
Thread: Virtumonde and Friends

  1. #11
    Member
    Join Date: Dec 2008
    Posts: 33

    winlogon C:\WINDOWS\$NtServicePackUninstall$
    winlogon C:\WINDOWS\system32
    winlogon C:\WINDOWS\ServicePackFiles\i386
    winlogon.exe.vir C:\Qoobox\Quarantine\C\WINDOWS\system32

    No Router folder in C:Programs

  2. #12
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Yes, there is no Router folder in Program Files, but do you recognize these files:

    c:\program files\Router\Arcor Wlan Router 100\bat.bat
    c:\program files\Router\Arcor Wlan Router 100\ztnbatch.exe
    c:\program files\Router\D-Link di 624\info.clr
    c:\program files\Router\FRITZ!Box\data.box
    c:\program files\Router\FRITZ!Box\info.clr
    c:\program files\Router\FRITZ!Box\reconnect - Kopie.bat
    c:\program files\Router\FRITZ!Box\reconnect.bat - Verknüpfung.lnk
    c:\program files\Router\FRITZ!Box\reconnect.bat
    c:\program files\Router\FRITZ!Box\voip.exe

    I'd also like you to check some files for malware:

    C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    • Copy/Paste the first file on the list into the white Upload a file box.
    • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
    • After a while, a window will open, with details of what the scans found.
    • Save the complete results in a Notepad/Word document on your desktop.
    • Repeat for all files on the list.
    • Post back results here, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #13
    Member
    Join Date: Dec 2008
    Posts: 33

    I do not recognize any of the files in the folder you referred to. I searched and could not find them. I have no "Router" directory.

    Here is the output from the website. I had to drop one, but it was a repeat.

    File winlogon.exe received on 12.19.2008 20:07:59 (CET)
    Current status: finished
    Result: 0/38 (0.00%)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.12.19.3 2008.12.19 -
    AntiVir 7.9.0.45 2008.12.19 -
    Authentium 5.1.0.4 2008.12.19 -
    Avast 4.8.1281.0 2008.12.18 -
    AVG 8.0.0.199 2008.12.19 -
    BitDefender 7.2 2008.12.19 -
    CAT-QuickHeal 10.00 2008.12.19 -
    ClamAV 0.94.1 2008.12.19 -
    Comodo 781 2008.12.19 -
    DrWeb 4.44.0.09170 2008.12.19 -
    eSafe 7.0.17.0 2008.12.18 -
    eTrust-Vet 31.6.6269 2008.12.19 -
    Ewido 4.0 2008.12.19 -
    F-Prot 4.4.4.56 2008.12.19 -
    F-Secure 8.0.14332.0 2008.12.19 -
    Fortinet 3.117.0.0 2008.12.19 -
    GData 19 2008.12.19 -
    Ikarus T3.1.1.45.0 2008.12.19 -
    K7AntiVirus 7.10.559 2008.12.19 -
    Kaspersky 7.0.0.125 2008.12.19 -
    McAfee 5469 2008.12.19 -
    McAfee+Artemis 5468 2008.12.18 -
    Microsoft 1.4205 2008.12.19 -
    NOD32 3706 2008.12.19 -
    Norman 5.80.02 2008.12.19 -
    Panda 9.0.0.4 2008.12.19 -
    PCTools 4.4.2.0 2008.12.19 -
    Prevx1 V2 2008.12.19 -
    Rising 21.08.42.00 2008.12.19 -
    SecureWeb-Gateway 6.7.6 2008.12.19 -
    Sophos 4.37.0 2008.12.19 -
    Sunbelt 3.2.1801.2 2008.12.11 -
    Symantec 10 2008.12.19 -
    TheHacker 6.3.1.4.193 2008.12.19 -
    TrendMicro 8.700.0.1004 2008.12.19 -
    VBA32 3.12.8.10 2008.12.18 -
    ViRobot 2008.12.19.1527 2008.12.19 -
    VirusBuster 4.5.11.0 2008.12.19 -
    Additional information
    File size: 502272 bytes
    MD5...: 01c3346c241652f43aed8e2149881bfe
    SHA1..: a5396141cab8b22d9d88b28a814089537dce366a
    SHA256: affd0973cd3128083417d407f62bc4a635fc25b65dbf52e91d3ab4ae2f9c1b4a
    SHA512: c2b4a1fe29b84b0dfd062de79db83ef85ecb238184957649512a951e5abed874
    776f0b7c128cb33cd7cbb540d68ecac3a5ab09291fccecb64660b1a874e44090
    ssdeep: 6144:2YuZlm8LRlBw662R1pqrc7FmxSqVw/T+SN1TrSnmhPnpdcrFIzdFz/N5Wjy
    fTNQG:2VLBhic7Qy1vSneJFDNhp8
    PEiD..: -
    TrID..: File type identification
    Win64 Executable Generic (80.9%)
    Win32 Executable Generic (8.0%)
    Win32 Dynamic Link Library (generic) (7.1%)
    Generic Win/DOS Executable (1.8%)
    DOS Executable Generic (1.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x103d353
    timedatestamp.....: 0x41107edc (Wed Aug 04 06:14:52 2004)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x6f288 0x6f400 6.82 5a133ab60f38b5d739d86c8290fa5a3c
    .data 0x71000 0x4d90 0x2000 6.20 baa64d00a5f8a540a38a60d2aff66f30
    .rsrc 0x76000 0x9030 0x9200 3.62 b93cbbc049130e1bad3ea13d7512c074

    ( 20 imports )
    > ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
    > AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
    > CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
    > GDI32.dll: RemoveFontResourceW, AddFontResourceW
    > KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, ExpandEnvironmentStringsW, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, DuplicateHandle, OpenProcess, GetOverlappedResult, GetVersionExA, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, 
InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, DeleteCriticalSection, TlsGetValue, TlsAlloc, VirtualFree, TlsFree
    > msvcrt.dll: _vsnwprintf, wcslen, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, __set_app_type, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
    > NDdeApi.dll: -, -, -, -
    > ntdll.dll: RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlSubAuthoritySid, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlCreateSecurityDescriptor, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtOpenDirectoryObject, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlInitString, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtSetInformationProcess
    > PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
    > PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
    > REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
    > RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
    > Secur32.dll: GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, LsaCallAuthenticationPackage
    > SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
    > USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, KillTimer, GetMessageTime, SetLogonNotifyWindow, UnlockWindowStation, SetTimer, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, SetCursor, DefWindowProcW, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, RegisterClassW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
    > USERENV.dll: WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, GetUserProfileDirectoryW, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, -
    > VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
    > WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon, _WinStationNotifyLogoff
    > WINTRUST.dll: CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
    > WS2_32.dll: -, getaddrinfo, -

    ( 0 exports )
    ThreatExpert info: http://www.threatexpert.com/report.a...ed8e2149881bfe

    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

    File winlogon.exe.sample received on 12.19.2008 05:48:15 (CET)
    Current status: finished
    Result: 0/38 (0.00%)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.12.19.0 2008.12.19 -
    AntiVir 7.9.0.45 2008.12.18 -
    Authentium 5.1.0.4 2008.12.18 -
    Avast 4.8.1281.0 2008.12.18 -
    AVG 8.0.0.199 2008.12.18 -
    BitDefender 7.2 2008.12.19 -
    CAT-QuickHeal 10.00 2008.12.19 -
    ClamAV 0.94.1 2008.12.18 -
    Comodo 780 2008.12.19 -
    DrWeb 4.44.0.09170 2008.12.18 -
    eSafe 7.0.17.0 2008.12.18 -
    eTrust-Vet 31.6.6268 2008.12.18 -
    Ewido 4.0 2008.12.18 -
    F-Prot 4.4.4.56 2008.12.18 -
    F-Secure 8.0.14332.0 2008.12.19 -
    Fortinet 3.117.0.0 2008.12.19 -
    GData 19 2008.12.19 -
    Ikarus T3.1.1.45.0 2008.12.19 -
    K7AntiVirus 7.10.557 2008.12.18 -
    Kaspersky 7.0.0.125 2008.12.19 -
    McAfee 5468 2008.12.18 -
    McAfee+Artemis 5468 2008.12.18 -
    Microsoft 1.4205 2008.12.18 -
    NOD32 3704 2008.12.18 -
    Norman 5.80.02 2008.12.18 -
    Panda 9.0.0.4 2008.12.18 -
    PCTools 4.4.2.0 2008.12.18 -
    Prevx1 V2 2008.12.19 -
    Rising 21.08.40.00 2008.12.19 -
    SecureWeb-Gateway 6.7.6 2008.12.18 -
    Sophos 4.37.0 2008.12.19 -
    Sunbelt 3.2.1801.2 2008.12.11 -
    Symantec 10 2008.12.19 -
    TheHacker 6.3.1.4.191 2008.12.17 -
    TrendMicro 8.700.0.1004 2008.12.19 -
    VBA32 3.12.8.10 2008.12.18 -
    ViRobot 2008.12.18.1526 2008.12.19 -
    VirusBuster 4.5.11.0 2008.12.18 -
    Additional information
    File size: 507904 bytes
    MD5...: ed0ef0a136dec83df69f04118870003e
    SHA1..: f77a7cd78877527023ebfb35e83b75ef59d3df07
    SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e
    SHA512: c7de542a3298dc4a6dd40fce4dc839042384ef60774097d0717f66efae89bf30
    09a0b758b896ba8dbb810d8867a168082d87d3c82d59e009bfe04b48f19556e4
    ssdeep: 6144:kNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+
    lcDKao6nSKHsRqOMgxZg
    PEiD..: -
    TrID..: File type identification
    Win64 Executable Generic (80.9%)
    Win32 Executable Generic (8.0%)
    Win32 Dynamic Link Library (generic) (7.1%)
    Generic Win/DOS Executable (1.8%)
    DOS Executable Generic (1.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x103e5e1
    timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x70991 0x70a00 6.82 39d0278af55c2446adf638b9f0236aff
    .data 0x72000 0x4e70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
    .rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187

    ( 20 imports )
    > ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
    > AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
    > CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
    > GDI32.dll: RemoveFontResourceW, AddFontResourceW
    > KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, 
InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
    > msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
    > NDdeApi.dll: -, -, -, -
    > ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
    > PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
    > PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
    > REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
    > RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
    > Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
    > SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
    > USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
    > USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
    > VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
    > WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
    > WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
    > WS2_32.dll: -, -, getaddrinfo

    ( 0 exports )
    ThreatExpert info: http://www.threatexpert.com/report.a...9f04118870003e


    File winlogon.exe.sample received on 12.19.2008 05:48:15 (CET)
    Current status: finished
    Result: 0/38 (0.00%)
    Antivirus Version Last Update Result
    AhnLab-V3 2008.12.19.0 2008.12.19 -
    AntiVir 7.9.0.45 2008.12.18 -
    Authentium 5.1.0.4 2008.12.18 -
    Avast 4.8.1281.0 2008.12.18 -
    AVG 8.0.0.199 2008.12.18 -
    BitDefender 7.2 2008.12.19 -
    CAT-QuickHeal 10.00 2008.12.19 -
    ClamAV 0.94.1 2008.12.18 -
    Comodo 780 2008.12.19 -
    DrWeb 4.44.0.09170 2008.12.18 -
    eSafe 7.0.17.0 2008.12.18 -
    eTrust-Vet 31.6.6268 2008.12.18 -
    Ewido 4.0 2008.12.18 -
    F-Prot 4.4.4.56 2008.12.18 -
    F-Secure 8.0.14332.0 2008.12.19 -
    Fortinet 3.117.0.0 2008.12.19 -
    GData 19 2008.12.19 -
    Ikarus T3.1.1.45.0 2008.12.19 -
    K7AntiVirus 7.10.557 2008.12.18 -
    Kaspersky 7.0.0.125 2008.12.19 -
    McAfee 5468 2008.12.18 -
    McAfee+Artemis 5468 2008.12.18 -
    Microsoft 1.4205 2008.12.18 -
    NOD32 3704 2008.12.18 -
    Norman 5.80.02 2008.12.18 -
    Panda 9.0.0.4 2008.12.18 -
    PCTools 4.4.2.0 2008.12.18 -
    Prevx1 V2 2008.12.19 -
    Rising 21.08.40.00 2008.12.19 -
    SecureWeb-Gateway 6.7.6 2008.12.18 -
    Sophos 4.37.0 2008.12.19 -
    Sunbelt 3.2.1801.2 2008.12.11 -
    Symantec 10 2008.12.19 -
    TheHacker 6.3.1.4.191 2008.12.17 -
    TrendMicro 8.700.0.1004 2008.12.19 -
    VBA32 3.12.8.10 2008.12.18 -
    ViRobot 2008.12.18.1526 2008.12.19 -
    VirusBuster 4.5.11.0 2008.12.18 -
    Additional information
    File size: 507904 bytes
    MD5...: ed0ef0a136dec83df69f04118870003e
    SHA1..: f77a7cd78877527023ebfb35e83b75ef59d3df07
    SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e
    SHA512: c7de542a3298dc4a6dd40fce4dc839042384ef60774097d0717f66efae89bf30
    09a0b758b896ba8dbb810d8867a168082d87d3c82d59e009bfe04b48f19556e4
    ssdeep: 6144:kNZlxEdL5RvGlcHF37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+
    lcDKao6nSKHsRqOMgxZg
    PEiD..: -
    TrID..: File type identification
    Win64 Executable Generic (80.9%)
    Win32 Executable Generic (8.0%)
    Win32 Dynamic Link Library (generic) (7.1%)
    Generic Win/DOS Executable (1.8%)
    DOS Executable Generic (1.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x103e5e1
    timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x70991 0x70a00 6.82 39d0278af55c2446adf638b9f0236aff
    .data 0x72000 0x4e70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
    .rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187

    ( 20 imports )
    > ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
    > AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
    > CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
    > GDI32.dll: RemoveFontResourceW, AddFontResourceW
    > KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
    > msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
    > NDdeApi.dll: -, -, -, -
    > ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
    > PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
    > PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
    > REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
    > RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
    > Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
    > SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
    > USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
    > USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
    > VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
    > WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
    > WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
    > WS2_32.dll: -, -, getaddrinfo

    ( 0 exports )
    ThreatExpert info: http://www.threatexpert.com/report.a...9f04118870003e

    Antivirus Version Last Update Result
    AhnLab-V3 2008.12.19.0 2008.12.18 -
    AntiVir 7.9.0.45 2008.12.18 -
    Authentium 5.1.0.4 2008.12.18 -
    Avast 4.8.1281.0 2008.12.18 -
    AVG 8.0.0.199 2008.12.18 -
    BitDefender 7.2 2008.12.18 -
    CAT-QuickHeal 10.00 2008.12.18 -
    ClamAV 0.94.1 2008.12.18 -
    Comodo 771 2008.12.17 -
    DrWeb 4.44.0.09170 2008.12.18 -
    eSafe 7.0.17.0 2008.12.18 -
    eTrust-Vet 31.6.6267 2008.12.18 -
    Ewido 4.0 2008.12.18 -
    F-Prot 4.4.4.56 2008.12.18 -
    F-Secure 8.0.14332.0 2008.12.18 -
    Fortinet 3.117.0.0 2008.12.18 -
    GData 19 2008.12.18 -
    Ikarus T3.1.1.45.0 2008.12.18 -
    K7AntiVirus 7.10.557 2008.12.18 -
    Kaspersky 7.0.0.125 2008.12.18 -
    McAfee 5468 2008.12.18 -
    McAfee+Artemis 5468 2008.12.18 -
    Microsoft 1.4205 2008.12.18 -
    NOD32 3704 2008.12.18 -
    Norman 5.80.02 2008.12.18 -
    Panda 9.0.0.4 2008.12.18 -
    PCTools 4.4.2.0 2008.12.18 -
    Prevx1 V2 2008.12.18 -
    Rising 21.08.32.00 2008.12.18 -
    SecureWeb-Gateway 6.7.6 2008.12.18 -
    Sophos 4.37.0 2008.12.18 -
    Sunbelt 3.2.1801.2 2008.12.10 -
    Symantec 10 2008.12.18 -
    TheHacker 6.3.1.4.191 2008.12.17 -
    TrendMicro 8.700.0.1004 2008.12.18 -
    VBA32 3.12.8.10 2008.12.18 -
    ViRobot 2008.12.18.1525 2008.12.18 -
    VirusBuster 4.5.11.0 2008.12.18 -
    Additional information
    File size: 507904 bytes
    MD5...: 3969440ba384d35317dbbdeeaae641ce
    SHA1..: c87bb53e5dd5258e80df74ebd4f68aef193ea5af
    SHA256: 80ec02f1c71f5249c0976b4ea96d9622899fca5591d47d87d4edc1897387c8f7
    SHA512: 83830b5ed4f8bbed97065c892b98a98ac05cdd966f487c4c7faa3a19ef6ea857
    c3935d1808d63cfd126c89e3295bade122afee5a3e14259da9ff437ab6249ccf
    ssdeep: 6144:kNZlxEdL5RvGlcHJ37newMLao6nMnKHOD13XRnCfOVSePfLtisgZYl:jdz+
    lc3Kao6nSKHsRqOMgxZg
    PEiD..: -
    TrID..: File type identification
    Win64 Executable Generic (80.9%)
    Win32 Executable Generic (8.0%)
    Win32 Dynamic Link Library (generic) (7.1%)
    Generic Win/DOS Executable (1.8%)
    DOS Executable Generic (1.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x103e5e1
    timedatestamp.....: 0x48027549 (Sun Apr 13 21:04:09 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x70991 0x70a00 6.82 8b92c0dadae385ba7a05299c9a7cafbf
    .data 0x72000 0x4e70 0x2000 6.28 44bd27282514b5e3a27b570106930d8d
    .rsrc 0x77000 0x9020 0x9200 3.62 8b50f3590d97bb27639f10bacbc53187

    ( 20 imports )
    > ADVAPI32.dll: ConvertStringSecurityDescriptorToSecurityDescriptorA, A_SHAInit, A_SHAUpdate, A_SHAFinal, LsaStorePrivateData, LsaRetrievePrivateData, LsaNtStatusToWinError, CryptGetUserKey, CryptGetKeyParam, CryptEncrypt, CryptSetProvParam, CryptSignHashW, CryptDeriveKey, CryptGetProvParam, RegOpenCurrentUser, RegDeleteKeyW, AddAccessAllowedAceEx, RegSetKeySecurity, I_ScSendTSMessage, MD5Init, MD5Update, MD5Final, SetFileSecurityA, AllocateLocallyUniqueId, LsaOpenPolicy, LsaQueryInformationPolicy, LsaFreeMemory, LsaClose, RegNotifyChangeKeyValue, QueryServiceConfigW, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, RegEnumKeyExW, GetCurrentHwProfileW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, FreeSid, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, AddAccessAllowedAce, InitializeAcl, GetLengthSid, AllocateAndInitializeSid, RegOpenKeyExW, CreateProcessAsUserW, DuplicateTokenEx, CloseServiceHandle, ControlService, StartServiceW, QueryServiceStatus, OpenServiceW, OpenSCManagerW, EqualSid, GetTokenInformation, RegSetValueExW, RegCreateKeyExW, CryptGenRandom, CryptDestroyHash, CryptVerifySignatureW, CryptSetHashParam, CryptGetHashParam, CryptHashData, CryptCreateHash, CryptDecrypt, ReportEventW, RegisterEventSourceW, CryptImportKey, CryptAcquireContextW, CryptReleaseContext, CryptDestroyKey, RegEnumValueW, RegQueryInfoKeyW, RegDeleteValueW, CredFree, CredDeleteW, CredEnumerateW, CopySid, GetSidLengthRequired, GetSidSubAuthority, GetSidSubAuthorityCount, GetUserNameW, OpenThreadToken, EnumServicesStatusW, ImpersonateLoggedOnUser, RegQueryValueExA, CheckTokenMembership, DeregisterEventSource, LsaGetUserName, RevertToSelf, LookupAccountSidW, IsValidSid, SetTokenInformation, LogonUserW, LookupAccountNameW, OpenProcessToken, SynchronizeWindows31FilesAndWindowsNTRegistry, QueryWindows31FilesMigration, AdjustTokenPrivileges, RegQueryInfoKeyA
    > AUTHZ.dll: AuthzInitializeResourceManager, AuthzAccessCheck, AuthziFreeAuditEventType, AuthziInitializeAuditEvent, AuthziInitializeAuditParams, AuthziInitializeAuditEventType, AuthziLogAuditEvent, AuthzFreeAuditEvent, AuthzFreeResourceManager, AuthzFreeHandle
    > CRYPT32.dll: CryptImportPublicKeyInfo, CryptVerifyMessageSignature, CertCreateCertificateContext, CertSetCertificateContextProperty, CertVerifyCertificateChainPolicy, CryptSignMessage, CertCloseStore, CertComparePublicKeyInfo, CryptExportPublicKeyInfo, CertFindExtension, CryptDecryptMessage, CertGetCertificateContextProperty, CertAddCertificateContextToStore, CertOpenStore, CertVerifySubjectCertificateContext, CertGetIssuerCertificateFromStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertEnumCertificatesInStore, CryptImportPublicKeyInfoEx
    > GDI32.dll: RemoveFontResourceW, AddFontResourceW
    > KERNEL32.dll: WTSGetActiveConsoleSessionId, GetTimeFormatW, GetUserDefaultLCID, FileTimeToSystemTime, FileTimeToLocalFileTime, GetProcAddress, LoadLibraryW, GetModuleHandleW, SystemTimeToFileTime, GetSystemTime, SetLastError, TerminateProcess, GetCurrentProcess, CreateTimerQueueTimer, CreateThread, lstrcpynW, GetShortPathNameW, GetProfileStringW, FreeLibrary, ReleaseSemaphore, CreateSemaphoreW, GetSystemInfo, GetComputerNameW, GetEnvironmentVariableW, WaitForSingleObjectEx, LoadResource, FindResourceW, SetThreadExecutionState, DeleteTimerQueueTimer, ResetEvent, GetSystemDirectoryW, TransactNamedPipe, SetNamedPipeHandleState, GetTickCount, CreateFileW, GlobalGetAtomNameW, VirtualLock, VirtualQuery, GetDriveTypeW, Beep, ExpandEnvironmentStringsW, OpenMutexW, QueueUserWorkItem, LeaveCriticalSection, EnterCriticalSection, DisconnectNamedPipe, SearchPathW, lstrcatW, LocalReAlloc, TerminateThread, ResumeThread, GetDiskFreeSpaceExW, GlobalMemoryStatusEx, DeleteFileW, WriteProfileStringW, ReadFile, FindVolumeClose, FindNextVolumeW, FindFirstVolumeW, FormatMessageW, SetPriorityClass, MoveFileExW, WaitForMultipleObjectsEx, GetExitCodeProcess, SleepEx, InterlockedExchange, FindClose, FindFirstFileW, GetWindowsDirectoryW, SetTimerQueueTimer, GetComputerNameA, GetVersionExW, VerSetConditionMask, WriteFile, WaitNamedPipeW, WaitForMultipleObjects, ConnectNamedPipe, GetVersionExA, DuplicateHandle, OpenProcess, GetOverlappedResult, lstrcmpW, SetEnvironmentVariableW, UnregisterWait, CreateNamedPipeW, CreateRemoteThread, CreateActCtxW, GetModuleFileNameW, ExitProcess, LoadLibraryExW, SetErrorMode, SetUnhandledExceptionFilter, GetPrivateProfileStringW, LocalSize, VirtualAlloc, VirtualQueryEx, DebugBreak, CreateFileA, InitializeCriticalSection, ProcessIdToSessionId, SetInformationJobObject, AssignProcessToJobObject, TerminateJobObject, PostQueuedCompletionStatus, PulseEvent, GetQueuedCompletionStatus, CreateIoCompletionPort, CreateJobObjectW, ActivateActCtx, DeactivateActCtx, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetSystemTimeAsFileTime, UnhandledExceptionFilter, GetModuleHandleA, GetStartupInfoA, GetCurrentProcessId, SetThreadPriority, GetCurrentThreadId, lstrcmpiW, GetProfileIntW, LoadLibraryExA, lstrcpyW, lstrlenW, Sleep, LocalAlloc, CreateEventW, GetExitCodeThread, SetThreadAffinityMask, GetProcessAffinityMask, CreateWaitableTimerW, CreateMutexW, OpenEventW, RegisterWaitForSingleObject, WaitForSingleObject, CreateProcessW, SetWaitableTimer, ReleaseMutex, SetEvent, UnregisterWaitEx, CloseHandle, lstrlenA, lstrcpyA, MultiByteToWideChar, GetACP, WideCharToMultiByte, HeapAlloc, GetProcessHeap, HeapFree, lstrcpynA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, lstrcmpiA, GetFileSize, SetFilePointer, GlobalAlloc, GlobalFree, GetLastError, LocalFree, lstrcatA, lstrcmpA, GetLogicalDriveStringsA, GetDriveTypeA, GetVolumeInformationW, GlobalMemoryStatus, CreateMutexA, FindResourceExW, LockResource, SizeofResource, VerifyVersionInfoW, GetSystemDirectoryA, GetCurrentThread, DelayLoadFailureHook, BaseInitAppcompatCacheSupport, OpenProfileUserMapping, CloseProfileUserMapping, BaseCleanupAppcompatCacheSupport, InitializeCriticalSectionAndSpinCount, VirtualProtect, CreateEventA, TlsSetValue, TlsGetValue, DeleteCriticalSection, TlsAlloc, VirtualFree, TlsFree
    > msvcrt.dll: wcslen, _vsnwprintf, wcsncpy, wcsstr, atoi, wcstok, memmove, wcschr, swprintf, swscanf, _local_unwind2, _wcslwr, wcscmp, _snwprintf, malloc, _c_exit, _exit, _XcptFilter, _cexit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __3@YAXPAX@Z, __2@YAPAXI@Z, __CxxFrameHandler, _itow, _snprintf, _wtol, _strnicmp, sscanf, wcstombs, sprintf, strchr, strncmp, atof, _ftol, isspace, wcscpy, _controlfp, wcsncmp, _wcsupr, ceil, wcscat, _except_handler3, free, _wcsicmp
    > NDdeApi.dll: -, -, -, -
    > ntdll.dll: RtlSubAuthoritySid, RtlAllocateHeap, NtPowerInformation, NtSetSystemPowerState, NtRaiseHardError, RtlDeleteCriticalSection, NtOpenSymbolicLinkObject, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, NtLockProductActivationKeys, RtlTimeToTimeFields, NtUnmapViewOfSection, NtMapViewOfSection, NtOpenSection, NtQuerySymbolicLinkObject, NtQueryVolumeInformationFile, NtSetSecurityObject, RtlAdjustPrivilege, NtOpenFile, NtFsControlFile, RtlAllocateAndInitializeSid, RtlDestroyEnvironment, RtlFreeHeap, NtQueryInformationToken, NtShutdownSystem, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlInitializeCriticalSection, RtlCreateEnvironment, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeString, NtOpenKey, NtQueryValueKey, RtlInitializeSid, RtlLengthRequiredSid, NtAllocateLocallyUniqueId, RtlGetDaclSecurityDescriptor, RtlCopySid, RtlLengthSid, NtSetInformationThread, NtDuplicateToken, NtDuplicateObject, RtlEqualSid, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, NtClose, RtlOpenCurrentUser, RtlAddAce, RtlCreateAcl, RtlNtStatusToDosError, NtSetInformationProcess, NtQuerySystemInformation, NtCreateEvent, NtCreatePagingFile, RtlDosPathNameToNtPathName_U, RtlRegisterWait, NtSetValueKey, NtCreateKey, RtlTimeToSecondsSince1980, NtQuerySystemTime, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtOpenProcessToken, RtlInitString, RtlUnhandledExceptionFilter, NtQueryInformationProcess, DbgBreakPoint, RtlCheckProcessParameters, RtlSetThreadIsCritical, RtlSetProcessIsCritical, RtlGetNtProductType, NtInitiatePowerAction, DbgPrint, NtFilterToken, NtQueryInformationJobObject, NtOpenEvent, RtlGetAce, RtlQueryInformationAcl, NtQuerySecurityObject, RtlCompareUnicodeString, NtOpenDirectoryObject
    > PROFMAP.dll: InitializeProfileMappingApi, RemapAndMoveUserW
    > PSAPI.DLL: EnumProcesses, EnumProcessModules, GetModuleBaseNameW
    > REGAPI.dll: RegDefaultUserConfigQueryW, RegUserConfigQuery
    > RPCRT4.dll: RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcImpersonateClient, I_RpcMapWin32Status, RpcServerRegisterIf, RpcGetAuthorizationContextForClient, RpcFreeAuthorizationContext, RpcServerListen, RpcRevertToSelf, NdrServerCall2, UuidCreate
    > Secur32.dll: LsaCallAuthenticationPackage, GetUserNameExW, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess
    > SETUPAPI.dll: SetupDiDestroyDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupDiGetDeviceRegistryPropertyW
    > USER32.dll: SetFocus, EnumWindows, CreateWindowStationW, RegisterLogonProcess, RecordShutdownReason, LoadLocalFonts, UnhookWindowsHook, SetWindowsHookW, GetWindowTextW, CallNextHookEx, DialogBoxParamW, GetWindowPlacement, GetSystemMenu, DeleteMenu, SetWindowPlacement, SetUserObjectInformationW, GetAsyncKeyState, PostThreadMessageW, SetUserObjectSecurity, CreateDesktopW, GetMessageTime, SetTimer, SetLogonNotifyWindow, UnlockWindowStation, ReplyMessage, UnregisterHotKey, RegisterHotKey, OpenInputDesktop, GetUserObjectInformationW, CloseDesktop, RegisterDeviceNotificationW, SetThreadDesktop, CreateWindowExW, GetMessageW, TranslateMessage, RegisterWindowMessageW, RegisterClassW, SetCursor, FindWindowW, MessageBoxW, SendNotifyMessageW, PostQuitMessage, MsgWaitForMultipleObjects, GetWindowRect, GetSystemMetrics, PeekMessageW, DispatchMessageW, KillTimer, SetProcessWindowStation, UpdateWindow, ShowWindow, SetWindowPos, PostMessageW, ExitWindowsEx, EnumDisplayMonitors, SystemParametersInfoW, GetDlgItem, SendMessageW, CreateDialogParamW, DestroyWindow, GetWindowLongW, GetDlgItemTextW, EndDialog, SetWindowLongW, LoadStringW, SetWindowTextW, SetDlgItemTextW, wsprintfW, wsprintfA, LockWindowStation, MBToWCSEx, SetWindowStationUser, UpdatePerUserSystemParameters, DialogBoxIndirectParamW, wvsprintfW, SetLastErrorEx, LoadCursorW, CheckDlgButton, IsDlgButtonChecked, DefWindowProcW, CloseWindowStation, LoadImageW, GetParent, GetKeyState, GetDesktopWindow, SetForegroundWindow, SwitchDesktop, OpenDesktopW
    > USERENV.dll: -, WaitForUserPolicyForegroundProcessing, GetAllUsersProfileDirectoryW, -, -, -, WaitForMachinePolicyForegroundProcessing, -, -, -, UnloadUserProfile, LoadUserProfileW, -, RegisterGPNotification, CreateEnvironmentBlock, DestroyEnvironmentBlock, UnregisterGPNotification, GetUserProfileDirectoryW
    > VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
    > WINSTA.dll: WinStationRequestSessionsList, WinStationQueryLogonCredentialsW, WinStationIsHelpAssistantSession, WinStationAutoReconnect, _WinStationWaitForConnect, _WinStationNotifyLogoff, WinStationDisconnect, _WinStationCallback, WinStationNameFromLogonIdW, _WinStationFUSCanRemoteUserDisconnect, WinStationEnumerate_IndexedW, WinStationGetMachinePolicy, WinStationQueryInformationW, WinStationFreeMemory, WinStationReset, _WinStationNotifyDisconnectPipe, WinStationConnectW, WinStationSetInformationW, WinStationShutdownSystem, WinStationCheckLoopBack, _WinStationNotifyLogon
    > WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATCatalogInfoFromContext, CryptCATAdminCalcHashFromFileHandle, CryptCATAdminAcquireContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, WTHelperGetProvSignerFromChain, CryptCATAdminReleaseContext
    > WS2_32.dll: -, -, getaddrinfo

    ( 0 exports )
    ThreatExpert info: http://www.threatexpert.com/report.a...dbbdeeaae641ce
    CWSandbox info: http://research.sunbelt-software.com...dbbdeeaae641ce

  4. #14
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Yes, you don't have it because ComboFix quarantined it.

    I just asked if you recognize those file names from my list.

    Please also re-run ComboFix and post back its log and a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #15
    Member
    Join Date
    Dec 2008
    Posts
    33

    Default

    ComboFix first:

    ComboFix 08-12-18.03 - Dad 2008-12-19 15:27:27.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.329 [GMT -5:00]
    Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
    .

    2008-12-19 15:25 . 2008-12-19 15:26 <DIR> d-------- C:\32788R22FWJFW
    2008-12-18 23:07 . 2008-12-18 23:07 1,661,209 --ahs---- c:\windows\system32\uaiujchk.ini
    2008-12-16 19:12 . 2008-12-16 19:12 <DIR> d-------- c:\program files\Trend Micro
    2008-12-06 10:34 . 2008-12-06 10:34 <DIR> d-------- c:\program files\Mayoko
    2008-11-27 22:13 . 2008-11-27 22:13 <DIR> d-------- c:\program files\iTunes
    2008-11-27 22:13 . 2008-11-27 22:13 <DIR> d-------- c:\program files\iPod
    2008-11-27 21:59 . 2008-11-27 21:59 <DIR> d-------- c:\program files\Windows Installer Clean Up
    2008-11-27 21:58 . 2008-11-27 21:58 <DIR> d-------- c:\program files\MSECACHE
    2008-11-27 21:00 . 2008-11-27 22:20 <DIR> d-------- c:\documents and settings\Dad\Application Data\Amazon
    2008-11-27 20:59 . 2008-11-27 22:20 <DIR> d-------- c:\program files\Amazon
    2008-11-26 16:43 . 2008-11-26 16:44 <DIR> d-------- c:\documents and settings\Dad\Application Data\vlc
    2008-11-24 16:35 . 2008-11-24 16:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-24 16:32 . 2008-11-24 16:33 <DIR> d-------- c:\program files\QuickTime
    2008-11-24 16:24 . 2008-11-24 16:24 2,274 --a------ c:\windows\system32\TDSSdxgp.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-19 19:48 --------- d-----w c:\program files\plugins
    2008-12-19 17:44 --------- d-----w c:\program files\Symantec AntiVirus
    2008-12-19 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-12-19 17:15 --------- d-----w c:\documents and settings\Dad\Application Data\Apple Computer
    2008-12-18 20:32 --------- d-----w c:\program files\Eraser
    2008-12-18 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-18 04:53 --------- d-----w c:\documents and settings\Dad\Application Data\Free Download Manager
    2008-12-07 04:59 89 ----a-w C:\drmHeader.bin
    2008-11-28 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-11-28 02:49 --------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer
    2008-11-24 21:31 --------- d-----w c:\program files\Common Files\Apple
    2008-11-10 04:15 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-10 02:38 31,240 ----a-w c:\windows\Sysvxd.exe
    2008-11-09 14:31 --------- d-----w c:\program files\DivX
    2008-11-06 14:29 --------- d-----w c:\documents and settings\Dad\Application Data\Orbit
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
    2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
    2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
    2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
    2008-10-28 21:32 --------- d-----w c:\documents and settings\Dad\Application Data\GRETECH
    2008-10-28 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\GRETECH
    2008-10-28 14:49 --------- d-----w c:\program files\GRETECH
    2008-10-26 13:48 7,722,488 ----a-w c:\program files\CryptLoad.exe
    2008-10-25 01:35 --------- d-----w c:\documents and settings\Dad\Application Data\Newsbin
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-24 02:15 --------- d-----w c:\documents and settings\LocalService\Application Data\GrabPro
    2008-10-24 02:05 161 ----a-w c:\documents and settings\Dad\xrt_log.dat
    2008-10-24 01:37 295,424 ----a-w c:\windows\system32\termsrv.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 01:00 666,112 ----a-w c:\windows\system32\dllcache\wininet.dll
    2008-10-16 01:00 619,520 ----a-w c:\windows\system32\dllcache\urlmon.dll
    2008-10-16 01:00 3,067,904 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-10-16 01:00 1,499,136 ----a-w c:\windows\system32\dllcache\shdocvw.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
    2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
    2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
    2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
    2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
    2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
    2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
    2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
    2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
    2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
    2007-10-27 02:20 143,360 ----a-w c:\program files\RouterClient.exe
    2007-10-15 05:54 6,013,987 ----a-w c:\program files\Common Files\WUSB54GS_20050428.exe
    2007-09-24 00:07 0 ----a-w c:\documents and settings\Dad\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=xorxhb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=c:\windows\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
    backup=c:\windows\pss\Orbit.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 16:01 67584 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
    --a------ 2007-09-18 22:35 2445359 c:\program files\Free Download Manager\fdm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    --a------ 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-01-24 21:15 7311360 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --------- 2005-07-22 17:14 237568 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --------- 2004-12-13 21:23 663552 c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-12-01 15:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    --a------ 2007-03-11 16:37 936960 c:\program files\verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCMTR]
    --a------ 2005-05-03 20:43 69632 c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --a------ 2005-08-02 18:19 77312 c:\windows\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-01-24 21:15 1519616 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2006-03-08 06:54 16010240 c:\windows\RTHDCPL.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "nah_Shell"=c:\documents and settings\Dad\nah_tjwm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "2088848b"=rundll32.exe "c:\windows\system32\xrvbjmmy.dll",b
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "vptray"=c:\progra~1\SYMANT~1\VPTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Free Download Manager\\fdm.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51755:TCP"= 51755:TCP:*:Disabled:Emule Incoming
    "64982:UDP"= 64982:UDP:*:Disabled:Emule Up

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
    R2 WUSB54GSSVC;WUSB54GSSVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe" [2007-10-15 41025]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-10 99376]
    S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45093754-5728-11dc-947e-0017318c8036}]
    \Shell\AutoRun\command - j:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0972778-7ae3-11dc-949e-0017318c8036}]
    \Shell\AutoRun\command - L:\Installer.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: *.amaena.com
    Trusted Zone: *.avsystemcare.com
    Trusted Zone: *.blackboard.com
    Trusted Zone: *.onerateld.com
    Trusted Zone: *.safetydownload.com
    Trusted Zone: *.trustedantivirus.com
    Trusted Zone: *.virusschlacht.com
    Trusted Zone: *.wcu.edu
    FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\25koxfub.default\
    FF - prefs.js: browser.startup.homepage - www.ajc.com
    FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-19 15:31:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-19 15:33:32
    ComboFix-quarantined-files.txt 2008-12-19 20:32:23
    ComboFix2.txt 2008-12-19 18:00:14

    Pre-Run: 84,608,327,680 bytes free
    Post-Run: 84,544,999,424 bytes free

    233 --- E O F --- 2008-12-12 08:01:53

  6. #16
    Member
    Join Date
    Dec 2008
    Posts
    33

    Default

    Now HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:36:22 PM, on 12/19/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Eraser\eraser.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CryptLoad.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\ComboFix\hidec.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\notepad.exe
    C:\ComboFix\Catchme.tmp
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\proffish4898.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.blackboard.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.wcu.edu
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O20 - AppInit_DLLs: xorxhb.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

    --
    End of file - 7932 bytes

  7. #17
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Open Notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    c:\windows\system32\TDSSdxgp.dll
    c:\windows\system32\uaiujchk.ini
    
    Registry::
    Trusted Zone: *.amaena.com
    Trusted Zone: *.avsystemcare.com
    Trusted Zone: *.blackboard.com
    Trusted Zone: *.onerateld.com
    Trusted Zone: *.safetydownload.com
    Trusted Zone: *.trustedantivirus.com
    Trusted Zone: *.virusschlacht.com
    Trusted Zone: *.wcu.edu
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-

    Save this as "CFScript".

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
    If that happened we want to know, and also which process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

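    The triage the helper did by hand above (pick the suspicious files and registry entries out of the ComboFix and HijackThis logs, then write the CFScript), as an added example that is not part of the original thread, of ComboFix or of HijackThis. It parses a few lines copied from the logs posted above (constructed sample input), reports every O15 Trusted Zone entry, the O20 AppInit_DLLs value, Security Center DisableNotify values set to 1, and rows from ComboFix's "Files Created" section that carry hidden+system attributes or a TDSS* name, and renders a draft CFScript in the same layout as the helper's script. The two file heuristics, the function names and the sample strings are this example's own assumptions, not anything the tools or the helper define.

```python
import re

# Added example, not ComboFix/HijackThis code. Heuristics and names below are
# the example's own assumptions.

# Constructed sample input: lines copied from the HijackThis log in post #16.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.blackboard.com
O20 - AppInit_DLLs: xorxhb.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed sample input: lines copied from the "Files Created" and
# "Reg Loading Points" sections of the ComboFix log in post #15.
SAMPLE_COMBOFIX_LOG = r"""
2008-12-18 23:07 . 2008-12-18 23:07 1,661,209 --ahs---- c:\windows\system32\uaiujchk.ini
2008-12-16 19:12 . 2008-12-16 19:12 <DIR> d-------- c:\program files\Trend Micro
2008-11-24 16:24 . 2008-11-24 16:24 2,274 --a------ c:\windows\system32\TDSSdxgp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# ComboFix "Files Created" row: created . modified size attrs(9 chars) path
CF_FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$"
)
SC_NOTIFY = re.compile(r'^"(?P<name>\w+DisableNotify)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def hjt_entries(text):
    """Yield (section, body) for every HijackThis Oxx / Rx line."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def trusted_zones(text):
    """All O15 Trusted Zone patterns. Every one is reported: the Trusted sites
    zone runs with weaker IE security settings, so each entry needs a decision."""
    return [body.split(":", 1)[1].strip() for sec, body in hjt_entries(text)
            if sec == "O15" and body.startswith("Trusted Zone:")]


def appinit_dlls(text):
    """DLL names from O20 AppInit_DLLs (loaded into every process that links
    user32.dll, a well-known persistence point)."""
    dlls = []
    for sec, body in hjt_entries(text):
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            dlls += [d for d in re.split(r"[,\s]+", body.split(":", 1)[1]) if d]
    return dlls


def suspicious_created_files(text):
    """Non-directory 'Files Created' rows with hidden+system attributes or a
    TDSS* name (the naming used by the TDSS/TDL rootkit family).
    Assumption: both heuristics are the example's own, not ComboFix's."""
    hits = []
    for line in text.splitlines():
        m = CF_FILE_LINE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        attrs, path = m.group("attrs"), m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        if ("h" in attrs and "s" in attrs) or name.startswith("tdss"):
            hits.append(path)
    return hits


def security_center_notify_disabled(text):
    """Security Center *DisableNotify values set to 1 (the user is no longer
    warned that antivirus or updates are off)."""
    names = []
    for line in text.splitlines():
        m = SC_NOTIFY.match(line.strip())
        if m and int(m.group("val"), 16) == 1:
            names.append(m.group("name"))
    return names


def build_cfscript(files, zones, dlls):
    """Render a CFScript in the layout of the helper's post: a File:: section,
    then Registry:: with the Trusted Zone lines and, if AppInit_DLLs was
    populated, the value deleted with the REGEDIT4 '=-' syntax."""
    out = ["File::", *files, "", "Registry::"]
    out += [f"Trusted Zone: {z}" for z in zones]
    if dlls:
        out += ["", r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
                '"AppInit_DLLs"=-']
    return "\n".join(out) + "\n"


def triage(hjt_text, cf_text):
    """Collect the indicators and the draft script in one dict."""
    files = suspicious_created_files(cf_text)
    zones = trusted_zones(hjt_text)
    dlls = appinit_dlls(hjt_text)
    return {"files": files, "trusted_zones": zones, "appinit_dlls": dlls,
            "notify_disabled": security_center_notify_disabled(cf_text),
            "cfscript": build_cfscript(files, zones, dlls)}


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG, SAMPLE_COMBOFIX_LOG)
    for key in ("files", "trusted_zones", "appinit_dlls", "notify_disabled"):
        print(f"{key}: {result[key]}")
    print(result["cfscript"])
```

    The output is a draft for a person to read before it is saved as CFScript.txt and dragged onto ComboFix.exe, not something to run blind: the script lists every Trusted Zone entry, including ones like *.blackboard.com and *.wcu.edu that the helper also removed, because a Trusted Zone entry weakens IE's settings for that site whoever owns it, and the file heuristics will miss anything that is neither hidden+system nor TDSS-named (the random-looking rundll32 entries under run- in the log are left for the reader to judge).
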
  8. #18
    Member
    Join Date
    Dec 2008
    Posts
    33

    Default

    ComboFix first, then HijackThis:

    ComboFix 08-12-18.03 - Dad 2008-12-20 10:04:48.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.376 [GMT -5:00]
    Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dad\Desktop\ComboFix.exe c:\documents and settings\Dad\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
    .

    2008-12-20 10:03 . 2008-12-20 10:03 <DIR> d-------- C:\32788R22FWJFW
    2008-12-19 22:55 . 2008-12-19 22:55 <DIR> d-------- c:\program files\BitTorrent
    2008-12-19 22:55 . 2008-12-20 03:13 <DIR> d-------- c:\documents and settings\Dad\Application Data\BitTorrent
    2008-12-19 22:48 . 2008-12-20 09:46 <DIR> d-------- c:\program files\DNA
    2008-12-19 22:48 . 2008-12-19 22:48 <DIR> d-------- c:\program files\AskSearch
    2008-12-19 22:48 . 2008-12-19 22:48 <DIR> d-------- c:\program files\AskBarDis
    2008-12-19 22:48 . 2008-12-20 10:06 <DIR> d-------- c:\documents and settings\Dad\Application Data\DNA
    2008-12-19 22:20 . 2008-12-19 22:20 <DIR> d-------- c:\program files\Any Video Converter
    2008-12-19 22:20 . 2008-12-19 23:36 <DIR> d-------- c:\documents and settings\Dad\Application Data\Any Video Converter
    2008-12-16 19:12 . 2008-12-16 19:12 <DIR> d-------- c:\program files\Trend Micro
    2008-12-06 10:34 . 2008-12-06 10:34 <DIR> d-------- c:\program files\Mayoko
    2008-11-27 22:13 . 2008-11-27 22:13 <DIR> d-------- c:\program files\iTunes
    2008-11-27 22:13 . 2008-11-27 22:13 <DIR> d-------- c:\program files\iPod
    2008-11-27 21:59 . 2008-11-27 21:59 <DIR> d-------- c:\program files\Windows Installer Clean Up
    2008-11-27 21:58 . 2008-11-27 21:58 <DIR> d-------- c:\program files\MSECACHE
    2008-11-27 21:00 . 2008-11-27 22:20 <DIR> d-------- c:\documents and settings\Dad\Application Data\Amazon
    2008-11-27 20:59 . 2008-11-27 22:20 <DIR> d-------- c:\program files\Amazon
    2008-11-26 16:43 . 2008-11-26 16:44 <DIR> d-------- c:\documents and settings\Dad\Application Data\vlc
    2008-11-24 16:35 . 2008-11-24 16:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-24 16:32 . 2008-11-24 16:33 <DIR> d-------- c:\program files\QuickTime
    2008-11-24 16:24 . 2008-11-24 16:24 2,274 --a------ c:\windows\system32\TDSSdxgp.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-20 14:57 --------- d-----w c:\documents and settings\Dad\Application Data\Apple Computer
    2008-12-20 08:15 --------- d-----w c:\program files\Symantec AntiVirus
    2008-12-20 08:13 --------- d-----w c:\program files\Eraser
    2008-12-20 03:47 --------- d-----w c:\program files\Free Download Manager
    2008-12-19 19:48 --------- d-----w c:\program files\plugins
    2008-12-19 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-12-18 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-12 17:01 3,067,904 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-12-07 04:59 89 ----a-w C:\drmHeader.bin
    2008-11-28 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-11-28 02:49 --------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer
    2008-11-24 21:31 --------- d-----w c:\program files\Common Files\Apple
    2008-11-10 04:15 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-10 02:38 31,240 ----a-w c:\windows\Sysvxd.exe
    2008-11-09 14:31 --------- d-----w c:\program files\DivX
    2008-11-06 14:29 --------- d-----w c:\documents and settings\Dad\Application Data\Orbit
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
    2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
    2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
    2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
    2008-10-28 21:32 --------- d-----w c:\documents and settings\Dad\Application Data\GRETECH
    2008-10-28 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\GRETECH
    2008-10-28 14:49 --------- d-----w c:\program files\GRETECH
    2008-10-26 13:48 7,722,488 ----a-w c:\program files\CryptLoad.exe
    2008-10-25 01:35 --------- d-----w c:\documents and settings\Dad\Application Data\Newsbin
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-24 02:15 --------- d-----w c:\documents and settings\LocalService\Application Data\GrabPro
    2008-10-24 02:05 161 ----a-w c:\documents and settings\Dad\xrt_log.dat
    2008-10-24 01:37 295,424 ----a-w c:\windows\system32\termsrv.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 01:00 666,112 ----a-w c:\windows\system32\dllcache\wininet.dll
    2008-10-16 01:00 619,520 ----a-w c:\windows\system32\dllcache\urlmon.dll
    2008-10-16 01:00 1,499,136 ----a-w c:\windows\system32\dllcache\shdocvw.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
    2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
    2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
    2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
    2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
    2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
    2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2007-10-27 02:20 143,360 ----a-w c:\program files\RouterClient.exe
    2007-10-15 05:54 6,013,987 ----a-w c:\program files\Common Files\WUSB54GS_20050428.exe
    2007-09-24 00:07 0 ----a-w c:\documents and settings\Dad\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-19_12.58.14.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\system32\mshtml.dll
    + 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-29 17:24 325000 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=xorxhb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=c:\windows\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
    backup=c:\windows\pss\Orbit.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 16:01 67584 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    --a------ 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-01-24 21:15 7311360 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --------- 2005-07-22 17:14 237568 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --------- 2004-12-13 21:23 663552 c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-12-01 15:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    --a------ 2007-03-11 16:37 936960 c:\program files\verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCMTR]
    --a------ 2005-05-03 20:43 69632 c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --a------ 2005-08-02 18:19 77312 c:\windows\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-01-24 21:15 1519616 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2006-03-08 06:54 16010240 c:\windows\RTHDCPL.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "nah_Shell"=c:\documents and settings\Dad\nah_tjwm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "2088848b"=rundll32.exe "c:\windows\system32\xrvbjmmy.dll",b
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "vptray"=c:\progra~1\SYMANT~1\VPTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51755:TCP"= 51755:TCP:*:Disabled:Emule Incoming
    "64982:UDP"= 64982:UDP:*:Disabled:Emule Up

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
    R2 WUSB54GSSVC;WUSB54GSSVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe" [2007-10-15 41025]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-10 99376]
    S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45093754-5728-11dc-947e-0017318c8036}]
    \Shell\AutoRun\command - j:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0972778-7ae3-11dc-949e-0017318c8036}]
    \Shell\AutoRun\command - L:\Installer.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Free Download Manager - c:\program files\Free Download Manager\fdm.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?o=101760&l=dis
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: *.amaena.com
    Trusted Zone: *.avsystemcare.com
    Trusted Zone: *.blackboard.com
    Trusted Zone: *.onerateld.com
    Trusted Zone: *.safetydownload.com
    Trusted Zone: *.trustedantivirus.com
    Trusted Zone: *.virusschlacht.com
    Trusted Zone: *.wcu.edu
    FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\25koxfub.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=101760&l=dis
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
    FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-20 10:08:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-12-20 10:10:46
    ComboFix-quarantined-files.txt 2008-12-20 15:09:42
    ComboFix2.txt 2008-12-19 20:33:34
    ComboFix3.txt 2008-12-19 18:00:14

    Pre-Run: 80,894,132,224 bytes free
    Post-Run: 80,978,313,216 bytes free

    249 --- E O F --- 2008-12-20 08:08:41

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:11:38 AM, on 12/20/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Eraser\eraser.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ComboFix\hidec.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\ComboFix\Catchme.tmp
    C:\Program Files\Trend Micro\HijackThis\proffish4898.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.blackboard.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.wcu.edu
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O20 - AppInit_DLLs: xorxhb.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

    --
    End of file - 7828 bytes
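
The two logs above carry the load points that decide this cleanup: the `O20 - AppInit_DLLs: xorxhb.dll` line (a clean XP install leaves that value empty, and whatever is named there is injected into every process that loads user32.dll), the `O15 - Trusted Zone` additions for several anti-virus-sounding domains (a Trusted Zone entry lowers Internet Explorer's security level for that domain), and the `AntiVirusDisableNotify`, `UpdatesDisableNotify` and `DisableMonitoring` values under the Security Center key, which silence the "no anti-virus / no updates" warnings. The following triage script is an added example for this thread, not code from the poster, the forum, HijackThis or ComboFix: it parses the relevant HijackThis and ComboFix registry lines and flags them. The sample lines are copied from the logs above; the `ROGUE_HINTS` keyword list is a constructed heuristic, not a vendor blocklist.

```python
"""Triage helper for HijackThis and ComboFix log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log in the thread.
SAMPLE_HJT = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.blackboard.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.wcu.edu
O20 - AppInit_DLLs: xorxhb.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed sample input: lines copied from the ComboFix "Reg Loading Points" block.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xorxhb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    line: str      # the log line that triggered the finding
    reason: str


HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.+)$")
# Constructed heuristic: words that rogue "security product" domains tend to use.
ROGUE_HINTS = ("antivirus", "virus", "systemcare", "safety", "security")


def triage_hjt(text):
    """Flag the O20 (AppInit_DLLs) and O15 (Trusted Zone) lines of a HijackThis log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dll = body.partition(":")[2].strip()
            if dll:  # any value at all is suspicious on XP
                findings.append(Finding("high", line,
                    f"AppInit_DLLs injects {dll} into every user32-linked process"))
        elif code == "O15" and body.startswith("Trusted Zone:"):
            domain = body.partition(":")[2].strip().lstrip("*.")
            sev = "high" if any(h in domain.lower() for h in ROGUE_HINTS) else "review"
            findings.append(Finding(sev, line,
                f"Trusted Zone entry lowers IE security for {domain}"))
    return findings


REG_SECTION = re.compile(r"^\[(?P<key>.+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9A-Fa-f]{8})$')
REG_APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<val>.*)$')
# Security Center values that malware sets to hide "unprotected" warnings.
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
    "AntiVirusOverride", "FirewallOverride", "DisableMonitoring",
}


def triage_combofix_reg(text):
    """Flag AppInit_DLLs and Security Center tampering in a REGEDIT4-style ComboFix block."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = REG_SECTION.match(line)
        if sec:
            key = sec.group("key").lower()  # track the current registry key
            continue
        if key.endswith(r"windows nt\currentversion\windows"):
            m = REG_APPINIT.match(line)
            if m and m.group("val").strip():
                findings.append(Finding("high", line,
                    f"AppInit_DLLs = {m.group('val').strip()} under {key}"))
        elif "security center" in key:
            m = REG_DWORD.match(line)
            if m and m.group("name") in SECURITY_CENTER_FLAGS and int(m.group("val"), 16):
                findings.append(Finding("high", line,
                    f"{m.group('name')} silences Security Center under {key}"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT) + triage_combofix_reg(SAMPLE_COMBOFIX)
    for f in found:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(found))
```

Run against the sample lines, the script reports the AppInit_DLLs entry from both logs, the three Security Center values, and all four Trusted Zone domains, rating the two anti-virus-sounding ones "high" and the university and Blackboard entries "review" for the owner to confirm. Keyword matching on domains is only a triage hint; the O15 list still needs a human decision per entry.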

  9. #19
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

It looks like you have installed BitTorrent DNA.

I assume that you will uninstall it if you want to continue cleaning, as it is against forum policy.

After that, please post back a fresh HijackThis log.

Please also tell me whether you copied everything from the codebox to CFScript.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #20
    Member
    Join Date
    Dec 2008
    Posts
    33

    Default

I uninstalled BitTorrent, rebooted, reloaded the script box and reran ComboFix and HJT. Here are the logs:

    ComboFix 08-12-18.03 - Dad 2008-12-20 11:06:06.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.369 [GMT -5:00]
    Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dad\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\system32\TDSSdxgp.dll
    c:\windows\system32\uaiujchk.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\TDSSdxgp.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
    .

    2008-12-19 22:48 . 2008-12-20 11:00 <DIR> d-------- c:\program files\DNA
    2008-12-19 22:48 . 2008-12-19 22:48 <DIR> d-------- c:\program files\AskSearch
    2008-12-19 22:48 . 2008-12-19 22:48 <DIR> d-------- c:\program files\AskBarDis
    2008-12-19 22:48 . 2008-12-20 11:00 <DIR> d-------- c:\documents and settings\Dad\Application Data\DNA
    2008-12-19 22:20 . 2008-12-19 22:20 <DIR> d-------- c:\program files\Any Video Converter
    2008-12-19 22:20 . 2008-12-19 23:36 <DIR> d-------- c:\documents and settings\Dad\Application Data\Any Video Converter
    2008-12-16 19:12 . 2008-12-16 19:12 <DIR> d-------- c:\program files\Trend Micro
    2008-12-06 10:34 . 2008-12-06 10:34 <DIR> d-------- c:\program files\Mayoko
    2008-11-27 22:13 . 2008-11-27 22:13 <DIR> d-------- c:\program files\iTunes
    2008-11-27 22:13 . 2008-11-27 22:13 <DIR> d-------- c:\program files\iPod
    2008-11-27 21:59 . 2008-11-27 21:59 <DIR> d-------- c:\program files\Windows Installer Clean Up
    2008-11-27 21:58 . 2008-11-27 21:58 <DIR> d-------- c:\program files\MSECACHE
    2008-11-27 21:00 . 2008-11-27 22:20 <DIR> d-------- c:\documents and settings\Dad\Application Data\Amazon
    2008-11-27 20:59 . 2008-11-27 22:20 <DIR> d-------- c:\program files\Amazon
    2008-11-26 16:43 . 2008-11-26 16:44 <DIR> d-------- c:\documents and settings\Dad\Application Data\vlc
    2008-11-24 16:35 . 2008-11-24 16:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-24 16:32 . 2008-11-24 16:33 <DIR> d-------- c:\program files\QuickTime

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-20 15:54 --------- d-----w c:\program files\Symantec AntiVirus
    2008-12-20 15:51 --------- d-----w c:\program files\Eraser
    2008-12-20 14:57 --------- d-----w c:\documents and settings\Dad\Application Data\Apple Computer
    2008-12-20 03:47 --------- d-----w c:\program files\Free Download Manager
    2008-12-19 19:48 --------- d-----w c:\program files\plugins
    2008-12-19 17:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-12-18 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-12 17:01 3,067,904 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-12-07 04:59 89 ----a-w C:\drmHeader.bin
    2008-11-28 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-11-28 02:49 --------- d-----w c:\documents and settings\Guest\Application Data\Apple Computer
    2008-11-24 21:31 --------- d-----w c:\program files\Common Files\Apple
    2008-11-10 04:15 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-10 02:38 31,240 ----a-w c:\windows\Sysvxd.exe
    2008-11-09 14:31 --------- d-----w c:\program files\DivX
    2008-11-06 14:29 --------- d-----w c:\documents and settings\Dad\Application Data\Orbit
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
    2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
    2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
    2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
    2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
    2008-10-28 21:32 --------- d-----w c:\documents and settings\Dad\Application Data\GRETECH
    2008-10-28 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\GRETECH
    2008-10-28 14:49 --------- d-----w c:\program files\GRETECH
    2008-10-26 13:48 7,722,488 ----a-w c:\program files\CryptLoad.exe
    2008-10-25 01:35 --------- d-----w c:\documents and settings\Dad\Application Data\Newsbin
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-24 02:15 --------- d-----w c:\documents and settings\LocalService\Application Data\GrabPro
    2008-10-24 02:05 161 ----a-w c:\documents and settings\Dad\xrt_log.dat
    2008-10-24 01:37 295,424 ----a-w c:\windows\system32\termsrv.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
    2008-10-16 01:00 666,112 ----a-w c:\windows\system32\dllcache\wininet.dll
    2008-10-16 01:00 619,520 ----a-w c:\windows\system32\dllcache\urlmon.dll
    2008-10-16 01:00 1,499,136 ----a-w c:\windows\system32\dllcache\shdocvw.dll
    2008-10-15 16:34 337,408 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
    2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
    2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
    2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
    2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
    2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
    2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
    2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2007-10-27 02:20 143,360 ----a-w c:\program files\RouterClient.exe
    2007-10-15 05:54 6,013,987 ----a-w c:\program files\Common Files\WUSB54GS_20050428.exe
    2007-09-24 00:07 0 ----a-w c:\documents and settings\Dad\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-19_12.58.14.57 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-16 01:00:11 3,067,904 ----a-w c:\windows\system32\mshtml.dll
    + 2008-12-12 17:01:00 3,067,904 ----a-w c:\windows\system32\mshtml.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-09-29 17:24 325000 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=c:\windows\pss\Google Updater.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
    backup=c:\windows\pss\Orbit.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-11-07 14:16 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-09-29 16:01 67584 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    --a------ 1998-05-07 11:04 52736 c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2006-01-24 21:15 7311360 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --------- 2005-07-22 17:14 237568 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    --------- 2004-12-13 21:23 663552 c:\windows\CREATOR\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-12-01 15:04 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    --a------ 2007-03-11 16:37 936960 c:\program files\verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCMTR]
    --a------ 2005-05-03 20:43 69632 c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --a------ 2005-08-02 18:19 77312 c:\windows\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2006-01-24 21:15 1519616 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    --a------ 2006-03-08 06:54 16010240 c:\windows\RTHDCPL.EXE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "nah_Shell"=c:\documents and settings\Dad\nah_tjwm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "2088848b"=rundll32.exe "c:\windows\system32\xrvbjmmy.dll",b
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "vptray"=c:\progra~1\SYMANT~1\VPTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "51755:TCP"= 51755:TCP:*:Disabled:Emule Incoming
    "64982:UDP"= 64982:UDP:*:Disabled:Emule Up

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
    R2 WUSB54GSSVC;WUSB54GSSVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GS.exe" [2007-10-15 41025]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-10 99376]
    S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45093754-5728-11dc-947e-0017318c8036}]
    \Shell\AutoRun\command - j:\wd_windows_tools\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0972778-7ae3-11dc-949e-0017318c8036}]
    \Shell\AutoRun\command - L:\Installer.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?o=101760&l=dis
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: *.amaena.com
    Trusted Zone: *.avsystemcare.com
    Trusted Zone: *.blackboard.com
    Trusted Zone: *.onerateld.com
    Trusted Zone: *.safetydownload.com
    Trusted Zone: *.trustedantivirus.com
    Trusted Zone: *.virusschlacht.com
    Trusted Zone: *.wcu.edu
    FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\25koxfub.default\
    FF - prefs.js: browser.search.selectedEngine - Ask
    FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=101760&l=dis
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
    FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-20 11:07:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-12-20 11:09:10
    ComboFix-quarantined-files.txt 2008-12-20 16:07:53
    ComboFix2.txt 2008-12-20 15:10:48
    ComboFix3.txt 2008-12-19 20:33:34
    ComboFix4.txt 2008-12-19 18:00:14

    Pre-Run: 84,000,145,408 bytes free
    Post-Run: 83,981,701,120 bytes free

    245 --- E O F --- 2008-12-20 08:08:41
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:11:38 AM, on 12/20/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GS.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Eraser\eraser.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ComboFix\hidec.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\ComboFix\Catchme.tmp
    C:\Program Files\Trend Micro\HijackThis\proffish4898.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101760&l=dis
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.blackboard.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.wcu.edu
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O20 - AppInit_DLLs: xorxhb.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: WUSB54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

    --
    End of file - 7828 bytes
