Thread: I have several trojans, please help.

  1. #1
    Junior Member
    Join Date
    Nov 2008
    Posts
    14

    I have several trojans, please help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:46:18 AM, on 3/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\skull\Desktop\HiJackThis\smartscanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uedit32.exe,C:\WINDOWS\system32\symstore.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1229559034382
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

    --
    End of file - 4236 bytes
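    The F2 line in the HijackThis log above lists two executables alongside the stock userinit.exe in the UserInit value, and every path in that value is started by winlogon at each interactive logon, so it is one of the first entries a helper reads. As an added example (not part of this thread, and not HijackThis's own code), the following Python script parses HijackThis entries by their section code and reports any UserInit path other than C:\WINDOWS\system32\userinit.exe, plus the O4 autostart entries, for review. The sample lines are copied from the log above; the expected-path constant assumes Windows is installed at C:\WINDOWS, as the running-processes list shows.

```python
import re
from typing import Dict, List

# Constructed sample: four entries copied from the HijackThis log in post #1 above
# (raw string, so the Windows paths need no escaping).
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uedit32.exe,C:\WINDOWS\system32\symstore.exe,
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, F2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")

# Assumption: Windows lives at C:\WINDOWS, as the "Running processes" list in the log shows.
# On XP this exact path (with a trailing comma) is the stock UserInit value.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_hjt(log_text: str) -> Dict[str, List[str]]:
    """Group HijackThis entries by section code; non-entry lines (headers, processes) are skipped."""
    sections: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            sections.setdefault(match.group("code"), []).append(match.group("body"))
    return sections


def userinit_entries(body: str) -> List[str]:
    """Split the value of an F2 'REG:system.ini: UserInit=' entry into its individual paths.

    The value is comma-separated and, as in the log above, usually ends with a trailing comma.
    Returns [] for F2 entries that are not UserInit lines.
    """
    _, _, value = body.partition("UserInit=")
    if not value:
        return []
    return [part.strip() for part in value.split(",") if part.strip()]


def suspicious_userinit(sections: Dict[str, List[str]]) -> List[str]:
    """Return every UserInit path other than the stock userinit.exe, in log order.

    Anything returned here is launched by winlogon at every interactive logon, so it
    deserves a hash check and an AV scan before deciding what it is.
    """
    extra: List[str] = []
    for body in sections.get("F2", []):
        for path in userinit_entries(body):
            if path.lower() != EXPECTED_USERINIT:
                extra.append(path)
    return extra


def run_entries(sections: Dict[str, List[str]]) -> List[str]:
    """Return the O4 autostart entries (HKLM/HKCU Run keys and startup folders) for review."""
    return list(sections.get("O4", []))


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT_LOG)
    for path in suspicious_userinit(parsed):
        print("UserInit entry other than userinit.exe:", path)
    for entry in run_entries(parsed):
        print("O4 autostart:", entry)
```

Run against the sample, the script reports uedit32.exe and symstore.exe as UserInit entries to examine and lists the two O4 Run entries; on a real log it would be fed the whole file, and the comparison is done on the lowercased full path so that an executable named userinit.exe in another directory is still reported.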

  2. #2
    Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Hi

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Nov 2008
    Posts
    14

    Hello,

    Thanks for getting back to me. Here are the logs you requested.


    DDS (Ver_09-02-01.01) - NTFSx86
    Run by skull at 13:51:40.94 on Sun 03/15/2009
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.204 [GMT -7:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\McShield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\skull\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-12 213640]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-12 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\McShield.exe [2008-6-12 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-12 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-12 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-12 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-12 40552]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-12 34216]

    =============== Created Last 30 ================

    2009-03-12 22:54 116,224 a------- c:\windows\sed.exe
    2009-03-12 22:54 <DIR> --d----- C:\ComboFix
    2009-03-12 07:15 <DIR> --d----- c:\docume~1\skull\applic~1\Malwarebytes
    2009-03-12 07:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-12 07:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-12 07:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-12 07:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-03-12 06:59 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
    2009-03-12 06:56 6 a------- c:\windows\_id.dat
    2009-03-12 06:56 128 a------- c:\windows\adobe.bat
    2009-03-11 17:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-03-11 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-03-10 22:21 130,150 a------- c:\windows\system32\adx.exe

    ==================== Find3M ====================

    2009-03-14 21:33 182,656 a------- c:\windows\system32\drivers\ndis.sys
    2009-03-10 07:18 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-01 00:35 1,744 a------- c:\windows\system32\d3d9caps.dat
    2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-01-19 18:13 4,212 ----h--- c:\windows\system32\zllictbl.dat
    2009-01-01 13:20 1,632 a------- c:\windows\system32\d3d8caps.dat
    2008-12-20 16:15 826,368 a------- c:\windows\system32\wininet.dll
    2008-12-18 09:27 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

    ============= FINISH: 13:52:37.61 ===============

    ==== System Restore Points ===================

    RP1: 3/12/2009 10:03:19 PM - System Checkpoint
    RP2: 3/13/2009 9:36:20 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================


    ==== Event Viewer Messages From Past Week ========

    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:38:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    3/11/2009 8:38:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/11/2009 4:03:44 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    3/11/2009 8:39:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec mfehidk MPFP MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip
    3/11/2009 9:16:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    3/12/2009 5:57:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips P3
    3/12/2009 7:52:37 AM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
    3/12/2009 9:47:01 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    3/12/2009 3:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips mfehidk P3
    3/12/2009 9:54:24 PM, error: SRService [104] - The System Restore initialization process failed.
    3/12/2009 9:54:24 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    3/14/2009 8:06:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/13/2009 8:16:36 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    3/13/2009 8:16:41 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.

    ==== End Of File ===========================

  4. #4
    Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Hi

    Please post contents of attach.txt file too

  5. #5
    Junior Member
    Join Date
    Nov 2008
    Posts
    14

    Hello Again,

    Here are the attach.txt contents.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/12/2008 3:21:50 PM
    System Uptime: 3/15/2009 1:29:11 PM (0 hours ago)

    Motherboard: Intel Corporation | | D815EEA
    Processor: Intel Pentium III processor | J4L1 | 996/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 19 GiB total, 12.546 GiB free.
    D: is FIXED (NTFS) - 298 GiB total, 6.944 GiB free.
    E: is CDROM ()
    F: is CDROM (CDFS)
    G: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 3/12/2009 10:03:19 PM - System Checkpoint
    RP2: 3/13/2009 9:36:20 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================


    ==== Event Viewer Messages From Past Week ========

    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:39:39 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/11/2009 8:38:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    3/11/2009 8:38:35 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/11/2009 4:03:44 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    3/11/2009 8:39:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec mfehidk MPFP MRxSmb NetBIOS NetBT P3 RasAcd Rdbss Tcpip
    3/11/2009 9:16:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    3/12/2009 5:57:04 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips P3
    3/12/2009 7:52:37 AM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
    3/12/2009 9:47:01 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    3/12/2009 3:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips mfehidk P3
    3/12/2009 9:54:24 PM, error: SRService [104] - The System Restore initialization process failed.
    3/12/2009 9:54:24 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    3/14/2009 8:06:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/13/2009 8:16:36 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    3/13/2009 8:16:41 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.

    ==== End Of File ===========================

  6. #6
    Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Do NOT run 'fixes' before helpers have analyzed HJT log

    Hi

    I noticed you've run ComboFix by yourself though it's not recommended. Post contents of ComboFix.txt file back here.

  7. #7
    Junior Member
    Join Date
    Nov 2008
    Posts
    14

    Hello

    I had a hard time trying to stop McAfee; all sorts of popup alerts from McAfee occurred during the ComboFix scan, and I hope the scan isn't tainted. Here are the scan results.


    ComboFix 09-03-15.01 - skull 2009-03-17 6:00:17.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.323 [GMT -7:00]
    Running from: c:\documents and settings\skull\Desktop\Malware Utilities\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\userinit.exe . . . is infected!!

    c:\windows\system32\spoolsv.exe . . . is infected!!

    c:\windows\explorer.exe . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_PROTECT
    -------\Legacy_RESTORE


    ((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
    .

    2009-03-12 07:15 . 2009-03-12 07:15 <DIR> d-------- c:\documents and settings\skull\Application Data\Malwarebytes
    2009-03-12 07:15 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-12 07:15 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-12 07:14 . 2009-03-12 07:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-12 07:14 . 2009-03-12 07:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-12 06:59 . 2009-03-14 21:31 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
    2009-03-12 06:56 . 2009-03-12 16:44 128 --a------ c:\windows\adobe.bat
    2009-03-12 06:56 . 2009-03-12 07:00 6 --a------ c:\windows\_id.dat
    2009-03-11 17:07 . 2009-03-13 21:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-11 17:07 . 2009-03-11 17:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-17 09:21 . 2009-02-18 09:53 <DIR> d-------- c:\documents and settings\skull\Application Data\Move Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-17 13:09 55,808 ----a-w c:\windows\system32\ipconfig.exe
    2009-03-17 13:04 57,856 ----a-w c:\windows\system32\spoolsv.exe
    2009-03-17 13:04 1,033,728 ----a-w c:\windows\explorer.exe
    2009-03-17 13:03 43,534 ----a-w c:\windows\system32\userinit.exe
    2009-03-17 13:02 19,968 ----a-w c:\windows\system32\qprocess.exe
    2009-03-17 13:01 8,192 ----a-w c:\windows\system32\winhlp32.exe
    2009-03-17 13:01 33,291 ----a-w c:\windows\system32\dmremote.exe
    2009-03-17 13:01 27,648 ----a-w c:\windows\system32\conime.exe
    2009-03-17 13:01 124,928 ----a-w c:\windows\system32\net1.exe
    2009-03-17 13:01 1,414,656 ----a-w c:\windows\system32\mmc.exe
    2009-03-17 12:59 19,968 ----a-w c:\windows\system32\route.exe
    2009-03-17 12:58 33,282 ----a-w c:\windows\system32\expand.exe
    2009-03-17 12:55 135,680 ----a-w c:\windows\system32\taskmgr.exe
    2009-03-17 12:53 9,216 ----a-w c:\windows\system32\find.exe
    2009-03-17 12:53 56,837 ----a-w c:\windows\system32\grpconv.exe
    2009-03-17 12:53 29,705 ----a-w c:\windows\system32\attrib.exe
    2009-03-17 12:53 27,136 ----a-w c:\windows\system32\findstr.exe
    2009-03-17 12:53 24,576 ----a-w c:\windows\system32\sort.exe
    2009-03-17 12:53 17,920 ----a-w c:\windows\system32\ping.exe
    2009-03-17 12:53 14,336 ----a-w c:\windows\system32\runonce.exe
    2009-03-17 12:52 155,648 ----a-w c:\windows\system32\wscript.exe
    2009-03-17 12:52 103,936 ----a-w c:\windows\system32\logagent.exe
    2009-03-17 12:51 62,479 ----a-w c:\windows\system32\shmgrate.exe
    2009-03-17 12:51 514,560 ----a-w c:\windows\system32\logonui.exe
    2009-03-17 12:51 45,568 ----a-w c:\windows\system32\drwtsn32.exe
    2009-03-17 12:51 11,776 ----a-w c:\windows\system32\regsvr32.exe
    2009-03-17 12:50 45,568 ----a-w c:\windows\system32\mshta.exe
    2009-03-17 12:50 33,280 ----a-w c:\windows\system32\rundll32.exe
    2009-03-17 12:50 31,744 ----a-w c:\windows\system32\ntsd.exe
    2009-03-17 12:50 163,863 ----a-w c:\windows\regedit.exe
    2009-03-17 12:48 5,632 ----a-w c:\windows\system32\cisvc.exe
    2009-03-17 12:48 33,280 ----a-w c:\windows\system32\clipsrv.exe
    2009-03-17 12:48 25,088 ----a-w c:\windows\system32\defrag.exe
    2009-03-17 12:42 15,360 ----a-w c:\windows\system32\ctfmon.exe
    2009-03-17 12:38 220,672 ----a-w c:\windows\system32\logon.scr
    2009-03-17 12:31 44,544 ----a-w c:\windows\system32\alg.exe
    2009-03-17 12:30 135,168 ----a-w c:\windows\system32\cscript.exe
    2009-03-17 06:26 46,083 ----a-w c:\windows\system32\verclsid.exe
    2009-03-17 06:24 150,528 ----a-w c:\windows\system32\imapi.exe
    2009-03-17 06:19 69,120 ----a-w c:\windows\system32\notepad.exe
    2009-03-15 20:29 --------- d-----w c:\program files\McAfee
    2009-03-15 04:33 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
    2009-03-11 05:53 --------- d-----w c:\program files\Passware
    2009-03-10 14:18 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-10 14:18 --------- d-----w c:\program files\Java
    2009-02-26 15:25 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-11 06:08 --------- d-----w c:\documents and settings\skull\Application Data\Rokario
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-12-17 15:02 19,879,397 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_12_17_06_50_24_full.dmp.zip
    2008-12-17 14:26 21,151,628 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_12_16_23_33_18_full.dmp.zip
    .

    ------- Sigcheck -------

    2009-03-17 06:04 1033728 5a4d8cc07e31b75a8faa2ca71a891227 c:\windows\explorer.exe
    2009-03-17 06:04 1033216 d78403dde72b995e9935a221d323d46b c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    2009-03-17 06:04 1050640 2105f8a69c3501eff39ab6ada0f68655 c:\windows\$NtServicePackUninstall$\explorer.exe
    2009-03-17 06:04 1032192 edb9f04ea7f23a802e04774e7eaaa23e c:\windows\$NtUninstallKB938828$\explorer.exe
    2009-03-17 06:04 1033728 5a4d8cc07e31b75a8faa2ca71a891227 c:\windows\ServicePackFiles\i386\explorer.exe

    2009-03-17 06:10 32777 308efaca62b76ae855021c55a65732ad c:\windows\$NtServicePackUninstall$\ctfmon.exe
    2009-03-17 06:11 32770 ad072b71e2d100cb47b1ef6e96c60fc6 c:\windows\ServicePackFiles\i386\ctfmon.exe
    2009-03-17 05:42 15360 66bb9ece6fc265c1017439a1a6bb8f39 c:\windows\system32\ctfmon.exe

    2009-03-17 06:03 57856 f96661661dc6055125b7f338ef77e3c4 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    2009-03-17 06:03 57856 0236d8d8c0315e118feea7ed6c9affeb c:\windows\$NtServicePackUninstall$\spoolsv.exe
    2009-03-17 06:03 57856 5fa50e76687c593444dec40eefcb67a4 c:\windows\$NtUninstallKB896423$\spoolsv.exe
    2009-03-17 06:03 57856 b80ab4b1a18ec8540b48669273ac14ee c:\windows\ServicePackFiles\i386\spoolsv.exe
    2009-03-17 06:04 57856 b80ab4b1a18ec8540b48669273ac14ee c:\windows\system32\spoolsv.exe

    2009-03-17 06:03 24576 3f3bda164bbfbcbd2e3f204a1cf1d484 c:\windows\$NtServicePackUninstall$\userinit.exe
    2009-03-17 06:03 26112 c26536de363fef4e42a23c20fd6e7fea c:\windows\ServicePackFiles\i386\userinit.exe
    2009-03-17 06:03 43534 d6afbe536f5dddc7b0bfe95649ecccc9 c:\windows\system32\userinit.exe
    .
    ((((((((((((((((((((((((((((( snapshot@2009-03-12_22.57.54.33 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2005-06-11 00:17:13 75,264 ----a-w c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    + 2009-03-17 13:03:55 57,856 ----a-w c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
    - 2007-06-13 11:26:03 1,050,624 ----a-w c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    + 2009-03-17 13:04:12 1,033,216 ----a-w c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    - 2007-06-13 10:23:07 1,050,624 -c----w c:\windows\$NtServicePackUninstall$\explorer.exe
    + 2009-03-17 13:04:10 1,050,640 -c--a-w c:\windows\$NtServicePackUninstall$\explorer.exe
    - 2006-02-28 12:00:00 182,656 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
    + 2006-02-28 12:00:00 182,912 -c----w c:\windows\$NtServicePackUninstall$\ndis.sys
    - 2005-06-10 23:53:32 75,264 -c----w c:\windows\$NtServicePackUninstall$\spoolsv.exe
    + 2009-03-17 13:03:54 57,856 -c--a-w c:\windows\$NtServicePackUninstall$\spoolsv.exe
    - 2006-02-28 12:00:00 41,984 -c----w c:\windows\$NtServicePackUninstall$\userinit.exe
    + 2009-03-17 13:03:43 24,576 -c--a-w c:\windows\$NtServicePackUninstall$\userinit.exe
    - 2006-02-28 12:00:00 75,264 -c----w c:\windows\$NtUninstallKB896423$\spoolsv.exe
    + 2009-03-17 13:03:56 57,856 -c--a-w c:\windows\$NtUninstallKB896423$\spoolsv.exe
    - 2006-02-28 12:00:00 1,049,600 -c----w c:\windows\$NtUninstallKB938828$\explorer.exe
    + 2009-03-17 13:04:07 1,032,192 -c--a-w c:\windows\$NtUninstallKB938828$\explorer.exe
    - 2005-10-21 03:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    + 2005-10-21 03:02:28 184,832 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
    + 2009-03-17 13:04:52 166,912 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    - 2008-04-14 00:12:38 229,376 ----a-w c:\windows\inf\unregmp2.exe
    + 2009-03-17 06:25:41 208,896 ----a-w c:\windows\inf\unregmp2.exe
    - 2008-04-13 18:53:32 575,488 ------w c:\windows\network diagnostic\xpnetdiag.exe
    + 2009-03-17 12:50:37 575,506 ----a-w c:\windows\network diagnostic\xpnetdiag.exe
    - 2000-08-31 15:00:00 48,128 ----a-w c:\windows\NIRCMD.exe
    + 2009-03-17 13:01:02 31,744 ----a-w c:\windows\NIRCMD.exe
    - 2000-08-31 15:00:00 179,712 ----a-w c:\windows\SWREG.exe
    + 2009-03-17 12:54:36 162,304 ----a-w c:\windows\SWREG.exe
    - 2000-08-31 15:00:00 155,136 ----a-w c:\windows\SWSC.exe
    + 2009-03-17 13:03:27 137,728 ----a-w c:\windows\SWSC.exe
    - 2008-04-14 00:12:14 407,040 ----a-w c:\windows\system32\cmd.exe
    + 2009-03-17 12:49:55 389,120 ----a-w c:\windows\system32\cmd.exe
    - 2008-04-14 00:12:15 27,136 ----a-w c:\windows\system32\Com\comrepl.exe
    + 2009-03-17 13:01:33 27,151 ----a-w c:\windows\system32\Com\comrepl.exe
    - 2008-04-14 00:12:15 23,552 ----a-w c:\windows\system32\Com\comrereg.exe
    + 2009-03-17 13:01:34 6,144 ----a-w c:\windows\system32\Com\comrereg.exe
    - 2009-03-13 04:12:08 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-03-17 12:34:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2009-03-13 04:12:08 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-03-17 12:34:56 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2009-03-15 05:10:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031420090315\index.dat
    - 2009-03-13 04:12:08 262,144 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-03-17 12:34:56 344,064 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
    - 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
    + 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
    - 2008-04-14 00:12:17 22,528 ----a-w c:\windows\system32\dllhost.exe
    + 2009-03-17 12:48:59 5,120 ----a-w c:\windows\system32\dllhost.exe
    - 2008-04-14 00:12:17 242,176 ----a-w c:\windows\system32\dmadmin.exe
    + 2009-03-17 12:49:00 224,768 ----a-w c:\windows\system32\dmadmin.exe
    - 2008-06-27 13:08:40 79,240 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    + 2009-01-09 19:03:40 79,304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    - 2008-06-27 13:08:40 35,240 ----a-w c:\windows\system32\drivers\mfebopk.sys
    + 2009-01-09 19:03:40 35,272 ----a-w c:\windows\system32\drivers\mfebopk.sys
    - 2008-06-27 13:08:40 207,656 ----a-w c:\windows\system32\drivers\mfehidk.sys
    + 2009-01-09 19:03:40 213,640 ----a-w c:\windows\system32\drivers\mfehidk.sys
    - 2008-06-20 12:41:38 34,152 ----a-w c:\windows\system32\drivers\mferkdk.sys
    + 2009-01-09 19:03:06 34,216 ----a-w c:\windows\system32\drivers\mferkdk.sys
    - 2008-06-27 13:08:40 40,488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
    + 2009-01-09 19:03:40 40,552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
    - 2008-06-02 21:55:42 120,136 ----a-w c:\windows\system32\drivers\Mpfp.sys
    + 2008-10-23 20:08:54 120,136 ----a-w c:\windows\system32\drivers\Mpfp.sys
    - 2008-12-18 17:31:06 111,784 ----a-w c:\windows\system32\FNTCACHE.DAT
    + 2009-03-14 13:18:50 111,784 ----a-w c:\windows\system32\FNTCACHE.DAT
    - 2008-12-19 09:10:15 88,064 ------w c:\windows\system32\ie4uinit.exe
    + 2009-03-17 05:37:32 70,656 ----a-w c:\windows\system32\ie4uinit.exe
    - 2008-12-19 09:10:15 31,232 ----a-w c:\windows\system32\ieudinit.exe
    + 2009-03-17 12:51:34 13,824 ----a-w c:\windows\system32\ieudinit.exe
    - 2008-04-14 00:12:24 92,672 ----a-w c:\windows\system32\locator.exe
    + 2009-03-17 12:49:15 75,264 ----a-w c:\windows\system32\locator.exe
    - 2006-01-21 23:01:22 42,496 ----a-w c:\windows\system32\Macromed\Flash\genuinst.exe
    + 2009-03-17 12:51:00 25,088 ----a-w c:\windows\system32\Macromed\Flash\genuinst.exe
    - 2008-04-14 00:12:25 53,248 ----a-w c:\windows\system32\mnmsrvc.exe
    + 2009-03-17 12:49:04 32,768 ----a-w c:\windows\system32\mnmsrvc.exe
    - 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
    + 2009-02-25 20:54:59 24,768,960 ----a-w c:\windows\system32\MRT.exe
    - 2008-04-14 00:12:27 23,552 ----a-w c:\windows\system32\msdtc.exe
    + 2009-03-17 12:49:06 23,553 ----a-w c:\windows\system32\msdtc.exe
    - 2008-04-14 00:12:28 96,256 ----a-w c:\windows\system32\msiexec.exe
    + 2009-03-17 12:49:08 78,848 ----a-w c:\windows\system32\msiexec.exe
    - 2008-04-14 00:12:29 128,512 ----a-w c:\windows\system32\netdde.exe
    + 2009-03-17 12:49:10 111,104 ----a-w c:\windows\system32\netdde.exe
    - 2008-04-14 00:12:31 126,976 ----a-w c:\windows\system32\progman.exe
    + 2009-03-17 12:49:53 109,568 ----a-w c:\windows\system32\progman.exe
    - 2008-04-14 00:12:32 80,384 ----a-w c:\windows\system32\rdpclip.exe
    + 2009-03-17 12:49:50 62,976 ----a-w c:\windows\system32\rdpclip.exe
    - 2006-02-28 12:00:00 150,016 ----a-w c:\windows\system32\rsvp.exe
    + 2009-03-17 12:49:16 132,608 ----a-w c:\windows\system32\rsvp.exe
    - 2008-04-14 00:12:33 113,152 ----a-w c:\windows\system32\scardsvr.exe
    + 2009-03-17 12:49:18 95,744 ----a-w c:\windows\system32\scardsvr.exe
    - 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
    + 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
    - 2008-04-14 00:12:34 158,720 ----a-w c:\windows\system32\sessmgr.exe
    + 2009-03-17 12:49:12 158,747 ----a-w c:\windows\system32\sessmgr.exe
    - 2008-04-14 00:12:35 107,008 ----a-w c:\windows\system32\smlogsvc.exe
    + 2009-03-17 12:49:21 89,600 ----a-w c:\windows\system32\smlogsvc.exe
    - 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
    - 2008-04-14 00:12:38 90,624 ----a-w c:\windows\system32\tlntsvr.exe
    + 2009-03-17 12:49:23 73,216 ----a-w c:\windows\system32\tlntsvr.exe
    - 2008-04-14 00:12:38 35,840 ----a-w c:\windows\system32\ups.exe
    + 2009-03-17 12:49:25 18,432 ----a-w c:\windows\system32\ups.exe
    - 2008-04-14 00:12:38 307,200 ----a-w c:\windows\system32\vssvc.exe
    + 2009-03-17 12:49:27 289,792 ----a-w c:\windows\system32\vssvc.exe
    - 2008-04-14 00:12:40 144,384 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
    + 2009-03-17 12:49:29 126,464 ----a-w c:\windows\system32\wbem\wmiapsrv.exe
    - 2008-04-14 00:12:40 235,520 ----a-w c:\windows\system32\wbem\wmiprvse.exe
    + 2009-03-16 21:23:12 218,112 ----a-w c:\windows\system32\wbem\wmiprvse.exe
    + 2009-03-17 13:07:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat
    - 2000-08-31 15:00:00 73,284 ----a-w c:\windows\VFIND.exe
    + 2009-03-17 13:01:18 52,804 ----a-w c:\windows\VFIND.exe
    + 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-03-17 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2277888]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\Shareaza\\Shareaza.exe"=
    "c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    .
    Contents of the 'Scheduled Tasks' folder

    2008-06-12 c:\windows\Tasks\McDefragTask.job
    - c:\windows\system32\defrag.exe [2009-03-17 05:48]

    2008-06-12 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-17 06:08:42
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
    c:\progra~1\McAfee\VIRUSS~1\mcvsmap.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-17 6:12:49 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-17 13:12:39
    ComboFix2.txt 2009-03-13 05:58:49

    Pre-Run: 13,339,693,056 bytes free
    Post-Run: 13,322,797,056 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    288 --- E O F --- 2009-03-17 12:51:58
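
An added example (not part of this thread and not ComboFix's own code) that reads the snapshot section of a log like the one above: it pairs the '-' (before) and '+' (after) records for each path, computes the size change, and lists the runs of system binaries whose new modification times all fall inside one short window, which is what the 12:49:xx entries in this log look like. It also picks out the Security Center DWORDs that are set to 1. The sample lines are copied from this log; the five-minute window and the three-file threshold are assumptions.

```python
"""Pair ComboFix '-'/'+' snapshot records, compute size deltas, flag runs of
system binaries replaced inside one time window, and list Security Center
overrides. Added example for this thread, not part of ComboFix; sample data is
copied from the log, the window and threshold values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ComboFix snapshot record: sign, mtime, size (thousands separators), attrs, path
RECORD_RE = re.compile(
    r"^\s*([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)
# "name"=dword:xxxxxxxx values under the REGEDIT4 section
REG_DWORD_RE = re.compile(r'^\s*"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')

# Constructed sample: a subset of the lines in the log above.
SAMPLE_SNAPSHOT = r"""
    - 2008-04-14 00:12:17 242,176 ----a-w c:\windows\system32\dmadmin.exe
    + 2009-03-17 12:49:00 224,768 ----a-w c:\windows\system32\dmadmin.exe
    - 2008-06-27 13:08:40 79,240 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    + 2009-01-09 19:03:40 79,304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
    - 2008-04-14 00:12:24 92,672 ----a-w c:\windows\system32\locator.exe
    + 2009-03-17 12:49:15 75,264 ----a-w c:\windows\system32\locator.exe
    - 2008-04-14 00:12:27 23,552 ----a-w c:\windows\system32\msdtc.exe
    + 2009-03-17 12:49:06 23,553 ----a-w c:\windows\system32\msdtc.exe
    - 2008-04-14 00:12:34 158,720 ----a-w c:\windows\system32\sessmgr.exe
    + 2009-03-17 12:49:12 158,747 ----a-w c:\windows\system32\sessmgr.exe
    + 2009-03-17 13:07:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_784.dat
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""


def parse_snapshot(text):
    """Yield (sign, mtime, size, attrs, path) for each '-'/'+' record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            sign, stamp, size, attrs, path = m.groups()
            yield (sign, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                   int(size.replace(",", "")), attrs, path.lower())


def pair_changes(text):
    """Map path -> {'before': (mtime, size, attrs), 'after': ...}. Both sides
    present means replaced in place; '+' only is new, '-' only is deleted."""
    changes = defaultdict(dict)
    for sign, mtime, size, attrs, path in parse_snapshot(text):
        changes[path]["before" if sign == "-" else "after"] = (mtime, size, attrs)
    return dict(changes)


def bulk_replacements(text, window=timedelta(minutes=5), min_count=3,
                      exts=(".exe", ".dll", ".sys")):
    """Sort replaced binaries by new mtime and group them so every member is
    within `window` of the group's first entry. Returns groups of at least
    min_count files as lists of (path, size_delta). A vendor update (the
    McAfee drivers in January) forms its own small group; a run of system32
    executables rewritten in the same minute is the one to look at."""
    replaced = sorted(
        ((path, c["before"], c["after"]) for path, c in pair_changes(text).items()
         if "before" in c and "after" in c and path.endswith(exts)),
        key=lambda r: r[2][0])
    groups, current = [], []
    for rec in replaced:
        if current and rec[2][0] - current[0][2][0] > window:
            groups.append(current)
            current = []
        current.append(rec)
    if current:
        groups.append(current)
    return [[(path, after[1] - before[1]) for path, before, after in g]
            for g in groups if len(g) >= min_count]


def security_center_overrides(text):
    """Return (key, value_name) for Security Center DWORDs set to 1; these
    suppress the AV/firewall status alerts the user would otherwise see."""
    hits, key = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            key = stripped[1:-1]
            continue
        m = REG_DWORD_RE.match(line)
        if m and key and "security center" in key.lower() and int(m.group(2), 16) == 1:
            hits.append((key, m.group(1)))
    return hits


if __name__ == "__main__":
    for group in bulk_replacements(SAMPLE_SNAPSHOT):
        print("%d binaries replaced within one window:" % len(group))
        for path, delta in group:
            print("  %+7d bytes  %s" % (delta, path))
    for key, name in security_center_overrides(SAMPLE_REG):
        print("Security Center override: %s\\%s = 1" % (key, name))
```

To run it on a saved ComboFix.txt, pass the file's text in place of SAMPLE_SNAPSHOT and SAMPLE_REG; only lines of the "- date time size attrs path" and "name"=dword: forms are read, everything else is skipped.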

  8. #8
    Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,300

    Hi

    Upload the following files to http://www.virustotal.com and post back the results, please:
    c:\windows\system32\userinit.exe
    c:\windows\system32\spoolsv.exe
    c:\windows\explorer.exe
    Microsoft Windows Insider MVP 2016-2018
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  9. #9
    Junior Member
    Join Date
    Nov 2008
    Posts
    14

    Hello,

    Here are the results for userinit.exe


    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.18 -
    AhnLab-V3 5.0.0.2 2009.03.18 -
    AntiVir 7.9.0.116 2009.03.17 -
    Authentium 5.1.0.4 2009.03.17 -
    Avast 4.8.1335.0 2009.03.17 -
    AVG 8.0.0.237 2009.03.17 -
    BitDefender 7.2 2009.03.18 -
    CAT-QuickHeal 10.00 2009.03.18 -
    ClamAV 0.94.1 2009.03.18 -
    Comodo 1062 2009.03.17 -
    DrWeb 4.44.0.09170 2009.03.18 -
    eSafe 7.0.17.0 2009.03.17 -
    eTrust-Vet 31.6.6388 2009.03.09 -
    F-Prot 4.4.4.56 2009.03.17 -
    F-Secure 8.0.14470.0 2009.03.18 -
    Fortinet 3.117.0.0 2009.03.18 -
    GData 19 2009.03.18 -
    Ikarus T3.1.1.45.0 2009.03.18 -
    K7AntiVirus 7.10.674 2009.03.17 -
    Kaspersky 7.0.0.125 2009.03.18 -
    McAfee 5556 2009.03.17 -
    McAfee+Artemis 5556 2009.03.17 -
    McAfee-GW-Edition 6.7.6 2009.03.17 -
    Microsoft 1.4502 2009.03.17 -
    NOD32 3944 2009.03.17 -
    Norman 6.00.06 2009.03.17 -
    nProtect 2009.1.8.0 2009.03.18 -
    Panda 10.0.0.10 2009.03.18 -
    PCTools 4.4.2.0 2009.03.17 -
    Prevx1 V2 2009.03.18 -
    Rising 21.21.20.00 2009.03.18 -
    Sophos 4.39.0 2009.03.18 -
    Sunbelt 3.2.1858.2 2009.03.18 -
    Symantec 1.4.4.12 2009.03.18 -
    TheHacker 6.3.3.0.283 2009.03.16 -
    TrendMicro 8.700.0.1004 2009.03.18 -
    VBA32 3.12.10.1 2009.03.17 -
    ViRobot 2009.3.18.1653 2009.03.18 -
    VirusBuster 4.6.5.0 2009.03.17 -
    Additional information
    File size: 43534 bytes
    MD5...: d6afbe536f5dddc7b0bfe95649ecccc9
    SHA1..: 1602902729e715ac569fc40c1d5c508d2a86e8bd
    SHA256: 306f01336ceeb93f56d34a3c227dd3528904b02e4e8e9bcb5b300d8de0db636c
    SHA512: 5c4f63c755437288231cd2f369e043bc997d1a1e0bbe011a82f85b5574fb1ed9
    7dd10bed07c08870710c96161c8f53ff1dc7499d1efb6e9ea510f9b6fbb98c12
    ssdeep: 768:eRMJi8jDLIDSAaQFxfftjaLacmkLGKOq:eRMJbDMDSA7FxffJaLaSLG9q

    PEiD..: -
    TrID..: File type identification
    Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x54ad
    timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
    .data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
    .rsrc 0x8000 0x5c00 0x5000 0.69 9573830b89698276564aefa4298faf3c

    ( 9 imports )
    > USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
    > ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
    > CRYPT32.dll: CryptProtectData
    > WINSPOOL.DRV: SpoolerInit
    > ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
    > NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
    > WLDAP32.dll: -, -, -, -, -, -
    > msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
    > KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

    ( 0 exports )

  10. #10
    Junior Member
    Join Date
    Nov 2008
    Posts
    14

    Results for spoolsv.exe

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.18 -
    AhnLab-V3 5.0.0.2 2009.03.18 -
    AntiVir 7.9.0.116 2009.03.17 -
    Authentium 5.1.0.4 2009.03.17 -
    Avast 4.8.1335.0 2009.03.17 -
    AVG 8.0.0.237 2009.03.17 -
    BitDefender 7.2 2009.03.18 -
    CAT-QuickHeal 10.00 2009.03.18 -
    ClamAV 0.94.1 2009.03.18 -
    Comodo 1062 2009.03.17 -
    DrWeb 4.44.0.09170 2009.03.18 -
    eSafe 7.0.17.0 2009.03.17 -
    eTrust-Vet 31.6.6388 2009.03.09 -
    F-Prot 4.4.4.56 2009.03.17 -
    F-Secure 8.0.14470.0 2009.03.18 -
    Fortinet 3.117.0.0 2009.03.18 -
    GData 19 2009.03.18 -
    Ikarus T3.1.1.45.0 2009.03.18 -
    K7AntiVirus 7.10.674 2009.03.17 -
    Kaspersky 7.0.0.125 2009.03.18 -
    McAfee 5556 2009.03.17 -
    McAfee+Artemis 5556 2009.03.17 -
    McAfee-GW-Edition 6.7.6 2009.03.17 -
    Microsoft 1.4502 2009.03.17 -
    NOD32 3944 2009.03.17 -
    Norman 6.00.06 2009.03.17 -
    nProtect 2009.1.8.0 2009.03.18 -
    Panda 10.0.0.10 2009.03.18 -
    PCTools 4.4.2.0 2009.03.17 -
    Prevx1 V2 2009.03.18 -
    Rising 21.21.20.00 2009.03.18 -
    Sophos 4.39.0 2009.03.18 -
    Sunbelt 3.2.1858.2 2009.03.18 -
    Symantec 1.4.4.12 2009.03.18 -
    TheHacker 6.3.3.0.283 2009.03.16 -
    TrendMicro 8.700.0.1004 2009.03.18 -
    VBA32 3.12.10.1 2009.03.17 -
    ViRobot 2009.3.18.1653 2009.03.18 -
    VirusBuster 4.6.5.0 2009.03.17 -
    Additional information
    File size: 57856 bytes
    MD5...: b80ab4b1a18ec8540b48669273ac14ee
    SHA1..: 616c17502413c930cccf6d3e39674bcdb2820c93
    SHA256: 647321b104b4ae46c016782bac71c1883a03efee01f4cc5987c166056472f025
    SHA512: a64356551492d6d4698d97fb147a1f054abb26048cb4a8590ef0e56441d4ec50
    96e2fb528786cab73f9cd141ba6dbbd3cd550a64e5b6f57cbdb7ccd51047d00a
    ssdeep: 768:FE4EVpgSavGlAMm1yMvsCeq+H8O+j8f1b1mDV3D+JMG/dXplJigo:QgSHlAM
    mxUC/OUVIrOgo

    PEiD..: -
    TrID..: File type identification
    Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x461b
    timedatestamp.....: 0x48025ce1 (Sun Apr 13 19:20:01 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0xba70 0xbc00 5.96 d9b4f450aa98b3936118e3a3c42ed657
    .data 0xd000 0x13b4 0x1400 2.24 887444c39cada5bd753c428783e0009b
    .rsrc 0xf000 0xe00 0xe00 6.18 8b7aa680680d5c40e90647de12607611

    ( 6 imports )
    > ADVAPI32.dll: SetServiceStatus, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, GetLengthSid, InitializeAcl, AddAccessAllowedAce, AddAccessDeniedAce, GetAce, SetSecurityDescriptorDacl, GetSecurityDescriptorLength, MakeSelfRelativeSD, RegDisablePredefinedCache, RegOpenKeyExW, RegCloseKey, RegisterServiceCtrlHandlerExW, StartServiceCtrlDispatcherW
    > GDI32.dll: bMakePathNameW, GdiInitSpool, GdiGetSpoolMessage
    > KERNEL32.dll: GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, GetCurrentProcessId, SetUnhandledExceptionFilter, GetModuleHandleA, GetCurrentThreadId, GetTickCount, UnhandledExceptionFilter, QueryPerformanceCounter, FreeLibrary, InterlockedExchange, GetModuleHandleW, GetLastError, ExitThread, CloseHandle, WaitForSingleObject, CreateEventW, CreateThread, ExitProcess, Sleep, OpenEventW, LoadLibraryA, InitializeCriticalSection, LocalFree, LocalAlloc, SetEvent, LeaveCriticalSection, EnterCriticalSection, SetLastError, OpenProcess, InterlockedIncrement, RaiseException, InterlockedDecrement, GetProcAddress, GetSystemDirectoryW
    > msvcrt.dll: __initenv, _exit, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _XcptFilter, wcsrchr, wcslen, _c_exit, _stricmp, _wcsnicmp, _except_handler3
    > ntdll.dll: RtlValidRelativeSecurityDescriptor
    > RPCRT4.dll: RpcServerRegisterIf2, I_RpcBindingIsClientLocal, I_RpcSessionStrictContextHandle, RpcRaiseException, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2, RpcServerUseProtseqEpA, I_RpcSsDontSerializeContext, RpcMgmtSetServerStackSize, RpcServerListen

    ( 12 exports )
    YDriverUnloadComplete, YEndDocPrinter, YFlushPrinter, YGetPrinter, YGetPrinterDriver2, YGetPrinterDriverDirectory, YReadPrinter, YSeekPrinter, YSetJob, YSetPort, YSplReadPrinter, YWritePrinter
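
The "PEInfo" block in the two reports above (machine type, entry point, link timestamp, sections with their entropy) is read straight from the PE header. Below is an added example, not code from this thread and not VirusTotal's, that extracts the same fields with only the Python standard library, so a file such as c:\windows\system32\userinit.exe can be checked against the report locally, before or instead of an upload. The make_sample_pe() helper builds a constructed, non-loadable PE image so the block runs offline; the timestamp and entry point it stamps in are the ones the userinit.exe report lists, everything else about it is made up for the demo.

```python
"""Read the fields VirusTotal shows under 'PEInfo' (machine type, entry point,
link timestamp, sections with entropy) from a PE file with only the standard
library. Added example, not from the thread or from VirusTotal; make_sample_pe()
builds a constructed, non-loadable image so the code runs offline."""
import math
import struct
import sys
from datetime import datetime, timezone


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    """Walk MZ -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                        # COFF header is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]        # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40                      # 40-byte section headers
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machinetype": machine, "pe32plus": magic == 0x20B, "entrypoint": entry,
            "timedatestamp": stamp,
            "linktime": datetime.fromtimestamp(stamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y"),
            "sections": sections}


def make_sample_pe(stamp=0x480251A8, entry=0x54AD):
    """Constructed PE32 image: headers plus two sections, one holding every byte
    value once (entropy 8.0) and one all zeros (entropy 0.0). Default stamp and
    entry point are the values the userinit.exe report lists."""
    text_raw, data_raw = bytes(range(256)), bytes(64)
    text_ptr, data_ptr = 0x200, 0x400
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt_size = 96                                                    # PE32 optional header, no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, len(text_raw), len(data_raw), 0, entry)
    opt += bytes(opt_size - len(opt))
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text_raw), 0x1000,
                       len(text_raw), text_ptr, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", len(data_raw), 0x2000,
                        len(data_raw), data_ptr, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(text_ptr)
    headers = dos + b"PE\0\0" + coff + opt + secs
    image[:len(headers)] = headers
    image += text_raw + bytes(data_ptr - text_ptr - len(text_raw)) + data_raw
    return bytes(image)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pe()
    info = parse_pe(image)
    print("machinetype: 0x%x  entrypoint: 0x%x  linktime: %s" % (
        info["machinetype"], info["entrypoint"], info["linktime"]))
    for s in info["sections"]:
        print("%-8s viradd 0x%x virsiz 0x%x rawdsiz 0x%x entropy %.2f" % (
            s["name"], s["viradd"], s["virsiz"], s["rawdsiz"], s["entropy"]))
```

Run it with a path argument to read a real file. The link timestamp is printed in UTC, which is how the report shows it, and a section whose entropy sits near 8.0 is compressed or encrypted, which is the first thing to look at when a system binary's sections differ from the report's.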
