Nxtepad.exe, trojans, delmet.bat on desktop



travor
2009-03-04, 04:49
WinPatrol Scotty keeps asking me if I want to allow Notepad.exe to be replaced with Nxtepad.exe. My browser has a warning bar on top (between the browser window and the menu functions) telling me I have 18 trojans and "click here to do a scan". There is a constant pop-up in my taskbar that wants me to download some antivirus software, and when WinXP starts I get 2 .dll errors.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:37 PM, on 3/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozy\mozybackup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\inf\rundll33.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\prunnet.exe
C:\WINDOWS\system32\hgcheck.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Program Files\Mozy\mozystat.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MSIE
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {f10058a2-2f3e-4dcb-b40b-5658bbb7a296} - C:\WINDOWS\system32\zimuworo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [hgcheck] C:\WINDOWS\system32\hgcheck.exe
O4 - HKLM\..\Run: [CPM632d9ef7] Rundll32.exe "c:\windows\system32\rotawugo.dll",a
O4 - HKLM\..\Run: [jedibotara] Rundll32.exe "C:\WINDOWS\system32\rekomeve.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Policies\Explorer\Run: [application] C:\Program Files\AKProg\AKProg.exe hs
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090131a.dll xccd16
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\Mozy\mozystat.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {546B1745-1674-4089-A56A-171B67631F8D} - http://66.197.233.53/ImageControl.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097963696261
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138486494250
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37440.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Network Magic Scan Helper Control) - http://scan.networkmagic.com/NmScan/download/WebDiag.1.0.0.0.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc02.custhelp.com/7560-b440h-turbotax/rnl/java/RntX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - http://www.sparedollar.com/sdImage/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D010E729-8B30-4638-9BB2-F32338BED958}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\vohewumo.dll c:\windows\system32\rotawugo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rotawugo.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rotawugo.dll (file missing)
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MozyHome Backup Service (MozyBackup) - Mozy, Inc. - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Simple TCP/IP Services (SimpTcp) - Unknown owner - C:\WINDOWS\System32\tcpsvcs.exe (file missing)

--
End of file - 14514 bytes

Shaba
2009-03-05, 17:19
Hi travor

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

travor
2009-03-06, 01:43
Thank you Shaba. Here are both logs:

ComboFix 09-03-04.01 - Owner 2009-03-05 16:39:13.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\mousehook.dll
c:\docume~1\Owner\LOCALS~1\Temp\ntdll64.dll
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\2Wire.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\3com.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\ActionT.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Asante.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Belkin.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Buffalo.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Comtrend.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Dell.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\devregex.xml
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\DLink.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Gigafast.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Linksys.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\MicroCore.ver
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Motorola.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\MSFT.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\NetGear.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\nmantivirus.ini
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\nmcore.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\nmfirewalls.ini
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\routerdrivers.xml
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Siemens.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\SMC.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\SonicWAL.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\svcrsrc.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\UPnPGW.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\USRob.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\vendors.xml
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Westell.dll
c:\windows\Downloaded Program Files\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}\Zyxel.dll
c:\windows\Install.txt
c:\windows\patch.exe
c:\windows\system32\1000.exe
c:\windows\system32\4.tmp
c:\windows\system32\6.tmp
c:\windows\system32\8.tmp
c:\windows\system32\9.tmp
c:\windows\system32\998.exe
c:\windows\system32\A.tmp
c:\windows\system32\adezihij.ini
c:\windows\system32\afisicx.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\C.tmp
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekavimxodqv.sys
c:\windows\system32\E.tmp
c:\windows\system32\feyiloto.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\inf\xccdfb16_090131.dll
c:\windows\system32\inf\xccefb090131.scr
c:\windows\system32\init32.exe
c:\windows\system32\Install.txt
c:\windows\system32\mabidwe.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\prunnet.exe
c:\windows\system32\senekabsgiqufa.dll
c:\windows\system32\senekaixekmfvb.dat
c:\windows\system32\senekajruyxurr.dll
c:\windows\system32\senekamyxwbrpi.dat
c:\windows\system32\senekaonnqbaaw.dll
c:\windows\system32\test.ttt
c:\windows\system32\tmp.reg
c:\windows\system32\tmpxccacj0.exe
c:\windows\system32\tmpxccacj1.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\uniq.tll
c:\windows\system32\w.exe
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\xcchit32.ini
c:\windows\xccdf16_090131a.dll
c:\windows\xccdf32_090131a.dll
c:\windows\xccwinsys.ini

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_6TO4
-------\Legacy_AFISICX
-------\Legacy_DEFAULTLIB
-------\Legacy_IPRIP
-------\Legacy_MABIDWE
-------\Legacy_SOFTYINFORWOW1
-------\Service_6to4
-------\Service_afisicx
-------\Service_defaultlib
-------\Service_Iprip
-------\Service_mabidwe
-------\Service_softyinforwow1


((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-03-05 16:38 . 2009-03-03 07:56 578,560 --a------ c:\windows\system32\adfeuwwpc
2009-03-05 16:38 . 2009-03-05 16:38 105,984 --a------ c:\windows\system32\19.tmp
2009-03-05 16:38 . 2009-03-05 16:38 40 --a------ c:\windows\system32\18.tmp
2009-03-05 16:34 . 2009-03-03 07:56 578,560 --a------ c:\windows\system32\mtwlmulxd
2009-03-05 16:34 . 2009-03-05 16:34 105,984 --a------ c:\windows\system32\17.tmp
2009-03-05 16:34 . 2009-03-05 16:34 40 --a------ c:\windows\system32\16.tmp
2009-03-05 15:54 . 2009-03-05 15:54 105,984 --a------ c:\windows\system32\15.tmp
2009-03-05 15:54 . 2009-03-05 15:54 40 --a------ c:\windows\system32\14.tmp
2009-03-05 09:33 . 2009-03-03 07:56 578,560 --a------ c:\windows\system32\glqpmm
2009-03-05 09:33 . 2009-03-05 09:33 105,984 --a------ c:\windows\system32\13.tmp
2009-03-05 09:32 . 2009-03-05 09:33 40 --a------ c:\windows\system32\F.tmp
2009-03-05 06:54 . 2009-03-05 06:54 40 --a------ c:\windows\system32\D.tmp
2009-03-04 14:39 . 2009-03-04 14:39 40 --a------ c:\windows\system32\B.tmp
2009-03-03 20:39 . 2009-03-03 20:39 <DIR> d-------- c:\program files\Trend Micro
2009-03-03 20:36 . 2009-03-03 20:37 <DIR> d-------- c:\program files\ERUNT
2009-03-03 16:30 . 2009-03-03 16:30 121,856 --a--c--- c:\windows\system32\dllcache\userinit.exe
2009-03-03 16:16 . 2009-03-03 07:56 578,560 --a------ c:\windows\system32\ddffr
2009-03-03 16:15 . 2009-03-03 16:15 40 --a------ c:\windows\system32\7.tmp
2009-03-03 10:03 . 2009-03-03 10:59 <DIR> d-------- c:\windows\system32\3361
2009-03-03 09:03 . 2009-03-03 07:56 578,560 --a------ c:\windows\system32\vamiua
2009-03-03 09:03 . 2009-03-03 09:03 40 --a------ c:\windows\system32\5.tmp
2009-03-03 08:23 . 2009-03-03 08:23 32 --a------ c:\windows\system32\work.ini
2009-03-03 08:22 . 2009-03-03 08:22 <DIR> d-------- c:\windows\$ntunistalls
2009-03-03 08:21 . 2009-03-04 15:29 345,880 --a------ c:\windows\system32\hguest.exe
2009-03-03 08:21 . 2009-03-03 08:21 140,744 --a------ c:\windows\system32\hgcheck.exe
2009-03-03 08:21 . 2009-03-04 15:29 209 --a------ c:\windows\system32\hgset.ini
2009-03-03 08:20 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-03-03 08:20 . 2009-03-03 07:56 578,560 --a------ c:\windows\system32\mijyj
2009-03-03 08:20 . 2009-03-03 08:20 40 --a------ c:\windows\system32\3.tmp
2009-03-03 08:15 . 2009-03-03 08:15 30,880 --a------ c:\windows\system32\drivers\yfeeicdj.sys
2009-03-03 08:00 . 2009-03-03 08:00 0 --a------ c:\windows\mqcd.dbt
2009-03-03 07:59 . 2009-03-05 16:38 77,312 --a------ c:\windows\system32\rkoq.pxf
2009-03-03 07:59 . 2009-03-05 16:38 32,768 --a------ c:\windows\system32\odjan.wa
2009-03-03 07:59 . 2009-03-05 16:38 32,768 --a------ c:\windows\system32\kei1w.an
2009-03-03 07:59 . 2009-03-05 16:38 28,672 --a------ c:\windows\system32\kdoqmn.sr
2009-03-03 07:59 . 2009-03-05 16:38 28,672 --a------ c:\windows\system32\doqkm.zt
2009-03-03 07:56 . 2009-03-03 07:56 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-03-03 07:56 . 2009-03-05 16:47 262,144 --a------ c:\windows\system32\nvtpm32.dll
2009-03-03 07:56 . 2009-03-05 16:47 105,984 --a------ c:\windows\system32\azton.mt
2009-03-03 07:55 . 2009-03-03 07:56 40 --a------ c:\windows\system32\2.tmp
2009-03-03 07:34 . 2009-03-05 16:41 <DIR> d-------- c:\windows\system32\inf
2009-03-03 07:34 . 2009-03-03 07:34 155,222 --a------ c:\windows\system\xccef090131.exe
2009-03-03 07:34 . 2009-03-03 07:34 105,984 --a------ c:\windows\system32\11.tmp
2009-03-03 07:34 . 2009-03-03 07:34 40 --a------ c:\windows\system32\10.tmp
2009-03-03 07:34 . 2009-03-03 07:34 0 --a------ c:\windows\system32\12.tmp
2009-02-25 16:10 . 2009-02-25 16:10 <DIR> d-------- c:\documents and settings\Owner\Application Data\Jasc
2009-02-22 08:45 . 2009-02-22 08:52 <DIR> d-------- c:\program files\Portrait Professional Max 6
2009-02-22 08:45 . 2009-02-22 08:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\Anthropics
2009-02-11 18:29 . 2009-02-11 16:34 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-11 16:35 . 2009-03-03 16:24 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-11 16:32 . 2009-02-11 16:32 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 22:44 196 ----a-w c:\windows\system32\drivers\ALCICH.DAT
2009-03-05 22:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 22:15 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-03 16:37 --------- d-----w c:\program files\AvRack
2009-02-27 21:08 --------- d-----w c:\documents and settings\Owner\Application Data\FileZilla
2009-02-26 21:54 --------- d-----w c:\program files\FileZilla FTP Client
2009-02-22 14:50 --------- d-----w c:\program files\Photo Story 3 for Windows
2009-02-22 14:47 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-02-21 17:42 --------- d-----w c:\program files\Google
2009-02-21 00:42 --------- d-----w c:\program files\KeePass Password Safe
2009-02-18 13:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-18 13:25 --------- d-----w c:\program files\Common Files\Apple
2009-02-17 13:25 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-13 01:54 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-12 15:15 --------- d-----w c:\program files\Mozy
2009-02-11 22:31 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-05 19:37 --------- d-----w c:\program files\IZArc
2009-02-04 01:12 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-04 01:11 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-22 16:55 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-05 20:34 --------- d-----w c:\program files\TechSmith
2009-01-05 20:32 --------- d-----w c:\program files\MSBuild
2009-01-05 20:27 --------- d-----w c:\program files\Reference Assemblies
2008-12-07 02:38 256 ----a-w c:\documents and settings\Owner\pool.bin
2008-10-27 03:08 167 ----a-w c:\documents and settings\Owner\udownload.dat
2008-03-26 21:16 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-02-16 21:24 846,504 ----a-w c:\documents and settings\Owner\JNativeCpp.dll
2007-10-16 19:43 0 ---h--w c:\program files\LauncherAppUpdate.log
2006-01-12 22:22 242,907 ----a-w c:\documents and settings\Owner\setup.exe
2006-06-11 03:18 3,072 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-01-23 19:07 1,847,296 ----a-w c:\program files\mozilla firefox\plugins\Seadragon.dll
2006-06-11 03:18 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
2009-02-21 17:42 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-03 19:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090320080904\index.dat
.
file copied: c:\windows\system32\user32.dll -> c:\qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir ( 578560 bytes )
Infected c:\windows\system32\user32.dll hex repaired


------- Sigcheck -------

2004-08-04 01:56 31232 3ef8142ec3e0ae042189b04d74629a07 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 18:12 31744 10f797a06454d42ce324bd5b99f1fdc5 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-13 18:12 31744 253ae48a29ec08b32aa33a14934d9f6c c:\windows\system32\svchost.exe
2009-03-03 10:03 139264 3d9aefa2ed8980e40bdd6fde8b88c55c c:\windows\system32\3361\SVCHOST.EXE

2008-04-13 18:12 1050624 bb37af240efc24d65ea621c0a63ea9c1 c:\windows\explorer.exe
2007-06-13 05:26 1050112 6e4b6b8db773ec8d0ea376b6c950d82e c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 04:23 1050112 1396d8b010dd7ab0c9f68d1f8e58dd16 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-13 18:12 1050624 e4e6b49b11413d9585ed374dae25afd8 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 01:56 32256 f6ea65a60fe061c32b635687babb93e9 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 18:12 32256 689b79187274fb66c857bedde00323a6 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-13 18:12 32256 d183d00e6ab2532d0bb89772ec6a60f0 c:\windows\system32\ctfmon.exe

2005-06-10 18:17 75264 3e3bc745589ac55e3d960c4de59f7102 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 17:53 75264 cf1afccc8127ac2dcc582264109c3d8a c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-13 18:12 74752 b3083e6ea707b475d7fd54bf2241c790 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-13 18:12 74752 f880fd57bdae7aa53cdfe1cf3b4221cc c:\windows\system32\spoolsv.exe

2004-08-04 01:56 41984 c374d03a9d472181c4c448c99b05a401 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 18:12 43008 536f2f30712fbe29caa5bc67b5d2c190 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-13 18:12 43008 79ce6163d1a0c399180d933d8ba0cb3a c:\windows\system32\userinit.exe
2009-03-03 16:30 121856 6ea6cad938e5d5f48c1516a69e4f21c4 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-01-30 14:05 2788152 --a------ c:\program files\Mozy\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-01-30 14:05 2788152 --a------ c:\program files\Mozy\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-06 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-03 1601304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 434176]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-03 515416]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-21 30192]
"hgcheck"="c:\windows\system32\hgcheck.exe" [2009-03-03 140744]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
MozyHome Status.lnk - c:\program files\Mozy\mozystat.exe [2009-01-30 2737464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Folders"= 2 (0x2)
"Btn_Fullscreen"= 2 (0x2)
"Btn_MailNews"= 2 (0x2)
"Btn_Size"= 2 (0x2)
"Btn_Print"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-03 19:12 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 14:22 63040 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CSCD"= camcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-11 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-11 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-11 107272]
R1 MozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2007-03-27 53752]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-11 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-11 298264]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-06-02 46112]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2006-01-22 7296]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2001-08-18 66048]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2006-05-25 12192]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-01-22 16512]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-21 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2001-08-18 2176]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e837b2f9-e18d-11dc-99d2-000c41593f42}]
\Shell\AutoRun\command - h:\magicjack\autorun.exe
\Shell\phone\command - h:\magicjack\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\Ad-Aware SE Personal.job
- c:\progra~1\Lavasoft\AD-AWA~1\Ad-Aware.exe []

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f10058a2-2f3e-4dcb-b40b-5658bbb7a296} - c:\windows\system32\zimuworo.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-CPM632d9ef7 - c:\windows\system32\rotawugo.dll
HKLM-Run-jedibotara - c:\windows\system32\rekomeve.dll
HKLM-Run-Viewbar - (no file)
HKLM-Explorer_Run-application - c:\program files\AKProg\AKProg.exe
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rotawugo.dll
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\TEMP\ntdll64.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: convergys.com
Trusted Zone: antimalwareguard.com
TCP: {D010E729-8B30-4638-9BB2-F32338BED958} = 208.67.222.222,208.67.220.220
DPF: {546B1745-1674-4089-A56A-171B67631F8D} - hxxp://66.197.233.53/ImageControl.CAB
DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37440.cab
DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/NmScan/download/WebDiag.1.0.0.0.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cfljd6y5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?spn=0.125382,0.222439&hl=en&q=&tab=lw
FF - prefs.js: keyword.URL - hxxp://urlseek.vmn.net/search.php?lg=fr&mkt=fr&type=dns&tbn=vmntoolbar&tbo=toolbar__2evmn__2enet__2ffr__2foptions__2ephp&q=
FF - prefs.js: network.proxy.http_port - 12080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cfljd6y5.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cfljd6y5.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cfljd6y5.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\MOZILLA FIREFOX\plugins\np-mswmp.dll
FF - plugin: c:\program files\MOZILLA FIREFOX\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\MOZILLA FIREFOX\plugins\nppsynth.dll
FF - plugin: c:\program files\MOZILLA FIREFOX\plugins\npRACtrl.dll
FF - plugin: c:\windows\system32\Photosynth\nppsynth.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 16:46:12
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

c:\windows\system32\sopidkc.exe [1220] 0x82EBC950
? [12676]
? [18880]
? [18888]
scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\rezu 578560 bytes executable
c:\windows\system32\tpszxyd.sys 224256 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-527237240-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-484763869-527237240-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7426B936-DA08-9721-F76A-86FA1108A992}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\TEMP\ntdll64.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ahead\InCD\InCDsrv.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Mozy\mozybackup.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\hpzipm12.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\windows\system32\rundll32.exe
c:\windows\SoftwareDistribution\Download\Install\mpas-fe_bd.exe
.
**************************************************************************
.
Completion time: 2009-03-05 17:03:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 23:02:59

Pre-Run: 16,867,487,744 bytes free
Post-Run: 16,687,616,000 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

451 --- E O F --- 2009-03-03 12:53:41




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:09 PM, on 3/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mozy\mozybackup.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hgcheck.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Mozy\mozystat.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [hgcheck] C:\WINDOWS\system32\hgcheck.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\Mozy\mozystat.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {546B1745-1674-4089-A56A-171B67631F8D} - http://66.197.233.53/ImageControl.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097963696261
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138486494250
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37440.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Network Magic Scan Helper Control) - http://scan.networkmagic.com/NmScan/download/WebDiag.1.0.0.0.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc02.custhelp.com/7560-b440h-turbotax/rnl/java/RntX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - http://www.sparedollar.com/sdImage/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D010E729-8B30-4638-9BB2-F32338BED958}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MozyHome Backup Service (MozyBackup) - Mozy, Inc. - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Simple TCP/IP Services (SimpTcp) - Unknown owner - C:\WINDOWS\System32\tcpsvcs.exe (file missing)
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe

--
End of file - 13272 bytes

Shaba
2009-03-06, 07:07
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site 1 (http://hype.free.googlepages.com/gmer.zip)
alternate download site 2 (http://www.castlecops.com/downloads-file-546.html)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on "Settings", then check the first five settings:
*System Protection and Tracing
*Processes
*Save created processes to the log
*Drivers
*Save loaded drivers to the log
You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.

I'd like you to check a file/some files for malware.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)


c:\windows\system32\svchost.exe
c:\windows\explorer.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\userinit.exe


Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Save the complete results in a Notepad/Word document on your desktop.
Repeat for all files on the list.
Post back results, please.

Post:

- gmer log
- jotti/virustotal results

travor
2009-03-06, 17:17
Thank you, Shaba

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-06 08:43:53
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[184] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[184] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[184] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[184] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[184] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.rsrc C:\WINDOWS\System32\svchost.exe[240] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[240] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x0100581D]
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[348] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[348] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[348] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[348] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[348] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[404] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[404] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[404] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[404] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[404] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[524] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[524] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[524] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[524] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[524] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\winlogon.exe[668] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[692] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[692] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[692] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[692] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[692] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FF93E1B
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FF93EAA
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FF93EB7
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FF93EA0
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FF93EF8
.rsrc C:\WINDOWS\system32\svchost.exe[880] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[880] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100581D]
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.rsrc C:\WINDOWS\system32\svchost.exe[976] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[976] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100581D]
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Windows Defender\MsMpEng.exe[1024] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Windows Defender\MsMpEng.exe[1024] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Windows Defender\MsMpEng.exe[1024] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Windows Defender\MsMpEng.exe[1024] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Windows Defender\MsMpEng.exe[1024] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.rsrc C:\WINDOWS\System32\svchost.exe[1064] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1064] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x0100581D]
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Ahead\InCD\InCDsrv.exe[1108] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Ahead\InCD\InCDsrv.exe[1108] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Ahead\InCD\InCDsrv.exe[1108] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Ahead\InCD\InCDsrv.exe[1108] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Ahead\InCD\InCDsrv.exe[1108] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\mabidwe.exe[1232] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\mabidwe.exe[1232] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\mabidwe.exe[1232] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\mabidwe.exe[1232] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\mabidwe.exe[1232] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.rsrc C:\WINDOWS\System32\svchost.exe[1236] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[1236] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x0100581D]
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.rsrc C:\WINDOWS\system32\svchost.exe[1296] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1296] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100581D]
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Mozy\mozybackup.exe[1448] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Mozy\mozybackup.exe[1448] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Mozy\mozybackup.exe[1448] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Mozy\mozybackup.exe[1448] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Mozy\mozybackup.exe[1448] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\nvsvc32.exe[1484] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\nvsvc32.exe[1484] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\nvsvc32.exe[1484] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\nvsvc32.exe[1484] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\nvsvc32.exe[1484] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1540] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1540] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1540] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1540] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1540] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1584] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1584] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1584] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1584] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1584] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\System32\HPZipm12.exe[1588] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\System32\HPZipm12.exe[1588] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\HPZipm12.exe[1588] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\System32\HPZipm12.exe[1588] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\System32\HPZipm12.exe[1588] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\sopidkc.exe[1688] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\sopidkc.exe[1688] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\sopidkc.exe[1688] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\sopidkc.exe[1688] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\sopidkc.exe[1688] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1720] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1720] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1720] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1720] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1720] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.reloc C:\WINDOWS\Explorer.EXE[1848] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE2000060]
.reloc C:\WINDOWS\Explorer.EXE[1848] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x01102890]
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\Explorer.EXE[1848] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1940] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1940] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1940] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1940] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe[1940] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Java\jre6\bin\jusched.exe[2000] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Java\jre6\bin\jusched.exe[2000] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Java\jre6\bin\jusched.exe[2000] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Java\jre6\bin\jusched.exe[2000] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Java\jre6\bin\jusched.exe[2000] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\spoolsv.exe[2040] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\spoolsv.exe[2040] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\spoolsv.exe[2040] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\spoolsv.exe[2040] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\spoolsv.exe[2040] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2124] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2124] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2124] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2124] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[2124] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2188] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2188] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2188] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2188] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2188] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2236] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2236] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2236] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2236] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\PROGRA~1\AVG\AVG8\avgtray.exe[2236] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2272] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2272] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2272] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2272] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2272] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2288] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2288] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2288] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2288] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2288] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\hgcheck.exe[2320] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\hgcheck.exe[2320] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\hgcheck.exe[2320] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\hgcheck.exe[2320] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\hgcheck.exe[2320] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\hgcheck.exe[2320] ntdll.dll!DbgUiRemoteBreakin 7C94FFE3 5 Bytes JMP 7C81CAFA C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2328] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2328] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2328] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2328] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2328] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2336] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2336] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2336] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2336] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[2336] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2360] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2360] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2360] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2360] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2360] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2536] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2536] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2536] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2536] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\AVG\AVG8\avgcsrvx.exe[2536] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Mozy\mozystat.exe[2624] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Mozy\mozystat.exe[2624] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Mozy\mozystat.exe[2624] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Mozy\mozystat.exe[2624] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Mozy\mozystat.exe[2624] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\System32\alg.exe[3076] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\System32\alg.exe[3076] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\alg.exe[3076] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\System32\alg.exe[3076] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\System32\alg.exe[3076] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\System32\wbem\unsecapp.exe[3236] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\System32\wbem\unsecapp.exe[3236] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\wbem\unsecapp.exe[3236] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\System32\wbem\unsecapp.exe[3236] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\System32\wbem\unsecapp.exe[3236] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3508] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3508] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3508] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3508] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\System32\wbem\wmiprvse.exe[3508] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\wscntfy.exe[3552] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\wscntfy.exe[3552] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\wscntfy.exe[3552] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\wscntfy.exe[3552] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\wscntfy.exe[3552] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\WINDOWS\system32\wuauclt.exe[3568] ntdll.dll!NtCreateFile 7C90D090 5 Bytes CALL 7FFA3E1B
.text C:\WINDOWS\system32\wuauclt.exe[3568] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\wuauclt.exe[3568] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes CALL 7FFA3EB7
.text C:\WINDOWS\system32\wuauclt.exe[3568] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\WINDOWS\system32\wuauclt.exe[3568] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8
.text C:\gmer\gmer.exe[3884] ntdll.dll!NtOpenFile 7C90D580 5 Bytes CALL 7FFA3EA0
.text C:\gmer\gmer.exe[3884] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes CALL 7FFA3EF8

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003D2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003D2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003D2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[1212] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003D2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C62F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C62CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C62D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1848] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C62CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01EC2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01EC2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01EC2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[2116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01EC2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\System32\wbem\unsecapp.exe[3236] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B82F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\System32\wbem\unsecapp.exe[3236] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B82CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\System32\wbem\unsecapp.exe[3236] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00B82D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\System32\wbem\unsecapp.exe[3236] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B82CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe[3280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\wscntfy.exe[3552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\gmer\gmer.exe[3884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

---- Processes - GMER 1.0.14 ----

Process C:\WINDOWS\system32\mabidwe.exe (*** hidden *** ) 1232
Process C:\WINDOWS\system32\sopidkc.exe (*** hidden *** ) 1688

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\MozyFilter@LogFile \??\C:\Program Files\Mozy\Data\filter_raw.log.1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7426B936-DA08-9721-F76A-86FA1108A992}

---- Files - GMER 1.0.14 ----

File C:\Program Files\Mozy\Data\filter_raw.log.1 0 bytes

---- EOF - GMER 1.0.14 ----

travor
2009-03-06, 17:19
VirusTotal results:

====> svchost.exe

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.06 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.105 2009.03.06 W32/Virut.Gen
Authentium 5.1.0.4 2009.03.06 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.03.05 Win32:Vitro
AVG 8.0.0.237 2009.03.06 -
BitDefender 7.2 2009.03.06 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.03.06 W32.Virut.G
ClamAV 0.94.1 2009.03.06 -
Comodo 1027 2009.03.05 -
DrWeb 4.44.0.09170 2009.03.06 Win32.Virut.56
eSafe 7.0.17.0 2009.03.05 -
eTrust-Vet 31.6.6384 2009.03.05 Win32/Virut.17408
F-Prot 4.4.4.56 2009.03.06 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.03.06 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.03.06 -
GData 19 2009.03.06 Win32.Virtob.Gen.12
Ikarus T3.1.1.45.0 2009.03.06 -
K7AntiVirus 7.10.660 2009.03.06 -
Kaspersky 7.0.0.125 2009.03.06 Virus.Win32.Virut.ce
McAfee 5544 2009.03.05 W32/Virut.n.gen
McAfee+Artemis 5544 2009.03.05 W32/Virut.n.gen
Microsoft 1.4405 2009.03.06 Virus:Win32/Virut.BM
NOD32 3912 2009.03.06 Win32/Virut.NBK
Norman 6.00.06 2009.03.06 W32/Virut.BV
nProtect 2009.1.8.0 2009.03.06 -
Panda 10.0.0.10 2009.03.05 W32/Sality.AO
PCTools 4.4.2.0 2009.03.06 -
Prevx1 V2 2009.03.06 -
Rising 21.19.42.00 2009.03.06 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.03.06 Win32.Virut.Gen
Sophos 4.39.0 2009.03.06 W32/Scribble-A
Sunbelt 3.2.1858.2 2009.03.06 Win32.Virut.cf (v)
Symantec 1.4.4.12 2009.03.06 W32.Virut.CF
TheHacker 6.3.2.7.273 2009.03.06 W32/Virut.gen
TrendMicro 8.700.0.1004 2009.03.06 PE_VIRUX.D
VBA32 3.12.10.1 2009.03.05 Virus.Win32.Virut.X5
ViRobot 2009.3.6.1637 2009.03.06 -
VirusBuster 4.5.11.0 2009.03.05 -
Additional information
File size: 31744 bytes
MD5...: 253ae48a29ec08b32aa33a14934d9f6c
SHA1..: f32b309a9612b8afa5fcf936c2071c8243224460
SHA256: 5cf6b8bb9f62fdd1f5bb4c3f3c049834995339b487c31a0da1c2a466fc7dfbcf
SHA512: b6087b9c28c9161c2333bca6299b425d49e59ed99832f46aa8984ea72e78b56becbbadbdbfa958c54701eaa9416d99047aec91853766153f2b27c089ec334fa4
ssdeep: 768:3NcG6xlCRaJKGOA7SHJQP2QOTbIbY1hQhIvbpbCB5i:dcG6yPzKSHJQeQOTYY1hQ+bp
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x581d
timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 f6589e1ed3da6afefb0b4294d9ff7f2e
.data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2
.rsrc 0x5000 0x5600 0x4a00 7.68 e90660d3db0548b2c479a1c26f7f91e9

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )


====> explorer.exe

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.06 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.105 2009.03.06 W32/Virut.Gen
Authentium 5.1.0.4 2009.03.06 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.03.05 Win32:Vitro
AVG 8.0.0.237 2009.03.06 -
BitDefender 7.2 2009.03.06 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.03.06 W32.Virut.G
ClamAV 0.94.1 2009.03.06 -
Comodo 1027 2009.03.05 -
DrWeb 4.44.0.09170 2009.03.06 Win32.Virut.56
eSafe 7.0.17.0 2009.03.05 -
eTrust-Vet 31.6.6384 2009.03.05 Win32/Virut.17408
F-Prot 4.4.4.56 2009.03.06 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.03.06 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.03.06 -
GData 19 2009.03.06 Win32.Virtob.Gen.12
Ikarus T3.1.1.45.0 2009.03.06 -
K7AntiVirus 7.10.660 2009.03.06 -
Kaspersky 7.0.0.125 2009.03.06 Virus.Win32.Virut.ce
McAfee 5544 2009.03.05 W32/Virut.n.gen
McAfee+Artemis 5544 2009.03.05 W32/Virut.n.gen
Microsoft 1.4405 2009.03.06 Virus:Win32/Virut.BM
NOD32 3912 2009.03.06 Win32/Virut.NBK
Norman 6.00.06 2009.03.06 W32/Virut.BV
nProtect 2009.1.8.0 2009.03.06 -
Panda 10.0.0.10 2009.03.05 W32/Sality.AO
PCTools 4.4.2.0 2009.03.06 -
Prevx1 V2 2009.03.06 -
Rising 21.19.42.00 2009.03.06 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.03.06 Win32.Virut.Gen
Sophos 4.39.0 2009.03.06 W32/Scribble-A
Sunbelt 3.2.1858.2 2009.03.06 Win32.Virut.cf (v)
Symantec 1.4.4.12 2009.03.06 W32.Virut.CF
TheHacker 6.3.2.7.273 2009.03.06 W32/Virut.gen
TrendMicro 8.700.0.1004 2009.03.06 PE_VIRUX.D
VBA32 3.12.10.1 2009.03.05 Virus.Win32.Virut.X5
ViRobot 2009.3.6.1637 2009.03.06 -
VirusBuster 4.5.11.0 2009.03.05 -
Additional information
File size: 1050624 bytes
MD5...: bb37af240efc24d65ea621c0a63ea9c1
SHA1..: 88966d25e94a61a212a4f48a963d19734b1f5f13
SHA256: 111ddb0b010cd7fcfdfd843cf5807404173f545161cd9e87aee0be18d5dd8918
SHA512: 6e11a6db2921b1466ff4c824dd524c4ccc98ab5fc3380d820e4179f34bff89a8481e258a2a597efea9a0e8d4131c72910c1de674807e4cf216e421d8ce3ba9b3
ssdeep: 24576:emfty/wAvN7lrvbkf8w0VnH1/g/J/kUw:empcN7Bbkf8THv9
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x102890
timedatestamp.....: 0x48025c30 (Sun Apr 13 19:17:04 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44c09 0x44e00 6.38 fd89c9ce334764ffdbb62637ad9b5809
.data 0x46000 0x1db4 0x1800 1.30 983f35021232560eaaa99fcbc1b7d359
.rsrc 0x48000 0xb2268 0xb2400 6.63 95339c37646fa93e3695e06572a21889
.reloc 0xfb000 0x8800 0x7a00 7.65 0c4a733eb596bda8889f4da158f28482

( 13 imports )
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> BROWSEUI.dll: -, -, -, -
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> SHDOCVW.dll: -, -, -
> SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )

====> spoolserv.exe

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.06 Virus.Win32.Patched.B!IK
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.105 2009.03.06 W32/Virut.Gen
Authentium 5.1.0.4 2009.03.06 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.03.05 Win32:Vitro
AVG 8.0.0.237 2009.03.06 -
BitDefender 7.2 2009.03.06 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.03.06 W32.Virut.G
ClamAV 0.94.1 2009.03.06 -
Comodo 1027 2009.03.05 -
DrWeb 4.44.0.09170 2009.03.06 Win32.Virut.56
eSafe 7.0.17.0 2009.03.05 Suspicious File
eTrust-Vet 31.6.6384 2009.03.05 Win32/Virut.17408
F-Prot 4.4.4.56 2009.03.06 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.03.06 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.03.06 -
GData 19 2009.03.06 Win32.Virtob.Gen.12
Ikarus T3.1.1.45.0 2009.03.06 Virus.Win32.Patched.B
K7AntiVirus 7.10.660 2009.03.06 -
Kaspersky 7.0.0.125 2009.03.06 Virus.Win32.Virut.ce
McAfee 5544 2009.03.05 W32/Virut.n.gen
McAfee+Artemis 5544 2009.03.05 W32/Virut.n.gen
Microsoft 1.4405 2009.03.06 Virus:Win32/Virut.BM
NOD32 3912 2009.03.06 Win32/Virut.NBK
Norman 6.00.06 2009.03.06 -
nProtect 2009.1.8.0 2009.03.06 -
Panda 10.0.0.10 2009.03.05 W32/Sality.AO
PCTools 4.4.2.0 2009.03.06 -
Prevx1 V2 2009.03.06 -
Rising 21.19.42.00 2009.03.06 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.03.06 Win32.Virut.Gen
Sophos 4.39.0 2009.03.06 W32/Scribble-A
Sunbelt 3.2.1858.2 2009.03.06 Win32.Virut.cf (v)
Symantec 1.4.4.12 2009.03.06 W32.Virut.CF
TheHacker 6.3.2.7.273 2009.03.06 W32/Virut.gen
TrendMicro 8.700.0.1004 2009.03.06 PE_VIRUX.D
VBA32 3.12.10.1 2009.03.05 Virus.Win32.Virut.X5
ViRobot 2009.3.6.1637 2009.03.06 -
VirusBuster 4.5.11.0 2009.03.05 -
Additional information
File size: 74752 bytes
MD5...: f880fd57bdae7aa53cdfe1cf3b4221cc
SHA1..: bf8e25dd970301c051f4a229f6b6dca49a9f14c6
SHA256: b4a7e7c67bad47bf2157f699baa6970b91f12264e62fbdc448bce100ff5cbb6d
SHA512: 3fbfd8709bdd694142afe0ec67a6a346d94607e33fee7d5f2fcfc733bbc5a8065e7366749170d9e778c03a6a8dbfd18ef16314d75c9f6e4fa0b1e32a29adb9aa
ssdeep: 1536:mgSHlAMmxUC/OUVIrOgozHuJY0m8irs/miW:GajLIrfozOJY0FMs/
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x13f16
timedatestamp.....: 0x48025ce1 (Sun Apr 13 19:20:01 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xba70 0xbc00 5.96 d9b4f450aa98b3936118e3a3c42ed657
.data 0xd000 0x13b4 0x1400 2.24 887444c39cada5bd753c428783e0009b
.rsrc 0xf000 0x5e00 0x5000 7.80 98e62529522bef51825d08fec5c2ad93

( 6 imports )
> ADVAPI32.dll: SetServiceStatus, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetLengthSid, InitializeAcl, AddAccessAllowedAce, AddAccessDeniedAce, GetAce, SetSecurityDescriptorDacl, GetSecurityDescriptorLength, MakeSelfRelativeSD, RegDisablePredefinedCache, RegOpenKeyExW, RegCloseKey, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
> GDI32.dll: bMakePathNameW, GdiInitSpool, GdiGetSpoolMessage
> KERNEL32.dll: GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, GetCurrentProcessId, SetUnhandledExceptionFilter, GetModuleHandleA, GetCurrentThreadId, GetTickCount, UnhandledExceptionFilter, QueryPerformanceCounter, FreeLibrary, InterlockedExchange, GetModuleHandleW, GetLastError, ExitThread, CloseHandle, WaitForSingleObject, CreateEventW, CreateThread, ExitProcess, Sleep, OpenEventW, LoadLibraryA, InitializeCriticalSection, LocalFree, LocalAlloc, SetEvent, LeaveCriticalSection, EnterCriticalSection, SetLastError, OpenProcess, InterlockedIncrement, RaiseException, InterlockedDecrement, GetProcAddress, GetSystemDirectoryW
> msvcrt.dll: __initenv, _exit, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _XcptFilter, wcsrchr, wcslen, _c_exit, _stricmp, _wcsnicmp, _except_handler3
> ntdll.dll: RtlValidRelativeSecurityDescriptor
> RPCRT4.dll: RpcServerRegisterIf2, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, RpcRaiseException, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2, RpcServerUseProtseqEpA, I_RpcSsDontSerializeContext, RpcMgmtSetServerStackSize, RpcServerListen

( 12 exports )
YDriverUnloadComplete, YEndDocPrinter, YFlushPrinter, YGetPrinter, YGetPrinterDriver2, YGetPrinterDriverDirectory, YReadPrinter, YSeekPrinter, YSetJob, YSetPort, YSplReadPrinter, YWritePrinter

====> userinit.exe

File userinit.exe received on 03.06.2009 16:08:09 (CET)
Current status: finished
Result: 25/39 (64.11%)

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.06 -
AhnLab-V3 5.0.0.2 2009.02.27 -
AntiVir 7.9.0.105 2009.03.06 W32/Virut.Gen
Authentium 5.1.0.4 2009.03.06 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.03.05 Win32:Vitro
AVG 8.0.0.237 2009.03.06 -
BitDefender 7.2 2009.03.06 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.03.06 W32.Virut.G
ClamAV 0.94.1 2009.03.06 -
Comodo 1027 2009.03.05 -
DrWeb 4.44.0.09170 2009.03.06 Win32.Virut.56
eSafe 7.0.17.0 2009.03.05 -
eTrust-Vet 31.6.6384 2009.03.05 Win32/Virut.17408
F-Prot 4.4.4.56 2009.03.06 W32/Patched.E.gen!Eldorado
F-Secure 8.0.14470.0 2009.03.06 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.03.06 -
GData 19 2009.03.06 Win32.Virtob.Gen.12
Ikarus T3.1.1.45.0 2009.03.06 -
K7AntiVirus 7.10.660 2009.03.06 -
Kaspersky 7.0.0.125 2009.03.06 Virus.Win32.Virut.ce
McAfee 5544 2009.03.05 W32/Virut.n.gen
McAfee+Artemis 5544 2009.03.05 W32/Virut.n.gen
Microsoft 1.4405 2009.03.06 Virus:Win32/Virut.BM
NOD32 3912 2009.03.06 Win32/Virut.NBK
Norman 6.00.06 2009.03.06 W32/Virut.BV
nProtect 2009.1.8.0 2009.03.06 -
Panda 10.0.0.10 2009.03.05 W32/Sality.AO
PCTools 4.4.2.0 2009.03.06 -
Prevx1 V2 2009.03.06 -
Rising 21.19.42.00 2009.03.06 Win32.Virut.bm
SecureWeb-Gateway 6.7.6 2009.03.06 Win32.Virut.Gen
Sophos 4.39.0 2009.03.06 W32/Scribble-A
Sunbelt 3.2.1858.2 2009.03.06 Win32.Virut.cf (v)
Symantec 1.4.4.12 2009.03.06 W32.Virut.CF
TheHacker 6.3.2.7.273 2009.03.06 W32/Virut.gen
TrendMicro 8.700.0.1004 2009.03.06 PE_VIRUX.D
VBA32 3.12.10.1 2009.03.05 Virus.Win32.Virut.X5
ViRobot 2009.3.6.1637 2009.03.06 -
VirusBuster 4.5.11.0 2009.03.05 -
Additional information
File size: 43008 bytes
MD5...: 79ce6163d1a0c399180d933d8ba0cb3a
SHA1..: 7445ba3fcf8ca2b24f02e49851f8d3482e817461
SHA256: 92451c09243b9be8f3d9c2976916fb0f1429b2d6bcb99dc4f6add3a2d82b5bd9
SHA512: 710b696727e38ec3691f3ff38d48c0763862bcca90e2171fb5e37b53796ec02bdddb0b9cdf71828f75d9e8b9a7be97b9e7da27c8780217ab2bff55eea6636c01
ssdeep: 768:oRMJi8jDLIDSAaQFxfftjaLacmkLGKOqCHLuSXGOsxCFJ:oRMJbDMDSA7FxffJaLaSLG9qKLFjfFJ
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8c8a
timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0x5c00 0x4e00 7.63 dd3240e88cfef24680e97fc736211da0

( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

( 0 exports )

Shaba
2009-03-06, 19:04
Those don't look good.

You have a file infector, Virut, which has infected your important system files.

The solution for this is pretty easy, but I think that you are not going to like it: reformatting.

That is unfortunately the only sensible solution.

You can back up all files except those with .exe, .scr and .html, as Virut infects those files.

If you need help with reformatting, let me know.

Shaba
2009-03-10, 18:30
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.