"iheasysgaurd.exe" - Messed up with ComboFix
AdventAmy
2010-01-24, 23:04
Hello,
Recently I got something called "Antivirus Protection 2009" or something similar to that, I can't remember (executable was iheasysgaurd.exe). The virus disabled my internet browsing, though I was still receiving packets. I ran ComboFix, not knowing I wasn't supposed to, and it deleted some stuff and restored my internet browsing abilities to a degree. Basically, connecting to the internet is really spotty, and now some of my shortcut buttons don't function.
Here is my log. Thx.
_________________
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:00:13 PM, on 1/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Brother\Brmfcmon\BRMFCWND.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\vaproxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BRMFCWND.EXE /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Amerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 11306 bytes
http://forums.spybot.info/showthread.php?p=356536#post356536
Welcome to the forum,
This forum, myself and sUbs will not be responsible if you run ComboFix on your own and damage your system. It's a very powerful tool and not to be taken lightly.
C:\ComboFix.txt <--You can find the log here, post it please
AdventAmy
2010-02-02, 05:00
ComboFix 10-01-04.01 - Amerz 01/08/2010 19:55:17.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2335 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Amerz\LOCALS~1\Temp\install_flash_player.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\AVSredirect.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.
2010-01-09 00:17 . 2010-01-09 00:17 388096 ----a-r- c:\documents and settings\Amerz\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-09 00:17 . 2010-01-09 00:17 -------- d-----w- c:\program files\TrendMicro
2010-01-09 00:16 . 2010-01-09 00:16 -------- d-----w- c:\program files\ERUNT
2010-01-08 23:55 . 2010-01-09 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-08 23:55 . 2010-01-08 23:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-08 16:31 . 2010-01-08 23:20 -------- d-----w- c:\documents and settings\Amerz\Local Settings\Application Data\ypglat
2010-01-08 03:02 . 2008-11-20 00:22 25216 ----a-w- c:\windows\system32\drivers\tap0901.sys
2010-01-08 03:02 . 2010-01-08 03:02 -------- d-----w- c:\program files\S.A.D
2010-01-07 02:57 . 2010-01-07 02:57 -------- d-----w- c:\program files\DivX
2010-01-07 02:57 . 2010-01-07 02:57 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-02 08:18 . 2010-01-02 08:18 -------- d-----w- c:\program files\Easy Video Converter
2010-01-02 07:54 . 2009-09-27 14:39 369152 ----a-w- c:\windows\system32\avisynth.dll
2010-01-02 07:54 . 2004-02-22 15:11 719872 ----a-w- c:\windows\system32\devil.dll
2010-01-02 07:54 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\yv12vfw.dll
2010-01-02 07:54 . 2004-01-25 05:00 70656 ----a-w- c:\windows\system32\i420vfw.dll
2010-01-02 07:54 . 2010-01-02 07:54 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-02 07:53 . 2008-03-16 13:30 216064 --sh--r- c:\windows\system32\nbDX.dll
2010-01-02 07:53 . 2007-02-21 11:47 31232 --sh--r- c:\windows\system32\msfDX.dll
2010-01-02 07:53 . 2006-05-03 10:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2010-01-02 07:53 . 2010-01-02 07:53 -------- d-----w- c:\program files\eRightSoft
2010-01-02 07:35 . 2010-01-02 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Solid MP4 Video Converter
2009-12-29 21:34 . 2009-12-29 21:34 -------- d-----w- C:\ViewSonic
2009-12-25 04:54 . 2009-12-25 04:54 0 ----a-w- c:\windows\nsreg.dat
2009-12-25 04:54 . 2009-12-25 04:54 -------- d-----w- c:\documents and settings\Amerz\Local Settings\Application Data\Mozilla
2009-12-10 15:19 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-12-10 15:19 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 23:13 . 2009-03-26 11:11 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-01-08 23:13 . 2009-03-28 07:11 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-01-08 03:08 . 2009-08-25 07:42 820048 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-29 21:33 . 2009-03-28 05:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-25 18:34 . 2009-03-31 07:09 -------- d-----w- c:\documents and settings\Amerz\Application Data\Skype
2009-12-25 13:42 . 2009-11-26 13:34 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-25 05:46 . 2009-03-31 07:11 -------- d-----w- c:\documents and settings\Amerz\Application Data\skypePM
2009-12-23 22:02 . 2009-03-28 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-23 19:42 . 2009-03-28 20:36 30008 ----a-w- c:\documents and settings\Amerz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 02:41 . 2009-07-10 19:18 -------- d-----w- c:\program files\Google
2009-12-20 04:55 . 2009-03-28 05:13 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-05 19:02 . 2009-07-22 00:54 -------- d-----w- c:\documents and settings\Amerz\Application Data\Apple Computer
2009-12-05 17:22 . 2009-12-05 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-12-05 05:58 . 2009-06-10 03:25 -------- d-----w- c:\documents and settings\Amerz\Application Data\gtk-2.0
2009-12-04 15:03 . 2009-12-04 15:03 251376 ----a-w- c:\documents and settings\Amerz\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-29 05:51 . 2009-03-26 17:27 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-11-24 19:38 . 2009-07-03 03:44 -------- d-----w- c:\program files\SpeedBit Video Accelerator
2009-11-24 06:29 . 2009-03-28 17:54 -------- d-----w- c:\program files\Microsoft Works
2009-11-24 05:12 . 2009-11-24 05:12 -------- d-----w- c:\documents and settings\Amerz\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
2009-11-24 05:12 . 2009-11-24 05:12 -------- d-----w- c:\program files\TweetDeck
2009-11-24 05:12 . 2009-05-16 16:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-24 05:08 . 2009-11-24 05:12 38208 ----a-w- c:\documents and settings\Amerz\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-24 05:08 . 2009-11-24 05:12 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-23 19:35 . 2009-11-23 19:35 488968 ----a-w- c:\documents and settings\Amerz\Application Data\Real\Update\temp\~Upg0\setup.exe
2009-11-03 00:51 . 2009-11-03 00:51 9728 ----a-w- c:\windows\system32\wceprv.dll
2009-10-31 03:49 . 2009-10-31 03:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-25 19:54 . 2009-10-25 19:54 128 ----a-w- c:\documents and settings\Amerz\Local Settings\Application Data\fusioncache.dat
2009-10-21 16:45 . 2008-01-22 01:43 33792 ----a-w- c:\windows\system32\identprv.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-03 10:06 . 2010-01-02 07:53 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2010-01-02 07:53 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2010-01-02 07:53 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Amerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-28 133104]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2009-07-03 2823784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-13 2043160]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-02 198160]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-10-26 1024000]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2009-01-09 114688]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BRMFCWND.EXE" [2009-01-19 1150976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2009-01-09 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
c:\documents and settings\Amerz\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 20:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-21 23:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Documents and Settings\\Amerz\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Amerz\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Amerz\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/28/2009 2:25 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/28/2009 2:25 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [3/28/2009 2:25 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/28/2009 2:25 PM 297752]
R2 CGVPNCliSrvc;CyberGhost VPN Client;c:\program files\S.A.D\CyberGhost VPN\CGVPNCliService.exe [1/7/2010 10:02 PM 2211328]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/31/2009 2:46 AM 24652]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/10/2009 2:18 PM 133104]
S3 8b7d3d5b-c84b-4311-9b80-95c86fe76cd7;8b7d3d5b-c84b-4311-9b80-95c86fe76cd7;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [4/29/2009 10:09 AM 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [4/29/2009 10:09 AM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [4/29/2009 10:09 AM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [4/29/2009 10:09 AM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [4/29/2009 10:09 AM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [4/29/2009 10:09 AM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [4/29/2009 10:09 AM 115752]
.
Contents of the 'Scheduled Tasks' folder
2009-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-07-04 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8238790906.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 06:52]
2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-10 19:18]
2010-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-10 19:18]
2010-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1177238915-725345543-1003Core.job
- c:\documents and settings\Amerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-28 06:59]
2010-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1177238915-725345543-1003UA.job
- c:\documents and settings\Amerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-28 06:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.speedbit.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
FF - ProfilePath - c:\documents and settings\Amerz\Application Data\Mozilla\Firefox\Profiles\8o4p3snn.default\
FF - plugin: c:\documents and settings\Amerz\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Amerz\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-exynfjmb - c:\documents and settings\Amerz\Local Settings\Application Data\ypglat\iheasysguard.exe
HKLM-Run-exynfjmb - c:\documents and settings\Amerz\Local Settings\Application Data\ypglat\iheasysguard.exe
AddRemove-{E82FBDF4-8C89-4513-B8D8-23378MP4VIDEO}_is1 - c:\program files\Solid MP4 Video Converter\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 19:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BrMfcWnd = c:\program files\Brother\Brmfcmon\BRMFCWND.EXE /AUTORUN??? ????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1292428093-1177238915-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ee,57,dc,1c,b5,fd,6d,f8,b0,22,8f,26,f3,fd,b3,a1,13,e9,ec,9d,a7,ba,d9,
22,2e,e2,f7,a5,36,1f,f9,b7,68,0e,4e,fa,bb,b8,a1,55,42,e0,6c,fd,b4,4e,f1,42,\
"??"=hex:55,b3,e5,5e,f4,a1,00,a2,ad,27,97,a2,9e,c1,c5,5d
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:c3,e0,de,8e,be,04,c2,9f,1d,20,1b,65,04,64,00,9a,2a,cf,52,8a,50,
9e,47,3c,05,e8,28,ce,54,4b,3a,c6,8e,04,bb,9a,1c,5f,3a,17,47,bb,ec,2c,56,10,\
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:c3,e0,de,8e,be,04,c2,9f,1d,20,1b,65,04,64,00,9a,2a,cf,52,8a,50,
9e,47,3c,05,e8,28,ce,54,4b,3a,c6,8e,04,bb,9a,1c,5f,3a,17,47,bb,ec,2c,56,10,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1076)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'lsass.exe'(1132)
c:\progra~1\SPEEDB~1\sblsp.dll
c:\program files\SpeedBit Video Accelerator\ConfigDB.dll
c:\program files\SpeedBit Video Accelerator\Accelerator.dll
c:\windows\system32\WININET.dll
c:\program files\SpeedBit Video Accelerator\CommPipe.dll
c:\program files\SpeedBit Video Accelerator\Collector.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-01-08 19:59:56
ComboFix-quarantined-files.txt 2010-01-09 00:59
Pre-Run: 76,827,549,696 bytes free
Post-Run: 77,324,259,328 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - FE4F1A6DD300D52CC8BB5F950FA00EE1
Good Morning,
You need to enable Windows to show all files and folders; instructions here (http://www.bleepingcomputer.com/tutorials/tutorial62.html).
Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see.
c:\windows\system32\rpcnetp.exe
c:\windows\system32\rpcnet.dll
If the site is busy you can try this one
http://virusscan.jotti.org/en
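A small triage helper for the submission step above, added here as an editor's example (it is not code from this thread, from VirusTotal or from the Spybot forum): it parses a VirusTotal plain-text report in the layout that gets pasted into threads like this one, counts which engines flagged the file, pulls out the reported hashes and size, and checks that a local copy of the file has the same digests, so the report being read is about the same bytes that are on the disk. The excerpt embedded in the block is a constructed subset of the rpcnetp.exe report posted later in this thread; the local path in the usage section is a placeholder.

```python
import hashlib
import re
from pathlib import Path

# Constructed excerpt of a VirusTotal plain-text report: a handful of the
# engine rows and the hash block from the rpcnetp.exe report in this thread.
SAMPLE_REPORT = """\
rpcnetp.exe
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.30 Win32.SuspectCrc!IK
AhnLab-V3 5.0.0.2 2010.01.30 -
Comodo 3761 2010.01.30 ApplicUnsaf.Win32.Spy.Agent.~chn
McAfee 5876 2010.01.29 -
McAfee-GW-Edition 6.8.5 2010.01.30 Heuristic.BehavesLike.Win32.CodeInjection.L
Symantec 20091.2.0.41 2010.01.30 -
Additional information
File size: 17408 bytes
MD5 : e7babe72c260552670f164ba6052c2cd
SHA1 : 5134dd732e9411fdfd5d5be395c7204cd24720d6
SHA256: c67c8cf3a68e0c772d84037b8b48e9da33b2eedf934d0f3bbcd9a8f6c27bb454
"""

# One engine row: name, engine version, signature date (YYYY.MM.DD), result ("-" = clean).
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes")


def parse_report(text):
    """Split a pasted report into engine rows, reported hashes and file size."""
    engines, hashes, size, in_table = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Antivirus Version"):
            in_table = True          # header of the per-engine table
            continue
        if line.startswith("Additional information"):
            in_table = False         # hashes and metadata follow
            continue
        if in_table:
            m = ROW_RE.match(line)
            if m:
                engines.append((m.group(1), m.group(4).strip()))
            continue
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            size = int(m.group(1))
    return {"engines": engines, "hashes": hashes, "size": size}


def detections(report):
    """Engines whose result column is anything other than '-'."""
    return [(name, result) for name, result in report["engines"] if result != "-"]


def summarize(text):
    """Detection count plus the rows that fired, for a quick read of a pasted report."""
    report = parse_report(text)
    hits = detections(report)
    return {
        "total": len(report["engines"]),
        "flagged": len(hits),
        "hits": hits,
        "hashes": report["hashes"],
        "size": report["size"],
    }


def digest(data):
    """MD5/SHA1/SHA256 of the bytes, keyed the same way the report names them."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data, report):
    """True only if every hash (and the size, when given) in the report agrees with the bytes."""
    if not report["hashes"]:
        return False                 # nothing to compare against
    if report["size"] is not None and report["size"] != len(data):
        return False
    computed = digest(data)
    return all(computed[algo] == value for algo, value in report["hashes"].items())


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['flagged']}/{s['total']} engines flagged the file")
    for name, result in s["hits"]:
        print(f"  {name}: {result}")
    # Placeholder path: point this at the local copy of the file that was submitted.
    local = Path("C:/WINDOWS/system32/rpcnetp.exe")
    if local.exists():
        print("local file matches report:", matches_report(local.read_bytes(), parse_report(SAMPLE_REPORT)))
```

Paste a full report into SAMPLE_REPORT (or read it from a file) and the summary shows the detection ratio and the engines that fired; the hash check is what tells you that the sample someone else scanned is byte-for-byte the one sitting in your system32, which matters when a file name like rpcnetp.exe is shared by legitimate and malicious copies.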
AdventAmy
2010-02-04, 01:36
rpcnetp.exe
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.30 Win32.SuspectCrc!IK
AhnLab-V3 5.0.0.2 2010.01.30 -
AntiVir 7.9.1.154 2010.01.29 -
Antiy-AVL 2.0.3.7 2010.01.28 -
Authentium 5.2.0.5 2010.01.30 -
Avast 4.8.1351.0 2010.01.30 -
AVG 9.0.0.730 2010.01.30 -
BitDefender 7.2 2010.01.30 -
CAT-QuickHeal 10.00 2010.01.30 -
ClamAV 0.96.0.0-git 2010.01.30 -
Comodo 3761 2010.01.30 ApplicUnsaf.Win32.Spy.Agent.~chn
DrWeb 5.0.1.12222 2010.01.30 -
eSafe 7.0.17.0 2010.01.28 Win32.PossibleThreat
eTrust-Vet 35.2.7271 2010.01.29 -
F-Prot 4.5.1.85 2010.01.29 -
F-Secure 9.0.15370.0 2010.01.30 -
Fortinet 4.0.14.0 2010.01.30 W32/Agent.SW!tr
GData 19 2010.01.30 -
Ikarus T3.1.1.80.0 2010.01.30 Win32.SuspectCrc
Jiangmin 13.0.900 2010.01.28 -
K7AntiVirus 7.10.960 2010.01.29 -
Kaspersky 7.0.0.125 2010.01.30 -
McAfee 5876 2010.01.29 -
McAfee+Artemis 5876 2010.01.29 -
McAfee-GW-Edition 6.8.5 2010.01.30 Heuristic.BehavesLike.Win32.CodeInjection.L
Microsoft 1.5406 2010.01.30 -
NOD32 4821 2010.01.30 -
Norman 6.04.03 2010.01.30 -
nProtect 2009.1.8.0 2010.01.30 -
Panda 10.0.2.2 2010.01.30 -
PCTools 7.0.3.5 2010.01.30 -
Prevx 3.0 2010.01.30 -
Rising 22.32.05.04 2010.01.30 -
Sophos 4.50.0 2010.01.30 -
Sunbelt 3.2.1858.2 2010.01.30 -
Symantec 20091.2.0.41 2010.01.30 -
TheHacker 6.5.1.0.172 2010.01.30 -
TrendMicro 9.120.0.1004 2010.01.30 -
VBA32 3.12.12.1 2010.01.29 -
ViRobot 2010.1.30.2164 2010.01.30 -
VirusBuster 5.0.21.0 2010.01.30 -
Additional information
File size: 17408 bytes
MD5 : e7babe72c260552670f164ba6052c2cd
SHA1 : 5134dd732e9411fdfd5d5be395c7204cd24720d6
SHA256: c67c8cf3a68e0c772d84037b8b48e9da33b2eedf934d0f3bbcd9a8f6c27bb454
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x34A1
timedatestamp.....: 0x45676914 (Fri Nov 24 22:50:12 2006)
machinetype.......: 0x14C (Intel I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x35E6 0x3600 6.40 1dab061d6abecab9679d769f97ebb222
.data 0x5000 0x168 0x200 1.00 b5c9aecf7688efa830499f6fdd77d747
.cdata 0x6000 0x23C 0x400 1.32 6ebcb80197a3d86a6514765527f0a8c9
.reloc 0x7000 0x338 0x400 5.81 68487b3d7b3b6e699e7b50df1f7f5126
( 4 imports )
> advapi32.dll: RegCloseKey, RegDeleteValueA, RegQueryValueExA, DuplicateTokenEx, RegOpenKeyExA, RegOpenKeyA, RegEnumValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenProcessToken, StartServiceCtrlDispatcherA, SetTokenInformation, CreateProcessAsUserA
> kernel32.dll: SetFilePointer, RtlUnwind, LocalAlloc, CreateProcessA, GetModuleHandleA, GetStdHandle, SetEvent, LocalFree, ReadFile, TerminateProcess, WriteProcessMemory, ReadProcessMemory, ResetEvent, LeaveCriticalSection, lstrcmpiA, ExitProcess, InitializeCriticalSection, CreateEventA, GetModuleFileNameA, GetProcAddress, WaitForSingleObject, WaitForMultipleObjects, ExitThread, TerminateThread, CreateRemoteThread, GetVersion, OpenProcess, EnterCriticalSection, lstrlenA, GetExitCodeThread, CreateThread, GetCurrentProcessId, CloseHandle, SetThreadPriority, ResumeThread, GetLastError, CreateFileA, FreeLibrary, RaiseException, lstrcpyA, GetOverlappedResult, WriteFile, CopyFileA, SetStdHandle, GetCurrentThreadId, lstrcatA, DeleteCriticalSection, VirtualAllocEx, VirtualFreeEx, Sleep, LoadLibraryA, GetEnvironmentVariableA
> user32.dll: DefWindowProcA, wsprintfA, PostQuitMessage, RegisterClassA, TranslateMessage, GetMessageA, PeekMessageA, PostMessageA, DispatchMessageA, CreateWindowExA, SetTimer, PostThreadMessageA, KillTimer
> wsock32.dll: -, -
( 1 exports )
> rpcnetp
TrID : File type identification
50.0% (.EXE) Generic Win/DOS Executable (2002/3)
49.9% (.EXE) DOS Executable Generic (2000/1)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=e7babe72c260552670f164ba6052c2cd
ssdeep: 384:ZsGXp8CWaNqI26hYW1HY0AjQCvRS3VZ2uryLfPj:Zlp8HDEhJHNAVvRSFIu+P
PEiD : -
RDS : NSRL Reference Data Set
-
rpcnet.dll
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.29 -
AhnLab-V3 5.0.0.2 2010.01.29 -
AntiVir 7.9.1.154 2010.01.29 -
Antiy-AVL 2.0.3.7 2010.01.28 -
Authentium 5.2.0.5 2010.01.29 -
Avast 4.8.1351.0 2010.01.29 -
AVG 9.0.0.730 2010.01.29 -
BitDefender 7.2 2010.01.29 -
CAT-QuickHeal 10.00 2010.01.29 -
ClamAV 0.96.0.0-git 2010.01.29 -
Comodo 3754 2010.01.29 -
DrWeb 5.0.1.12222 2010.01.29 -
eSafe 7.0.17.0 2010.01.28 -
eTrust-Vet 35.2.7271 2010.01.29 -
F-Prot 4.5.1.85 2010.01.29 -
F-Secure 9.0.15370.0 2010.01.29 -
Fortinet 4.0.14.0 2010.01.28 -
GData 19 2010.01.29 -
Ikarus T3.1.1.80.0 2010.01.29 -
Jiangmin 13.0.900 2010.01.28 -
K7AntiVirus 7.10.960 2010.01.29 -
Kaspersky 7.0.0.125 2010.01.29 -
McAfee 5876 2010.01.29 -
McAfee+Artemis 5876 2010.01.29 -
McAfee-GW-Edition 6.8.5 2010.01.29 -
Microsoft 1.5406 2010.01.29 -
NOD32 4818 2010.01.29 -
Norman 6.04.03 2010.01.29 -
nProtect 2009.1.8.0 2010.01.29 -
Panda 10.0.2.2 2010.01.29 -
PCTools 7.0.3.5 2010.01.29 -
Prevx 3.0 2010.01.29 -
Rising 22.32.04.03 2010.01.29 -
Sophos 4.50.0 2010.01.29 -
Sunbelt 3.2.1858.2 2010.01.29 -
Symantec 20091.2.0.41 2010.01.29 -
TheHacker 6.5.1.0.170 2010.01.29 -
TrendMicro 9.120.0.1004 2010.01.29 -
VBA32 3.12.12.1 2010.01.29 -
ViRobot 2010.1.29.2162 2010.01.29 -
VirusBuster 5.0.21.0 2010.01.29 -
Additional information
File size: 56680 bytes
MD5 : 2f4158cfe7801a73beaa7e8a9dfcad26
SHA1 : 54f8866720054252de75a2f05643ce98b5a9d253
SHA256: c959993db45d484da3a811f2dd6a8bf522fcd15afa05b46053e061db500d66f3
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1C10
timedatestamp.....: 0x49AD6B29 (Tue Mar 3 18:38:49 2009)
machinetype.......: 0x14C (Intel I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9129 0x9200 6.51 9becfb7d2513d33591ab673115bba95f
.data 0xB000 0x1D74 0x1E00 3.36 62bbc527cc88a05d5c449d6103467740
.cdata 0xD000 0x298 0x400 2.66 c93e206aac1e4e4b1506d414a18738eb
.rsrc 0xE000 0x448 0x600 2.54 66c04b9abc0c570bb3b2612f0ccfd50b
.reloc 0xF000 0x9EE 0xA00 6.24 3a404a244b8c32be9260e308210f9344
( 7 imports )
> advapi32.dll: ControlService, DeleteService, CreateServiceA, QueryServiceConfigA, ChangeServiceConfigA, OpenSCManagerA, OpenServiceA, QueryServiceStatus, StartServiceA, CloseServiceHandle, EqualSid, RegisterServiceCtrlHandlerA, SetServiceStatus, StartServiceCtrlDispatcherA, DuplicateTokenEx, SetTokenInformation, CreateProcessAsUserA, RegOpenKeyA, RegCreateKeyExA, RegSetValueExA, SetKernelObjectSecurity, RegDeleteKeyA, RegDeleteValueA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, OpenProcessToken, GetTokenInformation, AdjustTokenPrivileges, GetKernelObjectSecurity, AllocateAndInitializeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclA, FreeSid
> kernel32.dll: lstrcatA, lstrcpyA, MapViewOfFile, CreateFileMappingA, SetEvent, ResetEvent, WaitForSingleObject, LocalAlloc, CreateThread, GetLastError, BackupRead, BackupWrite, OpenProcess, GetCurrentProcessId, GetCurrentProcess, FreeLibrary, GetProcAddress, LoadLibraryA, DeleteFileA, lstrlenA, CreateFileA, BackupSeek, GetFileAttributesExA, SetFileTime, SetFileAttributesA, CreateEventA, GetVersionExA, GetSystemDirectoryA, FindClose, FindFirstFileA, lstrcmpiA, lstrcmpA, LoadLibraryExA, GetModuleHandleA, WriteFile, GetWindowsDirectoryA, GetEnvironmentVariableA, GetExitCodeThread, WaitForMultipleObjects, CreateRemoteThread, VirtualFreeEx, WriteProcessMemory, VirtualAllocEx, SetFilePointer, CopyFileA, GetModuleFileNameA, SetStdHandle, TerminateProcess, CreateProcessA, ReadProcessMemory, GetStdHandle, HeapAlloc, HeapFree, GetProcessHeap, RaiseException, GetVersion, RtlUnwind, ClearCommError, PurgeComm, GetOverlappedResult, EnterCriticalSection, LeaveCriticalSection, WaitCommEvent, SetCommMask, ReadFile, Sleep, DeleteCriticalSection, SetThreadPriority, InitializeCriticalSection, SetCommTimeouts, SetCommState, GetCommState, SetupComm, GetCommProperties, GetCurrentThreadId, GetLocalTime, GetCommandLineA, FlushFileBuffers, ExitProcess, ResumeThread, GetComputerNameA, TerminateThread, LocalFree, CloseHandle, UnmapViewOfFile, ExitThread
> netapi32.dll: Netbios
> tapi32.dll: lineDeallocateCall, lineMakeCall, lineSetDevConfig, lineGetID, lineSetStatusMessages, lineGetDevCaps, lineInitialize, lineGetDevConfig, lineOpen, lineShutdown, lineGetCallStatus, lineDrop, lineClose
> user32.dll: PeekMessageA, KillTimer, PostMessageA, GetMessageA, TranslateMessage, PostQuitMessage, DefWindowProcA, wsprintfA, RegisterClassA, CreateWindowExA, DispatchMessageA, MsgWaitForMultipleObjects, SendMessageA, PostThreadMessageA, SetTimer
> userenv.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock
> wsock32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -
( 1 exports )
> ServiceMain
TrID : File type identification
Generic Win/DOS Executable (50.0%)
DOS Executable Generic (49.9%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=2f4158cfe7801a73beaa7e8a9dfcad26
ssdeep: 768:kJTMRW36uadqY3bIxaiXssKrXbdURa1MRAn/v2mN90ebqAMt2IHjPz3Ot0qPG4Pb:LW3/aEwsK7iCMun/eAeydt0Yw4G4
PEiD : -
RDS : NSRL Reference Data Set
-
They may be ok; just upload this one to Jotti:
http://virusscan.jotti.org/en
c:\windows\system32\rpcnetp.exe
AdventAmy
2010-02-04, 04:05
Oh wups, I messed up. Those results are from old files -- not mine.
I ran the test again on all files mentioned:
rpcnetp.exe
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.04 Win32.SuspectCrc!IK
AhnLab-V3 5.0.0.2 2010.02.03 -
AntiVir 7.9.1.158 2010.02.03 -
Antiy-AVL 2.0.3.7 2010.02.03 -
Authentium 5.2.0.5 2010.02.04 -
Avast 4.8.1351.0 2010.02.02 -
AVG 9.0.0.730 2010.02.03 -
BitDefender 7.2 2010.02.04 -
CAT-QuickHeal 10.00 2010.02.03 -
ClamAV 0.96.0.0-git 2010.02.03 -
Comodo 3811 2010.02.04 ApplicUnsaf.Win32.Spy.Agent.~chn
DrWeb 5.0.1.12222 2010.02.04 -
eSafe 7.0.17.0 2010.02.03 Win32.PossibleThreat
eTrust-Vet 35.2.7278 2010.02.03 -
F-Prot 4.5.1.85 2010.02.03 -
F-Secure 9.0.15370.0 2010.02.03 -
Fortinet 4.0.14.0 2010.02.04 W32/Agent.SW!tr
GData 19 2010.02.04 -
Ikarus T3.1.1.80.0 2010.02.03 Win32.SuspectCrc
K7AntiVirus 7.10.966 2010.02.03 -
Kaspersky 7.0.0.125 2010.02.04 -
McAfee 5881 2010.02.03 -
McAfee+Artemis 5881 2010.02.03 -
McAfee-GW-Edition 6.8.5 2010.02.03 Heuristic.BehavesLike.Win32.CodeInjection.L
Microsoft 1.5406 2010.02.03 -
NOD32 4833 2010.02.03 -
Norman 6.04.03 2010.02.03 .dropper
nProtect 2009.1.8.0 2010.02.03 -
Panda 10.0.2.2 2010.02.03 -
PCTools 7.0.3.5 2010.02.04 -
Prevx 3.0 2010.02.04 -
Rising 22.33.03.01 2010.02.04 -
Sophos None 2010.02.04 -
Sunbelt 3.2.1858.2 2010.02.04 -
TheHacker 6.5.1.0.179 2010.02.04 -
TrendMicro 9.120.0.1004 2010.02.03 -
VBA32 3.12.12.1 2010.02.03 -
ViRobot 2010.2.3.2170 2010.02.03 -
VirusBuster 5.0.21.0 2010.02.03 -
Additional information
File size: 17408 bytes
MD5...: e7babe72c260552670f164ba6052c2cd
SHA1..: 5134dd732e9411fdfd5d5be395c7204cd24720d6
SHA256: c67c8cf3a68e0c772d84037b8b48e9da33b2eedf934d0f3bbcd9a8f6c27bb454
ssdeep: 384:ZsGXp8CWaNqI26hYW1HY0AjQCvRS3VZ2uryLfPj:Zlp8HDEhJHNAVvRSFIu+P
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x34a1
timedatestamp.....: 0x45676914 (Fri Nov 24 21:50:12 2006)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x35e6 0x3600 6.40 1dab061d6abecab9679d769f97ebb222
.data 0x5000 0x168 0x200 1.00 b5c9aecf7688efa830499f6fdd77d747
.cdata 0x6000 0x23c 0x400 1.32 6ebcb80197a3d86a6514765527f0a8c9
.reloc 0x7000 0x338 0x400 5.81 68487b3d7b3b6e699e7b50df1f7f5126
( 4 imports )
> WSOCK32.dll: -, -
> USER32.dll: DefWindowProcA, wsprintfA, PostQuitMessage, RegisterClassA, TranslateMessage, GetMessageA, PeekMessageA, PostMessageA, DispatchMessageA, CreateWindowExA, SetTimer, PostThreadMessageA, KillTimer
> KERNEL32.dll: SetFilePointer, RtlUnwind, LocalAlloc, CreateProcessA, GetModuleHandleA, GetStdHandle, SetEvent, LocalFree, ReadFile, TerminateProcess, WriteProcessMemory, ReadProcessMemory, ResetEvent, LeaveCriticalSection, lstrcmpiA, ExitProcess, InitializeCriticalSection, CreateEventA, GetModuleFileNameA, GetProcAddress, WaitForSingleObject, WaitForMultipleObjects, ExitThread, TerminateThread, CreateRemoteThread, GetVersion, OpenProcess, EnterCriticalSection, lstrlenA, GetExitCodeThread, CreateThread, GetCurrentProcessId, CloseHandle, SetThreadPriority, ResumeThread, GetLastError, CreateFileA, FreeLibrary, RaiseException, lstrcpyA, GetOverlappedResult, WriteFile, CopyFileA, SetStdHandle, GetCurrentThreadId, lstrcatA, DeleteCriticalSection, VirtualAllocEx, VirtualFreeEx, Sleep, LoadLibraryA, GetEnvironmentVariableA
> ADVAPI32.dll: RegCloseKey, RegDeleteValueA, RegQueryValueExA, DuplicateTokenEx, RegOpenKeyExA, RegOpenKeyA, RegEnumValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenProcessToken, StartServiceCtrlDispatcherA, SetTokenInformation, CreateProcessAsUserA
( 1 exports )
rpcnetp
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (50.0%)
DOS Executable Generic (49.9%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
rpcnet.dll
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.02 -
AhnLab-V3 5.0.0.2 2010.02.01 -
AntiVir 7.9.1.156 2010.02.02 -
Antiy-AVL 2.0.3.7 2010.02.02 -
Authentium 5.2.0.5 2010.02.02 -
Avast 4.8.1351.0 2010.02.02 -
AVG 9.0.0.730 2010.02.01 -
BitDefender 7.2 2010.02.02 -
CAT-QuickHeal 10.00 2010.02.02 -
ClamAV 0.96.0.0-git 2010.02.02 -
Comodo 3790 2010.02.02 -
DrWeb 5.0.1.12222 2010.02.02 -
eSafe 7.0.17.0 2010.02.02 -
eTrust-Vet 35.2.7276 2010.02.02 -
F-Prot 4.5.1.85 2010.02.01 -
F-Secure 9.0.15370.0 2010.02.02 -
Fortinet 4.0.14.0 2010.02.02 -
GData 19 2010.02.02 -
Ikarus T3.1.1.80.0 2010.02.02 -
Jiangmin 13.0.900 2010.02.02 -
K7AntiVirus 7.10.962 2010.02.01 -
Kaspersky 7.0.0.125 2010.02.02 -
McAfee 5879 2010.02.01 -
McAfee+Artemis 5879 2010.02.01 -
McAfee-GW-Edition 6.8.5 2010.02.02 -
Microsoft 1.5406 2010.02.02 -
NOD32 4827 2010.02.02 -
Norman 6.04.03 2010.02.02 -
nProtect 2009.1.8.0 2010.02.02 -
Panda 10.0.2.2 2010.02.01 -
PCTools 7.0.3.5 2010.02.02 -
Prevx 3.0 2010.02.04 -
Rising 22.33.01.04 2010.02.02 -
Sophos 4.50.0 2010.02.02 -
Sunbelt 3.2.1858.2 2010.02.02 -
TheHacker 6.5.1.0.176 2010.02.02 -
TrendMicro 9.120.0.1004 2010.02.02 -
VBA32 3.12.12.1 2010.02.01 -
ViRobot 2010.2.2.2168 2010.02.02 -
VirusBuster 5.0.21.0 2010.02.01 -
Additional information
File size: 56680 bytes
MD5...: 2f4158cfe7801a73beaa7e8a9dfcad26
SHA1..: 54f8866720054252de75a2f05643ce98b5a9d253
SHA256: c959993db45d484da3a811f2dd6a8bf522fcd15afa05b46053e061db500d66f3
ssdeep: 768:kJTMRW36uadqY3bIxaiXssKrXbdURa1MRAn/v2mN90ebqAMt2IHjPz3Ot0qPG4Pb:LW3/aEwsK7iCMun/eAeydt0Yw4G4
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1c10
timedatestamp.....: 0x49ad6b29 (Tue Mar 03 17:38:49 2009)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9129 0x9200 6.51 9becfb7d2513d33591ab673115bba95f
.data 0xb000 0x1d74 0x1e00 3.36 62bbc527cc88a05d5c449d6103467740
.cdata 0xd000 0x298 0x400 2.66 c93e206aac1e4e4b1506d414a18738eb
.rsrc 0xe000 0x448 0x600 2.54 66c04b9abc0c570bb3b2612f0ccfd50b
.reloc 0xf000 0x9ee 0xa00 6.24 3a404a244b8c32be9260e308210f9344
( 7 imports )
> WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -
> TAPI32.dll: lineDeallocateCall, lineMakeCall, lineSetDevConfig, lineGetID, lineSetStatusMessages, lineGetDevCaps, lineInitialize, lineGetDevConfig, lineOpen, lineShutdown, lineGetCallStatus, lineDrop, lineClose
> NETAPI32.dll: Netbios
> USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock
> KERNEL32.dll: lstrcatA, lstrcpyA, MapViewOfFile, CreateFileMappingA, SetEvent, ResetEvent, WaitForSingleObject, LocalAlloc, CreateThread, GetLastError, BackupRead, BackupWrite, OpenProcess, GetCurrentProcessId, GetCurrentProcess, FreeLibrary, GetProcAddress, LoadLibraryA, DeleteFileA, lstrlenA, CreateFileA, BackupSeek, GetFileAttributesExA, SetFileTime, SetFileAttributesA, CreateEventA, GetVersionExA, GetSystemDirectoryA, FindClose, FindFirstFileA, lstrcmpiA, lstrcmpA, LoadLibraryExA, GetModuleHandleA, WriteFile, GetWindowsDirectoryA, GetEnvironmentVariableA, GetExitCodeThread, WaitForMultipleObjects, CreateRemoteThread, VirtualFreeEx, WriteProcessMemory, VirtualAllocEx, SetFilePointer, CopyFileA, GetModuleFileNameA, SetStdHandle, TerminateProcess, CreateProcessA, ReadProcessMemory, GetStdHandle, HeapAlloc, HeapFree, GetProcessHeap, RaiseException, GetVersion, RtlUnwind, ClearCommError, PurgeComm, GetOverlappedResult, EnterCriticalSection, LeaveCriticalSection, WaitCommEvent, SetCommMask, ReadFile, Sleep, DeleteCriticalSection, SetThreadPriority, InitializeCriticalSection, SetCommTimeouts, SetCommState, GetCommState, SetupComm, GetCommProperties, GetCurrentThreadId, GetLocalTime, GetCommandLineA, FlushFileBuffers, ExitProcess, ResumeThread, GetComputerNameA, TerminateThread, LocalFree, CloseHandle, UnmapViewOfFile, ExitThread
> USER32.dll: PeekMessageA, KillTimer, PostMessageA, GetMessageA, TranslateMessage, PostQuitMessage, DefWindowProcA, wsprintfA, RegisterClassA, CreateWindowExA, DispatchMessageA, MsgWaitForMultipleObjects, SendMessageA, PostThreadMessageA, SetTimer
> ADVAPI32.dll: ControlService, DeleteService, CreateServiceA, QueryServiceConfigA, ChangeServiceConfigA, OpenSCManagerA, OpenServiceA, QueryServiceStatus, StartServiceA, CloseServiceHandle, EqualSid, RegisterServiceCtrlHandlerA, SetServiceStatus, StartServiceCtrlDispatcherA, DuplicateTokenEx, SetTokenInformation, CreateProcessAsUserA, RegOpenKeyA, RegCreateKeyExA, RegSetValueExA, SetKernelObjectSecurity, RegDeleteKeyA, RegDeleteValueA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, OpenProcessToken, GetTokenInformation, AdjustTokenPrivileges, GetKernelObjectSecurity, AllocateAndInitializeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclA, FreeSid
( 1 exports )
ServiceMain
RDS...: NSRL Reference Data Set
-
trid..: Generic Win/DOS Executable (50.0%)
DOS Executable Generic (49.9%)
sigcheck:
publisher....: Absolute Software Corp.
copyright....: Copyright (c) 1997-2009 Absolute Software Corporation. All Rights Reserved.
product......: Installation/Management Application
description..: rpcnet
original name: rpcnet.dll
internal name: rpcnet
file version.: 8.0.885.0
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
I think you're ok. How are things running now?
AdventAmy
2010-02-04, 05:18
The system seems stable; however, my shortcut keys don't work, and that is rather annoying.
Also, my laptop takes a very, very long time to connect to the internet. It will catch a signal eventually, but it used to be instant.
Good Morning,
You should post here for help with the shortcuts and the internet, as we just do malware removal on this forum. Like Safer, it's free, but you need to register.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
How did I get infected in the first place?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind, if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended), then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run; just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies, etc.) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
Safe Surfn
Ken