ZIP: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008041820080419\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruben\Local Settings\temp\bllqdjimmpr.nls Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Ruben\Local Settings\temp\dehflds.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\Documents and Settings\Ruben\Local Settings\temp\lkbdppiffp.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\A0.tmp.vir Infected: Trojan-Spy.Win32.Zbot.avh skipped
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\cftmon.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\Documents and Settings\Ruben\cftmon.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\gavurjjf.exe.vir Infected: Trojan.Win32.Agent.kcj skipped
C:\QooBox\Quarantine\C\gjtxc.exe.vir Infected: Worm.Win32.Socks.by skipped
C:\QooBox\Quarantine\C\lilsesn.exe.vir Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\QooBox\Quarantine\C\pOXJ.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\Program Files\Bat\Bat.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\QooBox\Quarantine\C\Program Files\Bat\Info.dll.vir Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\QooBox\Quarantine\C\Program Files\BraveSentry\BraveSentry.exe.vir Infected: not-a-virus:FraudTool.Win32.BraveSentry.m skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\Helper\1208089291.dll.vir Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbmdl.dll.vir Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbmntr.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\sbsm.exe.vir Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\scit.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ldc skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\scm.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\QooBox\Quarantine\C\Program Files\NetProject\waun.exe.vir Infected: Trojan-Downloader.Win32.Zlob.lde skipped
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack15.exe.vir Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\QooBox\Quarantine\C\Program Files\SCURIT~1\svchost.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\QooBox\Quarantine\C\WINDOWS\Installer\{7021957c-9195-4357-84c1-f696a7614968}\DrvSys.dll.vir Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\QooBox\Quarantine\C\WINDOWS\kavir.exe.vir Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\QooBox\Quarantine\C\WINDOWS\lfn.exe.vir Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu27.exe.vir Infected: Trojan-Downloader.Win32.Homles.bf skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\000090.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\215651\215651.dll.vir Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\3532924907m.exe.vir Infected: Backdoor.Win32.IRCBot.clv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\accesse.dll.vir Infected: Backdoor.Win32.Agent.frr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\admparses.exe.vir Infected: Backdoor.Win32.IRCBot.clv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\advpacku.exe.vir Infected: Backdoor.Win32.IRCBot.clv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\alt.exe.exe.vir Infected: Trojan.Win32.Agent.jdn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q2.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q5.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q6.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dllgh8jkd1q7.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\asc3550p.sys.vir Infected: Trojan.Win32.Pakes.cly skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\spools.exe.vir Infected: Worm.Win32.Socks.bn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gavurjjf.exe.vir Infected: Trojan.Win32.Agent.kcj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gnernqairjp.sys.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ilsbelknidg.sys.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\japojatkrap.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jfiehayd.dll.vir Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lrkjod.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\luapvs.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\maxpaynow1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\maxpaynowti1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\msdefender.exe.vir Infected: Trojan.Win32.Pakes.cmd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan-Spy.Win32.Zbot.avh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pgbitgbilsfal.dll.vir Infected: Email-Worm.Win32.Locksky.cm skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rkvdr.dll.vir Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqRhIYpM.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\shift.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvVOEwx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxg4am1et2.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxg6ame4.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga1me4t1.exe.vir Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga3me2.exe.vir Infected: Trojan-Downloader.Win32.VB.dql skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wind32.exe.vir Infected: Email-Worm.Win32.Zhelatin.wu skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmsdkns.exe.vir Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WNSXS~1\tаskmgr.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xkpisxen.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.okj skipped
C:\QooBox\Quarantine\C\WINDOWS\taskmon.exe.vir Infected: Trojan-Downloader.Win32.Tibs.ym skipped
C:\QooBox\Quarantine\C\WINDOWS\Temp\1396886080.exe.vir Infected: Backdoor.Win32.Agent.gjd skipped
C:\QooBox\Quarantine\C\WINDOWS\zeqbqwp.sys.vir Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip/Documents and Settings/Administrator/Desktop/catchme.zip/Wfn08.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip/Documents and Settings/Administrator/Desktop/catchme.zip/ddcYsRHB.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip/Documents and Settings/Administrator/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\QooBox\Quarantine\catchme2008-04-15_213618.20.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP63\A0005855.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.xf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP64\A0005865.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.mcg skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP64\A0005868.exe Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009848.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009849.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009853.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009854.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009855.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0009857.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010848.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010861.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010865.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010866.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0010867.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0011860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0012860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0013860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014860.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014869.exe Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014870.dll Infected: not-a-virus:FraudTool.Win32.AntiVirPro.k skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014883.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0014886.dll Infected: not-a-virus:AdWare.Win32.BHO.ajw skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015882.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015896.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015900.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015901.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0015902.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016902.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016903.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0016904.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017902.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017903.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0017904.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018895.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018902.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018903.sys Infected: Trojan.Win32.Pakes.cly skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0018912.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019902.dll Infected: Trojan-Downloader.Win32.Mutant.iz skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019906.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019912.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019923.exe Infected: Trojan.Win32.Patched.aa skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019923.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.xf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019925.dll Infected: Trojan-Downloader.Win32.Zlob.leb skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019926.exe Infected: Trojan-Downloader.Win32.Zlob.ldk skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019927.exe Infected: Trojan-Downloader.Win32.Zlob.lda skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019928.exe Infected: Trojan-Downloader.Win32.Zlob.ldc skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019929.exe Infected: Trojan-Downloader.Win32.Zlob.ldf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019931.exe Infected: Trojan-Downloader.Win32.Zlob.lde skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019932.exe Infected: not-a-virus:FraudTool.Win32.BraveSentry.m skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019935.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019939.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019942.exe Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019943.exe Infected: not-a-virus:AdWare.Win32.AdBand.x skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019944.exe Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019947.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019950.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019951.exe Infected: Email-Worm.Win32.Zhelatin.wu skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019952.exe Infected: Trojan-Downloader.Win32.Tibs.ym skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019953.exe Infected: Trojan.Win32.Pakes.cmd skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019956.exe Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019959.exe Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019960.exe Infected: not-virus:Hoax.Win32.Renos.bqi skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019961.dll Infected: not-virus:Hoax.Win32.Agent.bv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019962.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019965.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019965.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019965.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019967.dll Infected: not-a-virus:AdWare.Win32.E404.x skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019968.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019969.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.npx skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.okj skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0019985.exe Infected: Trojan-Downloader.Win32.Agent.lfo skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0021045.exe Infected: Trojan-Spy.Win32.Zbot.avh skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0021046.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022127.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022181.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022322.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022325.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022329.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022330.exe Infected: Trojan.Win32.Agent.kcj skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022331.exe Infected: Worm.Win32.Socks.by skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022332.exe Infected: Trojan-Clicker.Win32.Costrat.fl skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022333.exe Infected: Worm.Win32.Socks.bn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022335.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022335.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022339.exe Infected: Trojan-Downloader.Win32.Homles.bf skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022342.exe Infected: Backdoor.Win32.IRCBot.clv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022343.dll Infected: Backdoor.Win32.Agent.frr skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022344.exe Infected: Backdoor.Win32.IRCBot.clv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022345.exe Infected: Backdoor.Win32.IRCBot.clv skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022346.exe Infected: Trojan.Win32.Agent.jdn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022347.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022348.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022349.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022350.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022351.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022353.exe Infected: Trojan.Win32.Agent.kcj skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022355.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022356.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022357.dll Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022358.dll Infected: not-a-virus:AdWare.Win32.BHO.ank skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022359.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022360.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022361.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022362.exe Infected: Email-Worm.Win32.Zhelatin.xh skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022363.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022364.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022365.exe Infected: Trojan-Downloader.Win32.Tibs.yn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022366.exe Infected: Trojan-Downloader.Win32.VB.dql skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022368.sys Infected: Trojan-Clicker.Win32.Costrat.fn skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022481.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022593.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022601.exe Infected: Trojan.Win32.Agent.jol skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\A0022605.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\System Volume Information\_restore{48465052-9288-4739-A9E2-0DC2CA7C6012}\RP65\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\explorer.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\lsass.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\mjrei.nls Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\psegkrlfrgt.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\services.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\sqanaonnae.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\svchost.exe Infected: Trojan.Win32.Patched.aa skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.aa skipped
F:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitfraudFix.exe RarSFX: infected - 2 skipped
F:\[4][email protected]/lrkjod.dll Infected: Email-Worm.Win32.Locksky.cm skipped
F:\[4][email protected]/tesrssn.nls Infected: Email-Worm.Win32.Locksky.cm skipped
F:\[4][email protected] ZIP: infected - 2 skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:20 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [rgpst] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\dehflds.sys" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [iiiopj] rundll32.exe "C:\WINDOWS\system32\sqanaonnae.sys" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 4535 bytes
  • 0

#23
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\Documents and Settings\Administrator\Desktop\[4][email protected]
C:\Documents and Settings\Ruben\Local Settings\temp\bllqdjimmpr.nls
C:\Documents and Settings\Ruben\Local Settings\temp\dehflds.sys
C:\Documents and Settings\Ruben\Local Settings\temp\lkbdppiffp.dll
C:\WINDOWS\system32\mjrei.nls
C:\WINDOWS\system32\psegkrlfrgt.dll
C:\WINDOWS\system32\sqanaonnae.sys
F:\[4][email protected]


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

Additonally, ComboFix will generate a zipped file on your desktop called Submit [Date Time].zip
Please submit this file to:

http://www.bleepingc...e.php?channel=4


Please include a link to this topic in the message.

Please go to Virus Total and scan the following files:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe


Post the reports on your next reply.

Download the enclosed folder. Save and extract its contents to the desktop. It is a batch file to search for every instance of these files in your computer. Once extracted, open the folder and click on the RunMe.bat file. Post the contents of the results.txt it shall produce.
  • 0

#24
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
ComboFix 08-04-13.3 - Administrator 2008-04-19 23:05:19.9 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.354 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Administrator\Desktop\[4][email protected]
C:\Documents and Settings\Ruben\Local Settings\temp\bllqdjimmpr.nls
C:\Documents and Settings\Ruben\Local Settings\temp\dehflds.sys
C:\Documents and Settings\Ruben\Local Settings\temp\lkbdppiffp.dll
C:\WINDOWS\system32\mjrei.nls
C:\WINDOWS\system32\psegkrlfrgt.dll
C:\WINDOWS\system32\sqanaonnae.sys
F:\[4][email protected]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ruben\Local Settings\temp\bllqdjimmpr.nls
C:\Documents and Settings\Ruben\Local Settings\temp\dehflds.sys
C:\Documents and Settings\Ruben\Local Settings\temp\lkbdppiffp.dll
C:\WINDOWS\system32\mjrei.nls
C:\WINDOWS\system32\psegkrlfrgt.dll
C:\WINDOWS\system32\sqanaonnae.sys
F:\[4][email protected]

.
((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-18 22:53 . 2008-04-18 22:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 22:53 . 2008-04-18 22:53 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-18 22:53 . 2008-04-18 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-18 19:38 . 2008-04-18 19:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-18 19:38 . 2008-04-18 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-18 19:38 . 2008-04-18 19:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-04-15 19:17 . 2008-04-18 15:39 <DIR> d-------- C:\fixwareout
2008-04-14 11:26 . 2008-04-14 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-14 10:04 . 2008-04-14 10:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TrojanHunter
2008-04-14 07:21 . 2008-04-14 07:22 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-04-13 13:33 . 2008-04-13 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-13 13:16 . 2008-04-13 13:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-04-13 08:30 . 2008-04-18 19:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-13 08:04 . 2008-03-29 12:27 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-04-13 08:04 . 2008-03-29 12:29 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-04-13 08:03 . 2008-03-29 12:23 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-04-13 08:03 . 2008-03-29 12:35 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-04-13 08:03 . 2008-01-17 10:34 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-04-13 08:03 . 2008-03-29 12:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-13 08:03 . 2008-03-29 12:26 26,944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-04-13 08:03 . 2008-03-29 12:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-13 08:02 . 2008-04-13 08:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-04-13 08:02 . 2008-03-29 12:45 1,146,232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-04-13 08:02 . 2003-03-18 14:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-04-13 08:02 . 2003-03-18 13:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-04-13 08:02 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-04-13 08:02 . 2003-02-20 21:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-04-13 07:27 . 2008-04-13 07:53 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-13 07:05 . 2008-04-13 07:05 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:47 . 2008-04-09 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 11:44 . 2008-04-13 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-09 11:44 . 2008-04-09 11:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\Ruben\Application Data\MSN6
2008-03-25 00:28 . 2008-03-25 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 12:18 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
2008-04-09 02:55 --------- d-----w C:\Documents and Settings\Ruben\Application Data\LimeWire
2008-03-18 04:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Walgreens
2008-03-14 00:05 --------- d-----w C:\Program Files\Azureus
2008-03-14 00:05 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Azureus
2008-03-03 22:15 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-03-03 22:13 --------- d-----w C:\Program Files\Avanquest update
2008-03-03 22:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-03 22:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-03-03 22:08 --------- d-----w C:\Program Files\Common Files\Motorola Shared
2008-03-03 22:08 --------- d-----w C:\Documents and Settings\Ruben\Application Data\InstallShield
2008-03-03 19:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-01 05:38 --------- d-----w C:\Program Files\Apple Software Update
2008-03-01 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-01 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Kodak
2008-03-01 05:30 --------- d-----w C:\Program Files\Common Files\Kodak
2008-03-01 05:01 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Snapfish
2008-02-23 15:58 --------- d-----w C:\Documents and Settings\Ruben\Application Data\Ahead
.

------- Sigcheck -------

2001-08-18 07:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 01:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-04-13 07:18 17408 c357a9031d4c637112df2a4a8fa21ac4 C:\WINDOWS\system32\svchost.exe

2001-08-18 07:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-04 00:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys

2001-08-18 07:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 01:56 506368 b270125e1557a24f8de54857d8199dcf C:\WINDOWS\system32\winlogon.exe

2004-08-04 01:56 1034752 99641a4d634ddf0403ac065c51b365e7 C:\WINDOWS\explorer.exe
2001-08-18 07:00 1000960 5a26fc6010886d25b3e412493dd95ed8 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 01:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-15_21.38.28.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 01:05:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 03:55:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 14:56 45056]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 15:12 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 13:25 14720000 C:\WINDOWS\RTHDCPL.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-29 14:33 94208]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-29 14:33 77824]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-29 14:33 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 12:37 79224]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]
"rgpst"="C:\DOCUME~1\Ruben\LOCALS~1\Temp\dehflds.sys WLEntryPoint" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 05:33:46 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"iiiopj"= rundll32.exe "C:\WINDOWS\system32\sqanaonnae.sys" WLEntryPoint

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 18:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22383:TCP"= 22383:TCP:@xpsp2res.dll,-22005
"20498:TCP"= 20498:TCP:@xpsp2res.dll,-22005
"62737:TCP"= 62737:TCP:@xpsp2res.dll,-22005
"8252:TCP"= 8252:TCP:@xpsp2res.dll,-22005

S1 aswsp;avast! Self Protection;C:\WINDOWS\system32\drivers\aswsp.sys [2008-03-29 12:31]
S2 aswfsblk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 12:35]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 15:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 motport;Motorola USB Diagnostic Port;C:\WINDOWS\system32\DRIVERS\motport.sys [2007-02-27 15:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 05:38:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 23:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 23:07:46
ComboFix-quarantined-files.txt 2008-04-20 04:07:38
ComboFix2.txt 2008-04-18 22:06:05
ComboFix3.txt 2008-04-18 20:45:22
ComboFix4.txt 2008-04-18 04:55:12
ComboFix5.txt 2008-04-16 20:54:47

Pre-Run: 72,209,694,720 bytes free
Post-Run: 72,198,656,000 bytes free





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:18 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aprotecti.../test/?c=419608
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [rgpst] rundll32.exe "C:\DOCUME~1\Ruben\LOCALS~1\Temp\dehflds.sys" WLEntryPoint
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [iiiopj] rundll32.exe "C:\WINDOWS\system32\sqanaonnae.sys" WLEntryPoint
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 4501 bytes
  • 0

#25
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
File explorer.exe received on 04.20.2008 06:25:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 17/32 (53.13%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 TR/Patched.AA.15
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 Win32:Patched-CK
AVG 7.5.0.516 2008.04.19 Win32/PEPatch.AO
BitDefender 7.2 2008.04.20 Trojan.Patched.U
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 Trojan.Agent-5069
DrWeb 4.44.0.09170 2008.04.19 Trojan.Starter.384
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan.Win32.Patched.aa
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 Trojan.Win32.Patched.ai
Kaspersky 7.0.0.125 2008.04.20 Trojan.Win32.Patched.aa
McAfee 5277 2008.04.18 W32/PEPatcher.c
Microsoft 1.3408 2008.04.20 Trojan:Win32/Patched.B
NOD32v2 3041 2008.04.19 Win32/TrojanProxy.Agent.NCI
Norman 5.80.02 2008.04.18 W32/Smalltroj.CCBD
Panda 9.0.0.4 2008.04.19 W32/PatchLog.gen
Prevx1 V2 2008.04.20 -
Rising 20.40.52.00 2008.04.19 Trojan.Win32.Patched.aa
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 Win32.Agent.IMP
Webwasher-Gateway 6.6.2 2008.04.18 Trojan.Patched.AA.15
Additional information
File size: 1034752 bytes
MD5...: 99641a4d634ddf0403ac065c51b365e7
SHA1..: a7467be548127692552d7f577deb1dc9c85db45a
SHA256: b9840018b9621f3487d5dc32d1e59e644004c6833d919140a0cc31d5ac60ae29
SHA512: b074b65c2fd7b7dc2ead6ed3addca3fdda9482b7bfc20e4b4fcb6d1e52dc9b7d
2b41b33d38d7a5763b14c629a399d9029395eb2126e7678d20247feece96c9df
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10ff000
timedatestamp.....: 0x41107ece (Wed Aug 04 06:14:38 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44689 0x44800 6.38 b257b3cd7102cece46cd7366aff0f34b
.data 0x46000 0x1d90 0x1800 1.29 d0b87d8ce5a34731be197efb73b5d7bf
.rsrc 0x48000 0xb2278 0xb2400 6.63 abf6dc1befe1a4a4c7f6ef51d1a6f907
.reloc 0xfb000 0x5000 0x4200 6.27 0cb0268ac97106b255d9514d221da122

( 13 imports )
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, RegisterWaitForSingleObject, OpenEventW, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, DelayLoadFailureHook, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, GetFileAttributesExW, MulDiv, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, InitializeCriticalSectionAndSpinCount
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, SetTextColor, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, CreateRectRgnIndirect, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, CopyRect, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, PtInRect, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, ModifyMenuW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, StrCmpNW, -, -
> SHELL32.dll: -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, ShellExecuteExW, -, -, -, -, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, SHGetSpecialFolderLocation, -, -, -, -, SHGetSpecialFolderPathW, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> BROWSEUI.dll: -, -, -, -
> SHDOCVW.dll: -, -, -
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )






File lsass.exe received on 04.20.2008 06:34:57 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 17/32 (53.13%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HEUR/Malware
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 Win32:Patched-CK
AVG 7.5.0.516 2008.04.19 Win32/PEPatch.AO
BitDefender 7.2 2008.04.20 Trojan.Patched.U
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 Trojan.Agent-5069
DrWeb 4.44.0.09170 2008.04.19 Trojan.Starter.384
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan.Win32.Patched.aa
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 Trojan.Win32.Patched.aa
Kaspersky 7.0.0.125 2008.04.20 Trojan.Win32.Patched.aa
McAfee 5277 2008.04.18 W32/PEPatcher.c
Microsoft 1.3408 2008.04.20 Trojan:Win32/Patched.B
NOD32v2 3041 2008.04.19 Win32/TrojanProxy.Agent.NCI
Norman 5.80.02 2008.04.18 W32/Smalltroj.DGHM
Panda 9.0.0.4 2008.04.19 W32/PatchLog.gen
Prevx1 V2 2008.04.20 -
Rising 20.40.52.00 2008.04.19 Trojan.Win32.Patched.aa
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 Win32.Agent.IMP
Webwasher-Gateway 6.6.2 2008.04.18 Heuristic.Malware
Additional information
File size: 14848 bytes
MD5...: 0ac6fcda303f54e1e68f579a7d3a0c4b
SHA1..: 7f6960a6f6cdeaf37467d32946ec5c30fc32a929
SHA256: 31339bfe50e0f89b6b8ead7446d047c848e2094b5f0d47d317d7dd56389548d2
SHA512: b03a29679f1cf1a4c969b2f8d34b9e494d57b5476ba52349e6a19eb41e2d5c78
5ffc79bc751ec23264b3c7104929aecc6e317398e17b2da46ad19b0b46bd9670
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1006000
timedatestamp.....: 0x41107b4d (Wed Aug 04 05:59:41 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d0 0x1200 6.01 d107b4f218abee66665545859fb9cc89
.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x3000 0x2200 6.46 9df6775850a1f9da2b23f10d15d41ad6

( 5 imports )
> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
> SAMSRV.dll: SamIInitialize, SampUsingDsData

( 0 exports )



File services.exe received on 04.20.2008 06:45:05 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 18/32 (56.25%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 45 and 65 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HEUR/Malware
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 Win32:Patched-CK
AVG 7.5.0.516 2008.04.19 Win32/PEPatch.AO
BitDefender 7.2 2008.04.20 Trojan.Patched.U
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 Trojan.Agent-5069
DrWeb 4.44.0.09170 2008.04.19 Trojan.Starter.384
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan.Win32.Patched.aa
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 Win32.Starter.A
Kaspersky 7.0.0.125 2008.04.20 Trojan.Win32.Patched.aa
McAfee 5277 2008.04.18 W32/PEPatcher.c
Microsoft 1.3408 2008.04.20 Trojan:Win32/Patched.B
NOD32v2 3041 2008.04.19 Win32/TrojanProxy.Agent.NCI
Norman 5.80.02 2008.04.18 W32/Patched.A
Panda 9.0.0.4 2008.04.19 W32/PatchLog.gen
Prevx1 V2 2008.04.20 Heuristic: Suspicious Self Modifying File
Rising 20.40.52.00 2008.04.19 Trojan.Win32.Patched.aa
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 Win32.Agent.IMP
Webwasher-Gateway 6.6.2 2008.04.18 Heuristic.Malware
Additional information
File size: 110592 bytes
MD5...: 7a9084adeca39cef5725bd21a157fa2f
SHA1..: 023f6b7790fae2bb80787d00cf4196ec0ef61e64
SHA256: fc2af331b80f2a56efc1bac268ae6c071ab7b5c033b67bd4a4ed8e546fe472ef
SHA512: 6e8bcd3793d5a1f475f04801318ec4478c8ea901b6ad9b987b24b8891790a59d
d718c63b3a09f76cdfbd731e9007f520bddf62cbfc671d1003ca3f498b5cb68c
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x101c000
timedatestamp.....: 0x41107eb3 (Wed Aug 04 06:14:11 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x18f55 0x19000 6.26 b20d7426baadb5d61b21b7f45648ecfa
.data 0x1a000 0xa14 0xa00 2.05 fd6fc84823efda2858a97fe8e6dd8f76
.rsrc 0x1b000 0x2000 0x1200 2.15 694832fc56f43d9c5eef9f649cb0edc0

( 10 imports )
> msvcrt.dll: wcsrchr, time, _except_handler3, memmove, wcschr, _c_exit, _exit, _XcptFilter, _cexit, _wcsicmp, exit, __initenv, __getmainargs, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, wcslen, wcsncmp, _wtol, wcscpy, _itow, _wcsnicmp, wcscat, _initterm, wcsncpy, wcscspn, _ultow
> ADVAPI32.dll: RegOpenKeyW, ConvertSidToStringSidW, LogonUserExW, LsaStorePrivateData, LsaLookupNames, LsaQueryInformationPolicy, OpenThreadToken, RegNotifyChangeKeyValue, InitializeSecurityDescriptor, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetServiceStatus, SystemFunction029, SystemFunction005, CheckTokenMembership, FreeSid, AllocateAndInitializeSid, SetSecurityDescriptorOwner, GetSecurityDescriptorDacl, GetLengthSid, CopySid, InitializeAcl, AddAce, SetSecurityDescriptorDacl, LsaOpenPolicy, LsaLookupSids, LsaFreeMemory, LsaClose, ImpersonateLoggedOnUser, CreateProcessAsUserW, GetTokenInformation, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, InitiateSystemShutdownW, RevertToSelf
> KERNEL32.dll: TerminateProcess, SetProcessShutdownParameters, lstrcmpiW, FormatMessageW, ExitThread, ReleaseMutex, DelayLoadFailureHook, RaiseException, GetExitCodeThread, SetErrorMode, SetUnhandledExceptionFilter, LoadLibraryA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcess, UnhandledExceptionFilter, GetModuleHandleA, CreateMutexW, LocalAlloc, LocalFree, Sleep, LeaveCriticalSection, EnterCriticalSection, SetLastError, CloseHandle, CreateThread, GetLastError, CreateProcessW, ExpandEnvironmentStringsW, InitializeCriticalSection, HeapAlloc, HeapFree, SetConsoleCtrlHandler, WaitForSingleObject, HeapCreate, FreeLibrary, GetProcAddress, GetModuleHandleExW, InterlockedCompareExchange, CreateNamedPipeW, ReadFile, CancelIo, GetOverlappedResult, WaitForMultipleObjects, ConnectNamedPipe, TransactNamedPipe, WriteFile, GetTickCount, GetSystemTimeAsFileTime, GetModuleHandleW, GetComputerNameW, CreateEventW, SetEvent, ResetEvent, DeviceIoControl, CreateFileW, ResumeThread, GetCurrentProcessId, LoadLibraryW, GetDriveTypeW, OpenEventW, GetCurrentThread
> USER32.dll: wsprintfW, BroadcastSystemMessageW, MessageBoxW, LoadStringW, RegisterServicesProcess
> RPCRT4.dll: RpcServerRegisterAuthInfoW, RpcBindingFree, RpcEpResolveBinding, RpcBindingFromStringBindingW, RpcStringBindingComposeW, NdrClientCall2, RpcAsyncCompleteCall, RpcAsyncInitializeHandle, NdrAsyncServerCall, NdrAsyncClientCall, RpcMgmtStopServerListening, RpcMgmtWaitServerListen, NdrServerCall2, I_RpcBindingIsClientLocal, RpcRevertToSelf, I_RpcMapWin32Status, RpcImpersonateClient, RpcStringBindingParseW, RpcStringFreeW, RpcBindingToStringBindingW, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcServerRegisterIf, RpcServerListen, RpcServerUnregisterIf
> ntdll.dll: RtlCreateAcl, NtCreateKey, NtQueryValueKey, NtSetValueKey, NtDeleteValueKey, NtEnumerateKey, NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, NtDeleteKey, RtlSetControlSecurityDescriptor, RtlValidSecurityDescriptor, RtlLengthSecurityDescriptor, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtAccessCheckAndAuditAlarm, NtSetInformationThread, NtAdjustPrivilegesToken, NtDuplicateToken, NtOpenProcessToken, NtQueryInformationToken, RtlQuerySecurityObject, RtlAddAccessAllowedAce, RtlValidRelativeSecurityDescriptor, RtlMapGenericMask, RtlCopyUnicodeString, NtSetInformationFile, NtQueryInformationFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, NtWaitForSingleObject, NtQueryDirectoryFile, NtDeleteFile, NtSetInformationProcess, RtlUnhandledExceptionFilter, NtSetEvent, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlAllocateHeap, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, RtlUnicodeStringToAnsiString, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlNewSecurityObject, RtlAddAce, RtlSetOwnerSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSubAuthorityCountSid, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlCompareUnicodeString, NtLoadDriver, NtUnloadDriver, RtlExpandEnvironmentStrings_U, RtlAdjustPrivilege, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, RtlAreAllAccessesGranted, NtDeleteObjectAuditAlarm, NtCloseObjectAuditAlarm, RtlQueueWorkItem, RtlCopyLuid, RtlDeregisterWait, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, RtlDeleteSecurityObject, RtlLockBootStatusData, RtlGetSetBootStatusData, RtlUnlockBootStatusData, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, NtSetSystemEnvironmentValue, RtlNtStatusToDosError, NtShutdownSystem, RtlSetSecurityObject, RtlMakeSelfRelativeSD, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtSetSecurityObject
> USERENV.dll: UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock
> SCESRV.dll: ScesrvInitializeServer, ScesrvTerminateServer
> umpnpmgr.dll: RegisterScmCallback, PNP_SetActiveService, PNP_GetDeviceRegProp, PNP_GetDeviceListSize, PNP_GetDeviceList, PNP_HwProfFlags, RegisterServiceNotification, DeleteServicePlugPlayRegKeys
> NCObjAPI.DLL: WmiSetAndCommitObject, WmiEventSourceConnect, WmiCreateObjectWithFormat

( 0 exports )

Prevx info: http://info.prevx.co...33924001742B819




File svchost.exe received on 04.20.2008 06:55:56 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 17/32 (53.13%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 45 and 65 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 HEUR/Malware
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 Win32:Patched-CK
AVG 7.5.0.516 2008.04.19 Win32/PEPatch.AO
BitDefender 7.2 2008.04.20 Trojan.Patched.U
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 Trojan.Agent-5069
DrWeb 4.44.0.09170 2008.04.19 Trojan.Starter.384
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan.Win32.Patched.aa
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 Trojan.Win32.Patched.aa
Kaspersky 7.0.0.125 2008.04.20 Trojan.Win32.Patched.aa
McAfee 5277 2008.04.18 W32/PEPatcher.c
Microsoft 1.3408 2008.04.20 Trojan:Win32/Patched.B
NOD32v2 3041 2008.04.19 Win32/TrojanProxy.Agent.NCI
Norman 5.80.02 2008.04.18 W32/Smalltroj.CPXE
Panda 9.0.0.4 2008.04.19 W32/Patchlog.D
Prevx1 V2 2008.04.20 -
Rising 20.40.52.00 2008.04.19 Trojan.Win32.Patched.aa
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 Win32.Agent.IMP
Webwasher-Gateway 6.6.2 2008.04.18 Heuristic.Malware
Additional information
File size: 17408 bytes
MD5...: c357a9031d4c637112df2a4a8fa21ac4
SHA1..: 0e667acb54510520028d251878f20808fd4335e0
SHA256: 209bed7a0476745384467bec1cb63dec441c01388fb8a06ceb60aeb567c109a7
SHA512: 83373345de0d8144de56ca1631c77006e13f4b28abe2a6b6151ae4d82c1a3837
a92cd19bd2d076dc7c426d9ef0a9103b66a2e40406864704bc4eeaaa6511c02e
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1006000
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x2000 0x1200 1.55 9911195bec6dee515757f60fcfb73b9d

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )



File winlogon.exe received on 04.20.2008 07:04:41 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 17/32 (53.13%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 TR/Patched.AA.18
Authentium 4.93.8 2008.04.19 -
Avast 4.8.1169.0 2008.04.19 Win32:Patched-CK
AVG 7.5.0.516 2008.04.19 Win32/PEPatch.AO
BitDefender 7.2 2008.04.20 Trojan.Patched.U
CAT-QuickHeal 9.50 2008.04.19 -
ClamAV 0.92.1 2008.04.20 Trojan.Agent-5069
DrWeb 4.44.0.09170 2008.04.19 Trojan.Starter.384
eSafe 7.0.15.0 2008.04.17 -
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.19 -
F-Prot 4.4.2.54 2008.04.20 -
F-Secure 6.70.13260.0 2008.04.19 Trojan.Win32.Patched.aa
FileAdvisor 1 2008.04.20 -
Fortinet 3.14.0.0 2008.04.20 -
Ikarus T3.1.1.26 2008.04.20 Trojan.Win32.Patched.i
Kaspersky 7.0.0.125 2008.04.20 Trojan.Win32.Patched.aa
McAfee 5277 2008.04.18 W32/PEPatcher.c
Microsoft 1.3408 2008.04.20 Trojan:Win32/Patched.B
NOD32v2 3041 2008.04.19 Win32/TrojanProxy.Agent.NCI
Norman 5.80.02 2008.04.18 W32/Patched.A
Panda 9.0.0.4 2008.04.19 W32/PatchLog.gen
Prevx1 V2 2008.04.20 -
Rising 20.40.52.00 2008.04.19 Trojan.Win32.Patched.aa
Sophos 4.28.0 2008.04.20 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.20 -
TheHacker 6.2.92.285 2008.04.19 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.19 Win32.Agent.IMP
Webwasher-Gateway 6.6.2 2008.04.18 Trojan.Patched.AA.18
Additional information
File size: 506368 bytes
MD5...: b270125e1557a24f8de54857d8199dcf
SHA1..: 4b0955b62a9b5aed9556e95605ee362740f7dcc1
SHA256: bbf5bb983d86914367fcbf4087879cdcb5b271d38940848e393c6111f7fb7c1d
SHA512: 7ef22e71c419ce442a35f42f6eb3e3a8ee506b2bde0ad7d1d4051154edac6275
682141d7f1d77e9cfaae87c9b7ce148571085e05c51865da446f387119c89eae
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1080000
timedatestamp.....: 0x41107edc (Wed Aug 04 06:14:52 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6f288 0x6f400 6.82 5a133ab60f38b5d739d86c8290fa5a3c
.data 0x71000 0x4d90 0x2000 6.20 baa64d00a5f8a540a38a60d2aff66f30
.rsrc 0x76000 0xb000 0xa200 3.40 60448fcc7715160fc8844cb2bfae3762

( 20 imports )
> ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
> AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
> CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
> GDI32.dll: RemoveFontResourceW, AddFontResourceW
> KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, ExpandEnvironmentStringsW, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, DuplicateHandle, OpenProcess, GetOverlappedResult, GetVersionExA, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, DeleteCriticalSection, TlsGetValue, TlsAlloc, VirtualFree, TlsFree
> msvcrt.dll: _vsnwprintf, wcslen, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, __set_app_type, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
> NDdeApi.dll: -, -, -, -
> ntdll.dll: RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlCreateSecurityDescriptor, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtOpenDirectoryObject, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlInitString, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtSetInformationProcess
> PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
> PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
> REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
> RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
> Secur32.dll: GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, LsaCallAuthenticationPackage
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
> USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, KillTimer, GetMessageTime, SetLogonNotifyWindow, UnlockWindowStation, SetTimer, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, SetCursor, DefWindowProcW, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, RegisterClassW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
> USERENV.dll: WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, GetUserProfileDirectoryW, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, -
> VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
> WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon, _WinStationNotifyLogoff
> WINTRUST.dll: CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
> WS2_32.dll: -, getaddrinfo, -

( 0 exports )

Edited by desireejassel, 19 April 2008 - 11:11 PM.

  • 0

Advertisements


#26
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
----a-w 1,034,752 2004-08-04 06:56:50 C:\WINDOWS\explorer.exe
-c----w 1,000,960 2001-08-18 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
------w 1,032,192 2004-08-04 06:56:50 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 3,067,904 Blocks: 5,992

----a-w 14,848 2004-08-04 06:56:52 C:\WINDOWS\system32\lsass.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 14,848 Blocks: 29

----a-w 110,592 2004-08-04 06:56:56 C:\WINDOWS\system32\services.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 110,592 Blocks: 216

----a-w 17,408 2008-04-13 12:18:42 C:\WINDOWS\system32\svchost.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 17,408 Blocks: 34

----a-w 506,368 2004-08-04 06:56:58 C:\WINDOWS\system32\winlogon.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 506,368 Blocks: 989

Total Entries: 7 (7)
Total Directories: 0 Files: 7
Total Bytes: 3,717,120 Blocks: 7,260
  • 0

#27
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, desireejassel :)

Those files are major System Files. We will need to find a way to replace them.

I would like to get a sample of these files for further review.

First download the attached catchme.txt to your desktop.

Next,

Download catchme.exe from thespykiller forum here and save it to your desktop.

Alternate download: http://www2.gmer.net/catchme.exe

Double click the catchme.exe to run it and click on Add. A window will open with a list of files, select the catchme.txt on your desktop and press open. The files listed in it will appear in the catchme window. Now click on Zip to make a copy of this file which will be backed up to catchme.zip on your desktop.

Next, please go to TheSpykiller forum and upload this file so we can examine it. In order to do so, click on New Topic, fill in the needed details and give a link to your post here. ClIck on Browse and navigate to the Catchme.zip on your desktop select the .zip folder and once on the window, click on Post.( do not post HJT logs there as they will not get dealt with)

Let me know when done.

In order to replace these files I will need to know if you have the Windows XP installation CD. There are no replacements in the computer, thus the only option will be to extract these files from the CD.

Question, if available, is this CD SP2? If the CD is avalable, which drive letter uses the CD_ROM?
  • 0

#28
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Hi, desireejassel :)

Please remove the FindFiles.zip and the FindFiles folders I previously asked you to download from here. The batch file contains an error on the path to search.

Then download the enclosed one. Save and extract its contents to the desktop. Once extracted, open the FindFiles folder and doubleclick on the RunMe.bat file. The MSDOS window will be displayed for a while. That is normal.

Please post the contents of the report it shall produce.
  • 0

#29
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
----a-w 1,034,752 2004-08-04 06:56:50 C:\WINDOWS\explorer.exe
-c----w 1,000,960 2001-08-18 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
------w 1,032,192 2004-08-04 06:56:50 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 3,067,904 Blocks: 5,992

----a-w 14,848 2004-08-04 06:56:52 C:\WINDOWS\system32\lsass.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 14,848 Blocks: 29

----a-w 110,592 2004-08-04 06:56:56 C:\WINDOWS\system32\services.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 110,592 Blocks: 216

----a-w 17,408 2008-04-13 12:18:42 C:\WINDOWS\system32\svchost.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 17,408 Blocks: 34

----a-w 506,368 2004-08-04 06:56:58 C:\WINDOWS\system32\winlogon.exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 506,368 Blocks: 989

Total Entries: 7 (7)
Total Directories: 0 Files: 7
Total Bytes: 3,717,120 Blocks: 7,260

Edited by desireejassel, 21 April 2008 - 12:13 PM.

  • 0

#30
desireejassel

desireejassel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Did you still want me to complete instructions in post 27?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP