Jump to content

Build Theme!
  • Infected?


We invite you to ask questions, share experiences, and learn. It's 100% free. Did we mention that it's free. It is. It's free. Join 91558 other members! Anybody can ask, anybody can answer. Consistently helpful members with best answers are invited to staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


[Resolved] Virus, limited use on computer

  • This topic is locked This topic is locked
23 replies to this topic

#16 SweetTech


    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 20 November 2009 - 10:32 AM

Please go to: VirusTotal
  • Posted Image
  • Click the Browse button and search for the following file: C:\WINDOWS\system32\winlogon.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Please repeat the above process for these two files as well:

Please post the results in your next reply.

Posted Image

Proud Graduate of the WTT Classroom
Posted Image


Register to Remove

#17 Poopkabob


    Authentic Member

  • Authentic Member
  • PipPip
  • 74 posts

Posted 21 November 2009 - 01:01 AM

Ok so combo fix finally finished the scan and it seemed to have helped alot. I'm not sure why but it rebooted my computer around three times.
The computer is running at its normal speed, much better than before... atleast 20 times faster. I'm going to post a hijack this log after the combo fix log just incase you need it. Thanks for all of your help and patience and sorry I wasn't quicker to follow your instructions.

ComboFix 09-11-19.05 - Eric 11/20/2009 22:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.336 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
c:\documents and settings\Chiao\Favorites\Online Security Guide.lnk
c:\documents and settings\Cliff\Favorites\Online Security Guide.lnk
c:\documents and settings\Eric\Favorites\Online Security Guide.lnk
c:\documents and settings\Jason\Desktop\Live Safety Center.lnk
c:\documents and settings\Jason\Favorites\Online Security Guide.lnk

Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))

2009-11-20 03:34 . 2009-11-20 03:37 -------- d-----w- C:\32788R22FWJFW
2009-11-07 06:58 . 2009-11-07 06:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-11-06 19:59 . 2009-11-06 19:59 -------- d-----w- c:\program files\Trend Micro
2009-10-24 15:13 . 2009-10-24 15:13 -------- d-----w- c:\program files\CCleaner

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-11-03 01:42 . 2009-10-03 06:35 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-24 15:17 . 2006-06-19 05:01 -------- d-----w- c:\program files\ewido anti-malware
2009-10-21 02:50 . 2006-03-04 18:41 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-13 03:11 . 2009-10-13 03:11 -------- d-----w- c:\program files\3ivx
2009-10-13 03:10 . 2009-10-13 03:10 -------- d-----w- c:\program files\Pure Digital Technologies
2009-10-13 03:10 . 2009-10-13 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Digital Technologies
2009-09-12 00:43 . 2009-09-12 00:43 34 ----a-w- c:\windows\system32\BD2170W.DAT
2009-09-11 14:18 . 2008-07-20 02:53 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 22:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2001-08-18 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-09-12 00:17 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 15:26 . 2004-10-16 15:46 67080 -c--a-w- c:\documents and settings\Jason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-11 01:21 . 2007-11-10 18:36 246 ----a-w- c:\program files\Common Files\quzaj568
2007-11-10 14:31 . 2007-11-10 14:31 10 ----a-w- c:\program files\.autoreg
2007-11-10 14:31 . 2007-11-10 14:31 69632 ----a-w- c:\program files\mozilla firefox\components\ffwt.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 655360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-06 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2008-3-6 2060371]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-12 22:40 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\warcraft iii\\war3.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\warcraft iii\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"c:\\Program Files\\StarNet\\X-Win32 7.1\\xwin32.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Brother\\BRAdmin Light\\BRAdmLight.exe"=

"123:UDP"= 123:UDP:SNTP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [1/6/2009 2:28 PM 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/6/2009 2:28 PM 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/6/2009 2:28 PM 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [1/6/2009 2:28 PM 76040]
R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [11/13/2008 12:17 PM 439616]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1/1/1980 1:00 AM 28672]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 Eacfilt;Eacfilt Miniport;c:\windows\SYSTEM32\DRIVERS\eacfilt.sys [11/7/2008 8:33 PM 26137]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2009 10:41 PM 102448]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [4/1/2002 11:24 PM 6942]
R3 ProtoWall;ProtoWall Defender;c:\windows\SYSTEM32\DRIVERS\ProtoWall.sys [6/5/2004 3:26 PM 21376]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\SYSTEM32\DRIVERS\ipsecw2k.sys [11/7/2008 8:33 PM 155152]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [8/2/2005 4:10 PM 32512]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys --> c:\windows\system32\Drivers\usbbc.sys [?]
Contents of the 'Scheduled Tasks' folder

2009-11-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
------- Supplementary Scan -------
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\h73e7lw0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\ffwt.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{47d48954-8e4b-41b1-a246-6cf83bd2dfcd} - c:\windows\system32\fksmtus.dll
BHO-{B0AF0097-BE1E-476E-9260-1AE0300BDAE6} - c:\windows\system32\awtqq.dll
WebBrowser-{9301F19E-DD73-4D4A-B8F1-21158CB5C018} - (no file)
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-Data Compiler - c:\program files\scbar\v9\scbar.exe
AddRemove-Indexing Function - c:\program files\scbar\v9\scbar.exe
AddRemove-SBM OS - c:\program files\scbar\v9\scbar.exe
AddRemove-Search OS - c:\program files\scbar\v9\scbar.exe
AddRemove-URL.IE APP - c:\program files\scbar\v9\scbar.exe
AddRemove-XviD - c:\program files\XviD\UninstXviD.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 23:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2771580065-2020637620-97400744-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* ]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2771580065-2020637620-97400744-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* \OpenWithList]
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1676)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2976)
c:\program files\Exceed.nt\HESHELL.DLL
------------------------ Other Running Processes ------------------------
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\WMPNetwk.exe
Completion time: 2009-11-20 23:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 04:45

Pre-Run: 3,411,521,536 bytes free
Post-Run: 3,379,032,064 bytes free

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - F1E994E297EB98514474F29006017194


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:28 AM, on 11/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt2_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1215957260750
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

End of file - 8544 bytes

#18 Poopkabob


    Authentic Member

  • Authentic Member
  • PipPip
  • 74 posts

Posted 21 November 2009 - 12:58 PM

Here is the info from the Virus Total website C:\WINDOWS\system32\winlogon.exe: Antivirus Version Last Update Result ClamAV 0.94.1 2009.11.21 - F-Secure 9.0.15370.0 2009.11.20 - Fortinet 2009.11.21 - GData 19 2009.11.21 - Prevx 3.0 2009.11.21 - Additional information File size: 507904 bytes MD5...: ed0ef0a136dec83df69f04118870003e SHA1..: f77a7cd78877527023ebfb35e83b75ef59d3df07 SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e ssdeep: 6144:kNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+ lcDKao6nSKHsRqOMgxZg PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x3e5e1 timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x70991 0x70a00 6.82 39d0278af55c2446adf638b9f0236aff .data 0x72000 0x4e70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d .rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187 ( 20 imports ) > ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA > AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle > CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx > GDI32.dll: RemoveFontResourceW, AddFontResourceW > KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree > msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp > NDdeApi.dll: -, -, -, - > ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject > PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW > PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW > REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery > RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate > Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess > SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW > USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW > USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW > VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW > WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon > WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext > WS2_32.dll: -, -, getaddrinfo ( 0 exports ) RDS...: NSRL Reference Data Set - pdfid.: - trid..: Win64 Executable Generic (80.9%) Win32 Executable Generic (8.0%) Win32 Dynamic Link Library (generic) (7.1%) Generic Win/DOS Executable (1.8%) DOS Executable Generic (1.8%) ================================================================================ ============== C:\WINDOWS\system32\services.exe: File services.exe received on 2009.11.21 18:49:15 (UTC) Antivirus Version Last Update Result a-squared 2009.11.21 - AhnLab-V3 2009.11.20 - AntiVir 2009.11.20 - Antiy-AVL 2009.11.20 - Authentium 2009.11.21 - Avast 4.8.1351.0 2009.11.21 - AVG 2009.11.21 - BitDefender 7.2 2009.11.21 - CAT-QuickHeal 10.00 2009.11.21 - ClamAV 0.94.1 2009.11.21 - Comodo 2988 2009.11.21 - DrWeb 2009.11.21 - eSafe 2009.11.19 - eTrust-Vet 35.1.7133 2009.11.20 - F-Prot 2009.11.21 - F-Secure 9.0.15370.0 2009.11.20 - Fortinet 2009.11.21 - GData 19 2009.11.21 - Ikarus T3. 2009.11.21 - Jiangmin 11.0.800 2009.11.21 - K7AntiVirus 7.10.901 2009.11.20 - Kaspersky 2009.11.21 - McAfee 5808 2009.11.20 - McAfee+Artemis 5808 2009.11.20 - McAfee-GW-Edition 6.8.5 2009.11.21 - Microsoft 1.5302 2009.11.21 - NOD32 4626 2009.11.21 - Norman 6.03.02 2009.11.21 - nProtect 2009.1.8.0 2009.11.21 - Panda 2009.11.21 - PCTools 2009.11.21 - Rising 2009.11.21 - Sophos 4.47.0 2009.11.21 - Sunbelt 3.2.1858.2 2009.11.21 - Symantec 2009.11.21 - TheHacker 2009.11.20 - TrendMicro 2009.11.21 - VBA32 2009.11.20 - ViRobot 2009.11.20.2047 2009.11.20 - VirusBuster 2009.11.21 - Additional information File size: 110592 bytes MD5...: 65df52f5b8b6e9bbd183505225c37315 SHA1..: de3701d2c03d9ae29b2d87eccafbbcadf1bfb7e3 SHA256: 59c606977db40a3443dff0be2a4c761824881b22c9fdb3d23f6486db580e92a4 ssdeep: 1536:HHj12id0hKy+k1DQ+7Gpj3r4M7TGfwG1K9IJvydlnk4pCxvN:HHG1DQgGpj<br>3Cf1K9IBydlk+cvN<br> PEiD..: - PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0xbf63<br>timedatestamp.....: 0x498c1ac8 (Fri Feb 06 11:11:04 2009)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x196a5 0x19800 6.23 bf32e1a6f4363e9fffea31d970bdebf2<br>.data 0x1b000 0xa38 0xc00 1.78 817a9a6979796d656eb64e994df5db0a<br>.rsrc 0x1c000 0x7b0 0x800 3.16 23ab6e3c1dc51af966dc27da2a957917<br><br>( 10 imports ) <br>&gt; ADVAPI32.dll: AllocateLocallyUniqueId, RegOpenKeyW, ConvertSidToStringSidW, AllocateAndInitializeSid, FreeSid, LogonUserExW, LsaStorePrivateData, LsaLookupNames, AddAccessAllowedAce, SetTokenInformation, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetServiceStatus, SystemFunction029, SystemFunction005, CheckTokenMembership, LsaQueryInformationPolicy, OpenThreadToken, RegNotifyChangeKeyValue, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, GetSecurityDescriptorDacl, GetLengthSid, CopySid, InitializeAcl, AddAce, SetSecurityDescriptorDacl, LsaOpenPolicy, LsaLookupSids, LsaFreeMemory, LsaClose, GetTokenInformation, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, InitiateSystemShutdownW, RevertToSelf, CreateProcessAsUserW, ImpersonateLoggedOnUser<br>&gt; KERNEL32.dll: GetCurrentThread, CreateMutexW, ReleaseMutex, ExitThread, FormatMessageW, lstrcmpiW, SetProcessShutdownParameters, DelayLoadFailureHook, RaiseException, GetExitCodeThread, SetConsoleCtrlHandler, SetErrorMode, SetUnhandledExceptionFilter, LoadLibraryA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcess, UnhandledExceptionFilter, GetModuleHandleA, OpenEventW, LocalAlloc, LocalFree, Sleep, LeaveCriticalSection, EnterCriticalSection, SetLastError, CloseHandle, CreateThread, GetLastError, CreateProcessW, ExpandEnvironmentStringsW, InitializeCriticalSection, HeapAlloc, HeapFree, TerminateProcess, WaitForSingleObject, HeapCreate, FreeLibrary, GetProcAddress, GetModuleHandleExW, InterlockedCompareExchange, CreateNamedPipeW, ReadFile, CancelIo, GetOverlappedResult, WaitForMultipleObjects, ConnectNamedPipe, TransactNamedPipe, WriteFile, GetTickCount, GetSystemTimeAsFileTime, GetModuleHandleW, GetComputerNameW, CreateEventW, SetEvent, ResetEvent, DeviceIoControl, CreateFileW, ResumeThread, GetCurrentProcessId, LoadLibraryW, GetDriveTypeW<br>&gt; msvcrt.dll: _itow, wcsrchr, time, _except_handler3, memmove, wcschr, _c_exit, _exit, wcsncmp, _XcptFilter, _cexit, exit, _wcsnicmp, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _wtol, wcscpy, wcscat, wcsncpy, _wcsicmp, __initenv, wcslen, wcscspn, _ultow<br>&gt; NCObjAPI.DLL: WmiCreateObjectWithFormat, WmiEventSourceConnect, WmiSetAndCommitObject<br>&gt; ntdll.dll: RtlCreateSecurityDescriptor, RtlAddAccessAllowedAce, RtlCreateAcl, NtCreateKey, NtQueryValueKey, NtSetValueKey, NtDeleteValueKey, NtEnumerateKey, NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, NtDeleteKey, RtlSetControlSecurityDescriptor, RtlValidSecurityDescriptor, RtlLengthSecurityDescriptor, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtAccessCheckAndAuditAlarm, NtSetInformationThread, NtAdjustPrivilegesToken, NtDuplicateToken, NtOpenProcessToken, RtlSetDaclSecurityDescriptor, RtlQuerySecurityObject, RtlSetSecurityObject, RtlValidRelativeSecurityDescriptor, RtlMapGenericMask, RtlCopyUnicodeString, NtSetInformationFile, NtQueryInformationFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, NtWaitForSingleObject, NtQueryDirectoryFile, NtDeleteFile, NtSetInformationProcess, RtlUnhandledExceptionFilter, NtSetEvent, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlAllocateHeap, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlUnicodeStringToAnsiString, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlNewSecurityObject, RtlAddAce, RtlSetOwnerSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSubAuthorityCountSid, RtlCompareUnicodeString, NtLoadDriver, NtUnloadDriver, RtlExpandEnvironmentStrings_U, RtlAdjustPrivilege, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, RtlAreAllAccessesGranted, NtDeleteObjectAuditAlarm, NtCloseObjectAuditAlarm, RtlQueueWorkItem, RtlCopyLuid, RtlDeregisterWait, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, RtlDeleteSecurityObject, RtlLockBootStatusData, RtlGetSetBootStatusData, RtlUnlockBootStatusData, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, NtSetSystemEnvironmentValue, RtlNtStatusToDosError, NtShutdownSystem, NtQueryInformationToken, RtlMakeSelfRelativeSD, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtSetSecurityObject<br>&gt; RPCRT4.dll: RpcServerRegisterAuthInfoW, RpcBindingFree, RpcEpResolveBinding, RpcBindingFromStringBindingW, RpcStringBindingComposeW, NdrClientCall2, RpcAsyncCompleteCall, RpcAsyncInitializeHandle, NdrAsyncServerCall, RpcServerListen, RpcMgmtStopServerListening, RpcMgmtWaitServerListen, RpcServerUnregisterIf, NdrAsyncClientCall, NdrServerCall2, I_RpcBindingIsClientLocal, RpcRevertToSelf, I_RpcMapWin32Status, RpcImpersonateClient, RpcStringBindingParseW, RpcStringFreeW, RpcBindingToStringBindingW, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcServerRegisterIf<br>&gt; SCESRV.dll: ScesrvInitializeServer, ScesrvTerminateServer<br>&gt; umpnpmgr.dll: RegisterScmCallback, PNP_SetActiveService, PNP_GetDeviceRegProp, PNP_GetDeviceListSize, PNP_GetDeviceList, PNP_HwProfFlags, RegisterServiceNotification, DeleteServicePlugPlayRegKeys<br>&gt; USER32.dll: LoadStringW, wsprintfW, BroadcastSystemMessageW, MessageBoxW, RegisterServicesProcess<br>&gt; USERENV.dll: UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock<br><br>( 0 exports ) <br> RDS...: NSRL Reference Data Set<br>- pdfid.: - trid..: Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) sigcheck:<br>publisher....: Microsoft Corporation<br>copyright....: © Microsoft Corporation. All rights reserved.<br>product......: Microsoft_ Windows_ Operating System<br>description..: Services and Controller app<br>original name: services.exe<br>internal name: services.exe<br>file version.: 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br> ================================================================================ ================== C:\WINDOWS\system32\lsass.exe: Antivirus Version Last Update Result a-squared 2009.11.21 - AhnLab-V3 2009.11.20 - AntiVir 2009.11.20 - Antiy-AVL 2009.11.20 - Authentium 2009.11.21 - Avast 4.8.1351.0 2009.11.21 - AVG 2009.11.21 - BitDefender 7.2 2009.11.21 - CAT-QuickHeal 10.00 2009.11.21 - ClamAV 0.94.1 2009.11.21 - Comodo 2988 2009.11.21 - DrWeb 2009.11.21 - eTrust-Vet 35.1.7133 2009.11.20 - F-Prot 2009.11.21 - F-Secure 9.0.15370.0 2009.11.20 - Fortinet 2009.11.21 - GData 19 2009.11.21 - Ikarus T3. 2009.11.21 - Jiangmin 11.0.800 2009.11.21 - K7AntiVirus 7.10.901 2009.11.20 - Kaspersky 2009.11.21 - McAfee 5808 2009.11.20 - McAfee+Artemis 5808 2009.11.20 - McAfee-GW-Edition 6.8.5 2009.11.21 - Microsoft 1.5302 2009.11.21 - NOD32 4626 2009.11.21 - Norman 6.03.02 2009.11.21 - nProtect 2009.1.8.0 2009.11.21 - Panda 2009.11.21 - PCTools 2009.11.21 - Prevx 3.0 2009.11.21 - Rising 2009.11.21 - Sophos 4.47.0 2009.11.21 - Sunbelt 3.2.1858.2 2009.11.21 - Symantec 2009.11.21 - TheHacker 2009.11.20 - TrendMicro 2009.11.21 - VBA32 2009.11.20 - ViRobot 2009.11.20.2047 2009.11.20 - VirusBuster 2009.11.21 - Additional information File size: 13312 bytes MD5...: bf2466b3e18e970d8a976fb95fc1ca85 SHA1..: de5a73cbb5f51f64c53fb4277ef2c23e70db123f SHA256: f7794b5d12dc5d820a162850f4388e2aa80426ad07cb221799cf941c682ab501 ssdeep: 384:ggHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:338z4zRfMpy0BF4 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x14bd timedatestamp.....: 0x48025186 (Sun Apr 13 18:31:34 2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x10d0 0x1200 6.00 7d33d24893e1db0fa0ecbd7a8fa637bd .data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250 .rsrc 0x4000 0x1b30 0x1c00 7.15 54488850c25258396b2c9492c36b0bd5 ( 5 imports ) > ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf > KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery > ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter > LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo > SAMSRV.dll: SamIInitialize, SampUsingDsData ( 0 exports ) RDS...: NSRL Reference Data Set - pdfid.: - trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) sigcheck: publisher....: Microsoft Corporation copyright....: © Microsoft Corporation. All rights reserved. product......: Microsoft_ Windows_ Operating System description..: LSA Shell (Export Version) original name: lsass.exe internal name: lsass.exe file version.: 5.1.2600.5512 (xpsp.080413-2113) comments.....: n/a signers......: - signing date.: - verified.....: Unsigned

#19 SweetTech


    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 21 November 2009 - 03:31 PM

Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please make sure you include the following items in your next post:
1. The log that was produced after running MalwareBytes' Anti-Malware.
2. The log that was produced after running ESET Online Scanner.

Posted Image

Proud Graduate of the WTT Classroom
Posted Image

#20 Poopkabob


    Authentic Member

  • Authentic Member
  • PipPip
  • 74 posts

Posted 23 November 2009 - 12:42 AM

The Mbam search found no viruses: Malwarebytes' Anti-Malware 1.41 Database version: 3215 Windows 5.1.2600 Service Pack 3 11/22/2009 4:27:58 PM mbam-log-2009-11-22 (16-27-58).txt Scan type: Quick Scan Objects scanned: 144055 Time elapsed: 18 minute(s), 32 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ================================================================================ ===================== This is the ESET online antivirus log: C:\Documents and Settings\Chiao\Desktop\Unused Desktop Shortcuts\Live Safety Center.lnk Win32/Adware.SecToolbar application C:\Documents and Settings\Chiao\Desktop\Unused Desktop Shortcuts\Online Security Guide.lnk Win32/Adware.SecToolbar application C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application C:\Qoobox\Quarantine\C\Documents and Settings\Chiao\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ahnngqiu.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\amqmgvki.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\armmnjgq.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dpkilcbj.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gxompnsq.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hepmevsu.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hfcjwrur.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hjxuaurb.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\hkimfkxv.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\igtjxbps.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\itgolqvd.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mbqxywrs.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mloboant.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mmcajvwb.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mvisimea.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\orpqhbaa.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\pcohbkyj.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qqtwa.bak1.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qqtwa.bak2.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qqtwa.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qqtwa.ini2.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qqtwa.tmp.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rbeyursk.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tlxeiuvt.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ubuvdxjo.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\uswbaqdx.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\xidelorw.ini.vir Win32/Adware.Virtumonde.NEO application C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.OF virus C:\RECYCLER\S-1-5-21-2771580065-2020637620-97400744-1009\Dc46\CDKey\Warcraft III Reign Of Chaos Keygen.exe probably a variant of Win32/Hupigon trojan C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290473.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290474.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290475.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290476.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290477.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290478.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290479.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290480.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290481.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290482.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290483.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290484.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290485.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290486.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290487.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290488.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290489.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290490.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290491.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290493.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290495.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290496.ini Win32/Adware.Virtumonde.NEO application C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP2129\A0290497.ini

#21 SweetTech


    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 23 November 2009 - 06:08 PM

Please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\RECYCLER\S-1-5-21-2771580065-2020637620-97400744-1009\Dc46\CDKey\Warcraft III Reign Of Chaos Keygen.exe"

I would like to see a list of installed programs, so please do this:

Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open.

Post the contents of that file in your next reply.

Posted Image

Proud Graduate of the WTT Classroom
Posted Image

#22 Poopkabob


    Authentic Member

  • Authentic Member
  • PipPip
  • 74 posts

Posted 25 November 2009 - 09:10 AM

Heres the log that it produced 3ivx MPEG-4 5.0.3 (remove only) A-L MKV Playback Pack [2003/12/24] (Remove Only) Adobe Acrobat 5.0 Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) Adobe Flash Player 10 Plugin Adobe Photoshop 7.0 Adobe Reader 8.1.2 Adobe Reader 8.1.2 Security Update 1 (KB403742) Adobe Shockwave Player AIM 6.0 AOL Instant Messenger AOL Toolbar 2.0 AutoUpdate AVG Free 8.0 BitTorrent 3.4.2 Brother BRAdmin Light 1.11 Brother HL-2170W CCleaner (remove only) Cisco Clean Access Agent Conexant HSF V92 56K RTAD Speakerphone PCI Modem Critical Update for Windows Media Player 11 (KB959772) Data Compiler DivX DivX Player Easy CD Creator 5 Basic eManga 0.5.8 eMusic - 50 Free MP3 offer Exceed for Windows NT ffdshow (remove only) FlipShare Garmin WebUpdater GoToAssist GSIM Help and Support Customization Heroes of Might and Magic V Demo HighMAT Extension to Microsoft Windows XP CD Writing Wizard Hijackthis 1.99.1 HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Indexing Function iPod for Windows 2005-03-23 iTunes Java™ 6 Update 15 Java™ 6 Update 3 Java™ 6 Update 5 Java™ 6 Update 7 LiveUpdate 3.0 (Symantec Corporation) Malwarebytes' Anti-Malware Matroska Pack (remove only) MaxBlast 3 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB953297) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Data Access Components KB870669 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office 2000 Professional Microsoft Office 2000 SR-1 Premium Microsoft Picture It! Photo 2002 Microsoft Silverlight Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Windows Journal Viewer Microsoft Windows Script 5.7 Microsoft Word 2002 Microsoft Works 2002 Setup Launcher Microsoft Works 6.0 Microsoft Works Suite Add-in for Microsoft Word Modem Helper Mozilla Firefox (3.0.14) Mozilla Thunderbird ( MSN Music Assistant MSXML 6.0 Parser (KB933579) MYIE2 Browser (remove only) NVIDIA Drivers OpenOffice.org Installer 1.0 PHandler PokerStars PRO200WL Protowall QuickTime SBM OS Search OS Security Update for CAPICOM (KB931906) Security Update for Step By Step Interactive Training (KB898458) Security Update for Step By Step Interactive Training (KB923723) Security Update for Windows Internet Explorer 7 (KB928090) Security Update for Windows Internet Explorer 7 (KB929969) Security Update for Windows Internet Explorer 7 (KB931768) Security Update for Windows Internet Explorer 7 (KB933566) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 7 (KB956390) Security Update for Windows Internet Explorer 7 (KB958215) Security Update for Windows Internet Explorer 7 (KB960714) Security Update for Windows Internet Explorer 7 (KB961260) Security Update for Windows Internet Explorer 7 (KB963027) Security Update for Windows Internet Explorer 7 (KB969897) Security Update for Windows Internet Explorer 7 (KB972260) Security Update for Windows Internet Explorer 7 (KB974455) Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 10 (KB936782) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB923689) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB971961) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Shockwave Shockwave Player Soulseek Client 152 Symantec AntiVirus TurboTax ItsDeductible 2006 Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 7 (KB928089) Update for Windows XP (KB942763) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955839) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973815) URL.IE APP Value Added Software Ventrilo Client Verizon VPN Client Viewpoint Manager (Remove Only) VobSub v2.23 (Remove Only) Warcraft III: All Products Warhammer 40,000: Dawn Of War - Gold Edition WC3Banlist Web Savings from Ebates WebFldrs XP Winamp (remove only) Windows Defender Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage v1.3.0254.0 Windows Genuine Advantage Validation Tool Windows Imaging Component Windows Internet Explorer 7 Windows Media Connect Windows Media Format 11 runtime Windows Media Format SDK Hotfix - KB891122 Windows Media Player 11 Windows Presentation Foundation Windows XP Service Pack 3 WinPcap 3.1 WinRAR archiver Works Suite OS Pack Works Synchronization X-Win32 7.1 XML Paper Specification Shared Components Pack 1.0 XviD MPEG-4 Video Codec XviD Video Codec 24.2.2003-11:00 (uManiac's build)

#23 SweetTech


    MalwareTeam Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 3,368 posts

Posted 25 November 2009 - 12:15 PM

Peer to Peer Program
While reviewing your logs I noticed that you currently have Peer to Peer program(s) installed on your computer.
You currently have the following P2P programs installed:
  • BitTorrent 3.4.2
Most of the infections that we see today are through P2P file sharing. By uninstalling the programs that I mentioned above you will be doing yourself a favor. It's impossible to trust the source of what is being downloaded from them and a file may or may not be what it appears to be.

How to Uninstall the P2P Programs:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    BitTorrent 3.4.2
PLEASE NOTE: When your uninstalling the P2P Program(s) some questions are worded in various ways to try and deceive you and keep you from uninstalling their Program.

Please go to Start > Control Panel > Add/Remove Programs > Find and Click Remove for the following (if present):
HijackThis 1.9.9

Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.

Java Outdated
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the drop-down menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Your Firefox and Thunderbird are out of date. While in Firefox and Thunderbird go to the Help menu and select Check for Updates.

Time for some housekeeping
The following will implement some cleanup procedures as well as reset System Restore points:
Posted Image
Click Start > Run and copy/paste the following bolded text into the Run box and click OK: ComboFix /Uninstall

From your Desktop please delete the following things (if present):
  • Any notepad/logs that we created
  • RootRepeal.zip from wherever you downloaded the file to.
  • RootRepeal.exe from where you extracted it.
  • OTL
  • GMER.zip from wherever you downloaded the file to.
  • GMER.exe from where you extracted it.
  • You may also remove ESET Online Scan via your Add/Remove Programs.
All Clean Speech

===> Make sure you've re-enabled any Security Programs that we may have disabled during the malware removal process. <===

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at: http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to which is your local computer, meaning it will be difficult to infect yourself in the future.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
    secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
    blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here
    • If you choose to use Firefox, I highly recommend this add-on to keep your PC even more secure.
      • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.
**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Posted Image

Proud Graduate of the WTT Classroom
Posted Image

#24 CatByte


    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 27 November 2009 - 12:15 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Related Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users