Jump to content

malware.trace results.txt

Guest Bomb123

Recommended Posts

Guest Bomb123

Hello, i ran a malwarebytes full scan and it detected a file called results.txt as malware.trace C:\WINDOWS\system32\config\systemprofile\results.txt (Malware.Trace) -> Quarantined and deleted successfully. Nothing else was detected. What is that file and why is it deetcted as malware? The computer in which i ran the scan is running very slowly but nothing else was found i also scanned with antivir and nothing was found.

This is what the detected file results.txt contains:

log=AegisP Protocol (network component): Uninstalled.

message=Driver Uninstall was successful

log=AegisP Protocol (device driver): Stopped.

log=AegisP Protocol (C:\WINDOWS\inf\AegisP.PNF): Deleted.

log=AegisP Protocol (C:\WINDOWS\inf\AegisP.inf): Deleted.

log=AegisP Protocol (C:\WINDOWS\system32\drivers\AegisP.sys): Deleted.


Thanks you in advance!

Link to post
Share on other sites

Guest Bomb123

Here is the gmer log...

GMER - http://www.gmer.net

Rootkit scan 2010-04-02 18:32:05

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT F80644F6 ZwCreateKey

SSDT F80644EC ZwCreateThread

SSDT F80644FB ZwDeleteKey

SSDT F8064505 ZwDeleteValueKey

SSDT F806450A ZwLoadKey

SSDT F80644D8 ZwOpenProcess

SSDT F80644DD ZwOpenThread

SSDT F8064514 ZwReplaceKey

SSDT F806450F ZwRestoreKey

SSDT F8064500 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

? xqdpv.sys M

Link to post
Share on other sites

Guest Bomb123

Here is the hijackthis log file if someone could take a look at it...

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 9:51:49, on 3.4.2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:









C:\Program Files\Avira\AntiVir Desktop\sched.exe



C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


C:\Program Files\Arcade\PCMService.exe

C:\Program Files\Launch Manager\LaunchAp.exe

C:\Program Files\Launch Manager\PowerKey.exe

C:\Program Files\Launch Manager\HotkeyApp.exe

C:\Program Files\Launch Manager\OSDCtrl.exe

C:\Program Files\Launch Manager\Wbutton.exe

C:\Program Files\Acer\eRecovery\Monitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe


C:\Program Files\Mobile Partner\Mobile Partner.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre6\bin\jqs.exe


C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe



C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe

O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC



O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"

O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"

O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"

O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"

O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"

O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"

O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"

O4 - HKLM\..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Mobile Partner] "C:\Program Files\Mobile Partner\Mobile Partner.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{660E976B-042B-4D6F-B709-D0FB2AE6D4AF}: NameServer =

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe

O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe

O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe

O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NetMeeting et

Link to post
Share on other sites

Guest Bomb123

Here is the rootrepeal logfile...

ROOTREPEAL © AD, 2007-2009


Scan Start Time: 2010/04/03 09:47

Program Version: Version

Windows Version: Windows XP SP3




Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAACE6000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF899C000 Size: 8192 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9D86000 Size: 49152 File Visible: No Signed: -

Status: -

Hidden/Locked Files



Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-168FC5D6.pf

Status: Visible to the Windows API, but not on disk.

Path: c:\program files\mobile partner\log\atrecord.txt

Status: Size mismatch (API: 738713, Raw: 727685)

Path: c:\program files\mobile partner\log\trace_1.txt

Status: Size mismatch (API: 106247, Raw: 97655)

Path: c:\program files\mobile partner\log\func_trace.txt

Status: Size mismatch (API: 188276, Raw: 185540)

Path: c:\program files\mobile partner\log\callbalk_trace.txt

Status: Size mismatch (API: 376522, Raw: 370784)



#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xf8039506

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xf80394fc

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xf803950b

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xf8039515

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xf803951a

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xf80394e8

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xf80394ed

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xf8039524

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xf803951f

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xf8039510


Link to post
Share on other sites

Guest Bomb123

Well i ran combofix and it quarantined a file named acadproc.dll which seems to be belonging to microsoft... I dont know why it quarantined it but i quess it does not really matter... I will upload it to the latest malware threats forum...

Here is some parts from the combofix log file...

(((((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))))))









--------------------- Locked registrykeys ---------------------


Link to post
Share on other sites

Guest Bomb123

When i ran radix anti-rootkit it found two things propably worth mentioning...

18:59:15 - Performing check: "MBR":

Partition Table:


| Nr | Act | Head Sect Track | Head Sect Track | Offset | Length | OS |


| 1 | N | 001 01 0000 | 254 63 0127 | 0000003F | 005DE280 | 12 |

| 2 | Y | 000 01 0127 | 254 63 0255 | 005DE2BF | 021EF7E7 | 0C |

| 3 | N | 254 63 0255 | 254 63 0255 | 027CDAA6 | 022B785A | 0F |

| 4 | N | 000 00 0000 | 000 00 0000 | 00000000 | 00000000 | 00 |


MBR seems to be OK.(However it's not a standard Windows MBR that I know)

[X] Filter common false alarms.

18:58:35 - Performing check: "Hidden files":

This check can take some time depending on your harddisk size. You can interrupt it with the ESC key.

[*] C:\WINDOWS\Temp\TMP00000008EE15D6D286859796


Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.