
Backdoor.Bot ==> taskbar and networking issues



While I was waiting for your reply, I took the liberty to run a full (all files, maximum archive recursion thing, high heuristic, etc.) rootkit scan using the latest antivir engine with latest definitions.

It's stuck on this file:

c:\windows\wlan\setup_iss\xp_iss\driver_only\install\setup.iss

Hard drive light isn't blinking as it usually does during scans, and CPU usage according to Task Manager is 4%.

==> I think it's hung.

I will abort this scan and carry out chkdsk.


chkdsk returned "volume is clean."

In normal Windows, I downloaded a randomized PrevX installation file, PrevX installed itself in a random path and I closed a VMWare tray icon ... PrevX completed its scan and came up with two "Medium Risk Malware infections" that I have had on other computers for a very long time. I have never had problems entering Safe Mode on those computers.

The concerned files are:

- mwxpcpanelctrlsx4x3.ocx ( c:\program files\matlab\r2010a\toolbox\rtw\targets\xpc\xpc\xpcmngr\ocx\ )

- mwxpcpanelctrlsx4x2.ocx ( c:\program files\matlab\r2010a\toolbox\rtw\targets\xpc\xpc\xpcmngr\ocx\ )


Delete your copy of ComboFix, download a new fresh one and then:

Open Notepad and copy and paste the text in the code box below into it:

Driver::
agqCPQ

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


I thought you might want to look at a log from Antivir before ComboFix potentially modifies anything:

Avira AntiVir Personal

Report file date: Saturday, January 29, 2011 03:58

Scanning for 2435637 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : Waheb

Computer name : EMACHINE-70C055

Version information:

BUILD.DAT : 10.0.0.609 31824 Bytes 07/01/32 09:43:00

AVSCAN.EXE : 10.0.3.5 435368 Bytes 07/01/32 05:39:56

AVSCAN.DLL : 10.0.3.0 46440 Bytes 17/04/31 09:57:04

LUKE.DLL : 10.0.3.2 104296 Bytes 07/01/32 05:40:06

LUKERES.DLL : 10.0.0.1 12648 Bytes 26/02/31 20:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 19/11/30 14:33:40

VBASE001.VDF : 7.11.0.0 13342208 Bytes 08/01/32 14:33:40

VBASE002.VDF : 7.11.0.1 2048 Bytes 08/01/32 14:33:40

VBASE003.VDF : 7.11.0.2 2048 Bytes 08/01/32 14:33:40

VBASE004.VDF : 7.11.0.3 2048 Bytes 08/01/32 14:33:40

VBASE005.VDF : 7.11.0.4 2048 Bytes 08/01/32 14:33:40

VBASE006.VDF : 7.11.0.5 2048 Bytes 08/01/32 14:33:40

VBASE007.VDF : 7.11.0.6 2048 Bytes 08/01/32 14:33:40

VBASE008.VDF : 7.11.0.7 2048 Bytes 08/01/32 14:33:40

VBASE009.VDF : 7.11.0.8 2048 Bytes 08/01/32 14:33:40

VBASE010.VDF : 7.11.0.9 2048 Bytes 08/01/32 14:33:40

VBASE011.VDF : 7.11.0.10 2048 Bytes 08/01/32 14:33:40

VBASE012.VDF : 7.11.0.11 2048 Bytes 08/01/32 14:33:40

VBASE013.VDF : 7.11.0.52 128000 Bytes 10/01/32 14:33:40

VBASE014.VDF : 7.11.0.91 226816 Bytes 14/01/32 14:33:40

VBASE015.VDF : 7.11.0.122 136192 Bytes 15/01/32 14:33:40

VBASE016.VDF : 7.11.0.156 122880 Bytes 18/01/32 14:33:40

VBASE017.VDF : 7.11.0.185 146944 Bytes 21/01/32 14:33:40

VBASE018.VDF : 7.11.0.228 132608 Bytes 24/01/32 14:33:40

VBASE019.VDF : 7.11.1.5 148480 Bytes 28/01/32 14:33:40

VBASE020.VDF : 7.11.1.37 156672 Bytes 02/02/32 14:33:40

VBASE021.VDF : 7.11.1.65 140800 Bytes 05/02/32 14:33:40

VBASE022.VDF : 7.11.1.87 225280 Bytes 06/02/32 14:33:40

VBASE023.VDF : 7.11.1.124 125440 Bytes 09/02/32 14:33:40

VBASE024.VDF : 7.11.1.155 132096 Bytes 12/02/32 14:33:40

VBASE025.VDF : 7.11.1.189 451072 Bytes 15/02/32 14:33:40

VBASE026.VDF : 7.11.1.230 138752 Bytes 19/02/32 14:33:40

VBASE027.VDF : 7.11.2.12 164352 Bytes 22/02/32 07:22:19

VBASE028.VDF : 7.11.2.13 2048 Bytes 22/02/32 07:22:20

VBASE029.VDF : 7.11.2.14 2048 Bytes 22/02/32 07:22:20

VBASE030.VDF : 7.11.2.15 2048 Bytes 22/02/32 07:22:22

VBASE031.VDF : 7.11.2.31 71168 Bytes 23/02/32 16:45:49

Engineversion : 8.2.4.150

AEVDF.DLL : 8.1.2.1 106868 Bytes 19/02/32 14:33:38

AESCRIPT.DLL : 8.1.3.52 1282426 Bytes 19/02/32 14:33:38

AESCN.DLL : 8.1.7.2 127349 Bytes 19/02/32 14:33:38

AESBX.DLL : 8.1.3.2 254324 Bytes 19/02/32 14:33:38

AERDL.DLL : 8.1.9.2 635252 Bytes 19/02/32 14:33:38

AEPACK.DLL : 8.2.4.8 512374 Bytes 19/02/32 14:33:38

AEOFFICE.DLL : 8.1.1.15 205178 Bytes 19/02/32 14:33:38

AEHEUR.DLL : 8.1.2.68 3178870 Bytes 19/02/32 14:33:38

AEHELP.DLL : 8.1.16.0 246136 Bytes 19/02/32 14:33:36

AEGEN.DLL : 8.1.5.2 397683 Bytes 19/02/32 14:33:36

AEEMU.DLL : 8.1.3.0 393589 Bytes 19/02/32 14:33:36

AECORE.DLL : 8.1.19.2 196983 Bytes 19/02/32 14:33:36

AEBB.DLL : 8.1.1.0 53618 Bytes 19/02/32 14:33:36

AVWINLL.DLL : 10.0.0.0 19304 Bytes 07/01/32 05:39:56

AVPREF.DLL : 10.0.0.0 44904 Bytes 07/01/32 05:39:54

AVREP.DLL : 10.0.0.8 62209 Bytes 21/02/32 18:05:10

AVREG.DLL : 10.0.3.2 53096 Bytes 07/01/32 05:39:54

AVSCPLR.DLL : 10.0.3.2 84328 Bytes 07/01/32 05:39:56

AVARKT.DLL : 10.0.22.6 231784 Bytes 07/01/32 05:39:52

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 07/01/32 05:39:53

SQLITE3.DLL : 3.6.19.0 355688 Bytes 06/07/31 11:27:22

AVSMTP.DLL : 10.0.0.17 63848 Bytes 07/01/32 05:39:56

NETNT.DLL : 10.0.0.0 11624 Bytes 06/07/31 11:27:21

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 13/02/31 10:10:20

RCTEXT.DLL : 10.0.58.0 97128 Bytes 07/01/32 05:40:20

Configuration settings for the scan:

Jobname.............................: Scan for Rootkits and active malware

Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\rootkit.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 99

Smart extensions....................: on

Deviating archive types.............: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, +ISO,

Macro heuristic.....................: on

File heuristic......................: high

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Saturday, January 29, 2011 03:58

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware\schedulerqueue

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'avcenter.exe' - '76' Module(s) have been scanned

Scan process 'avscan.exe' - '65' Module(s) have been scanned

Scan process 'msdtc.exe' - '42' Module(s) have been scanned

Scan process 'dllhost.exe' - '62' Module(s) have been scanned

Scan process 'dllhost.exe' - '48' Module(s) have been scanned

Scan process 'vssvc.exe' - '51' Module(s) have been scanned

Scan process 'unsecapp.exe' - '39' Module(s) have been scanned

Scan process 'LMworker.exe' - '20' Module(s) have been scanned

Scan process 'alg.exe' - '35' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '43' Module(s) have been scanned

Scan process 'btwdins.exe' - '23' Module(s) have been scanned

Scan process 'vmnetdhcp.exe' - '15' Module(s) have been scanned

Scan process 'vmware-authd.exe' - '63' Module(s) have been scanned

Scan process 'IAANTMon.exe' - '38' Module(s) have been scanned

Scan process 'vmnat.exe' - '20' Module(s) have been scanned

Scan process 'vmware-usbarbitrator.exe' - '24' Module(s) have been scanned

Scan process 'UpdaterService.exe' - '23' Module(s) have been scanned

Scan process 'svchost.exe' - '44' Module(s) have been scanned

Scan process 'sqlwriter.exe' - '30' Module(s) have been scanned

Scan process 'mbamservice.exe' - '50' Module(s) have been scanned

Scan process 'jqs.exe' - '35' Module(s) have been scanned

Scan process 'hasplms.exe' - '40' Module(s) have been scanned

Scan process 'dsiwmis.exe' - '41' Module(s) have been scanned

Scan process 'hpotdd01.exe' - '36' Module(s) have been scanned

Scan process 'hpohmr08.exe' - '32' Module(s) have been scanned

Scan process 'BTTray.exe' - '50' Module(s) have been scanned

Scan process 'ctfmon.exe' - '27' Module(s) have been scanned

Scan process 'avgnt.exe' - '54' Module(s) have been scanned

Scan process 'jusched.exe' - '23' Module(s) have been scanned

Scan process 'Apntex.exe' - '22' Module(s) have been scanned

Scan process 'Acrotray.exe' - '28' Module(s) have been scanned

Scan process 'ApMsgFwd.exe' - '25' Module(s) have been scanned

Scan process 'vsnp325.exe' - '21' Module(s) have been scanned

Scan process 'Apoint.exe' - '42' Module(s) have been scanned

Scan process 'snuvcdsm.exe' - '20' Module(s) have been scanned

Scan process 'LManager.exe' - '65' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '25' Module(s) have been scanned

Scan process 'RTHDCPL.EXE' - '38' Module(s) have been scanned

Scan process 'iaanotif.exe' - '40' Module(s) have been scanned

Scan process 'igfxpers.exe' - '25' Module(s) have been scanned

Scan process 'hkcmd.exe' - '28' Module(s) have been scanned

Scan process 'Explorer.EXE' - '112' Module(s) have been scanned

Scan process 'svchost.exe' - '36' Module(s) have been scanned

Scan process 'sched.exe' - '48' Module(s) have been scanned

Scan process 'spoolsv.exe' - '68' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'svchost.exe' - '170' Module(s) have been scanned

Scan process 'SbieSvc.exe' - '28' Module(s) have been scanned

Scan process 'svchost.exe' - '42' Module(s) have been scanned

Scan process 'svchost.exe' - '53' Module(s) have been scanned

Scan process 'avshadow.exe' - '28' Module(s) have been scanned

Scan process 'avguard.exe' - '56' Module(s) have been scanned

Scan process 'lsass.exe' - '61' Module(s) have been scanned

Scan process 'services.exe' - '29' Module(s) have been scanned

Scan process 'winlogon.exe' - '68' Module(s) have been scanned

Scan process 'csrss.exe' - '16' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting to scan executable files (registry).

The registry was scanned ( '547' files ).

Starting the file scan:

Begin scan in 'C:' <OS>

C:\Program Files\LibreOffice 3\Basis\program\python-core-2.6.1\lib\test\testtar.tar

[0] Archive type: TAR (tape archiver)

--> gnu/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/123/longname

[WARNING] Internal error!

[WARNING] Internal error!

End of the scan: Saturday, January 29, 2011 08:51

Used time: 4:53:13 Hour(s)

The scan has been done completely.

55896 Scanned directories

2312791 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

2312791 Files not concerned

17921 Archives were scanned

2 Warnings

0 Notes

1155440 Objects were scanned with rootkit scan

1 Hidden objects were found


ComboFix 11-01-28.03 - Waheb 01/29/2011 14:43:10.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1256.966.1033.18.1013.274 [GMT 3:00]

Running from: c:\documents and settings\Waheb\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Waheb\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))

.

2011-01-28 14:10 . 2011-01-28 14:10 6656 ----a-w- c:\windows\system32\F9551908.exe

2011-01-28 10:24 . 2011-01-28 10:24 6656 ----a-w- c:\windows\system32\BD7EBD1C.exe

2011-01-27 17:55 . 2011-01-27 17:55 -------- d-----w- c:\documents and settings\Waheb\Application Data\Hoyle FaceCreator

2011-01-27 17:55 . 2011-01-27 17:55 -------- d-----w- c:\documents and settings\Waheb\Application Data\Hoyle

2011-01-27 17:54 . 2008-03-05 12:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll

2011-01-27 11:50 . 2011-01-27 11:53 -------- d-----w- c:\program files\fsumfrontend-1.5.5.1-bin

2011-01-26 21:05 . 2011-01-26 21:05 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\WinZip Courier

2011-01-26 20:26 . 2011-01-26 20:26 -------- d-----w- c:\windows\system32\NtmsData

2011-01-26 18:29 . 2010-12-20 15:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-26 18:29 . 2011-01-26 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-26 18:29 . 2010-12-20 15:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-25 17:18 . 2011-01-25 17:18 -------- d-----w- c:\program files\IObit

2011-01-25 17:18 . 2011-01-25 17:18 -------- d-----w- c:\documents and settings\Waheb\Application Data\IObit

2011-01-25 12:01 . 2011-01-25 12:01 -------- d-----w- c:\documents and settings\Administrator

2011-01-24 19:03 . 2011-01-24 19:03 -------- d-----w- c:\documents and settings\Waheb\Application Data\Avira

2011-01-24 18:56 . 2010-12-13 05:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-24 18:56 . 2010-12-13 05:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-01-24 18:56 . 2010-06-17 11:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-01-24 18:56 . 2010-06-17 11:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-01-24 18:56 . 2011-01-24 18:56 -------- d-----w- c:\program files\Avira

2011-01-24 18:56 . 2011-01-24 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-01-24 17:32 . 2011-01-24 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZipEC

2011-01-24 17:32 . 2011-01-24 17:32 -------- d-----w- c:\program files\WinZip Courier

2011-01-24 17:20 . 2011-01-24 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZipSE

2011-01-24 17:20 . 2011-01-24 17:20 -------- d-----w- c:\program files\WinZip Self-Extractor

2011-01-23 10:37 . 2011-01-23 10:37 -------- d-----w- c:\windows\lhsp

2011-01-23 10:36 . 2011-01-23 10:36 -------- d-----w- c:\windows\speech

2011-01-23 10:36 . 2011-01-23 10:36 -------- d-----w- c:\program files\QFIT

2011-01-23 08:29 . 2011-01-23 08:29 -------- d-----w- c:\documents and settings\Waheb\Application Data\TreeCardGames

2011-01-23 08:28 . 2011-01-23 08:29 -------- d-----w- c:\program files\Sudoku Up

2011-01-23 07:58 . 2011-01-27 07:31 -------- d-----w- c:\documents and settings\Waheb\Application Data\MahJong Suite

2011-01-23 07:57 . 2011-01-23 09:12 -------- d-----w- c:\program files\MahJong Suite

2011-01-23 07:51 . 2011-01-23 07:51 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\WinZip

2011-01-23 06:48 . 2011-01-23 06:50 -------- d-----w- c:\documents and settings\Waheb\Application Data\avidemux

2011-01-23 06:48 . 2011-01-23 06:48 -------- d-----w- c:\program files\Avidemux 2.5

2011-01-23 05:07 . 2011-01-24 16:11 -------- d-----w- c:\program files\e-Sword

2011-01-23 05:07 . 2011-01-23 05:07 -------- d-----w- c:\program files\Common Files\EzTools

2011-01-23 05:07 . 2011-01-23 05:07 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\Downloaded Installations

2011-01-19 17:31 . 2011-01-19 17:31 -------- d-----w- c:\documents and settings\Waheb\Application Data\Microsoft FxCop

2011-01-19 17:15 . 2011-01-19 17:15 -------- d-----w- c:\program files\Microsoft FxCop 1.36

2011-01-19 17:03 . 2011-01-19 17:03 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\assembly

2011-01-19 17:03 . 2011-01-19 17:03 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\Deployment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-17 13:02 . 2010-12-17 13:02 100843 ----a-w- c:\windows\SVCFilterDesign Uninstaller.exe

2010-12-17 13:02 . 2010-12-17 13:02 141567 ----a-w- c:\windows\PIEL Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 126948 ----a-w- c:\windows\MeterBasic Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 173041 ----a-w- c:\windows\Helical Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 219975 ----a-w- c:\windows\Diplexer Uninstaller.exe

2010-12-08 08:13 . 2010-12-08 06:55 2478272 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2010-12-08 06:56 . 2010-12-08 06:56 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll

2010-12-01 10:44 . 2010-12-01 10:44 100560 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys

2010-12-01 10:44 . 2010-12-10 20:26 143248 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys

2010-12-01 10:44 . 2010-12-10 20:26 41936 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys

2010-12-01 10:44 . 2010-12-01 10:44 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll

2010-12-01 10:44 . 2010-12-01 10:44 111504 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys

2010-11-29 13:25 . 2010-11-29 13:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-29 13:25 . 2010-10-23 16:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-26 20:30 . 2010-11-26 19:04 67 ----a-w- c:\documents and settings\Waheb\update.bat

2010-11-22 11:30 . 2010-10-23 16:09 31744 ----a-w- c:\windows\system32\maplec.dll

2010-11-22 11:30 . 2010-10-23 16:09 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll

2010-11-22 11:30 . 2010-10-23 16:09 20480 ----a-w- c:\windows\system32\maplecompat.dll

2010-11-18 18:12 . 2010-05-16 21:59 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-11 10:48 . 2010-11-11 10:48 70768 ----a-w- c:\windows\system32\drivers\vmci.sys

2010-11-11 10:48 . 2010-11-11 10:48 854128 ----a-w- c:\windows\system32\drivers\vmx86.sys

2010-11-11 10:48 . 2010-12-10 23:07 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-11-11 10:48 . 2010-12-10 23:07 404080 ----a-w- c:\windows\system32\vmnat.exe

2010-11-11 10:47 . 2010-12-10 23:07 760432 ----a-w- c:\windows\system32\vnetlib.dll

2010-11-11 10:47 . 2010-12-10 23:06 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-11-11 10:46 . 2010-11-11 10:46 51312 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-11-11 10:46 . 2010-11-11 10:46 32752 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2010-11-11 10:46 . 2010-12-10 23:07 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-11-11 09:31 . 2010-11-11 09:31 32368 ----a-w- c:\windows\system32\drivers\hcmon.sys

2010-11-11 09:04 . 2010-11-11 09:04 252528 ----a-w- c:\windows\system32\vmnc.dll

2010-11-11 07:04 . 2010-11-11 07:04 31280 ----a-w- c:\windows\system32\drivers\vmusb.sys

2010-11-11 07:04 . 2010-11-11 07:04 59952 ----a-w- c:\windows\system32\vnetinst.dll

2010-11-11 07:04 . 2010-11-11 07:04 18736 ----a-w- c:\windows\system32\drivers\vmnet.sys

2010-11-11 07:04 . 2010-11-11 07:04 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys

2010-11-09 14:52 . 2010-05-17 08:40 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-07 17:17 . 2010-10-23 16:48 333840 ----a-w- c:\windows\system32\mltcpip32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 93712 ----a-w- c:\windows\system32\mltcp32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 88080 ----a-w- c:\windows\system32\mlshm32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 167952 ----a-w- c:\windows\system32\mlmodule32.dll

2010-11-07 17:17 . 2010-10-23 16:48 79376 ----a-w- c:\windows\system32\mlmap32.mlp

2010-11-07 17:16 . 2010-10-23 16:48 369680 ----a-w- c:\windows\system32\ml32i3.dll

2010-11-07 17:16 . 2010-10-23 16:48 260112 ----a-w- c:\windows\system32\ml32i2.dll

2010-11-07 17:16 . 2010-10-23 16:48 253968 ----a-w- c:\windows\system32\ml32i1.dll

2010-11-06 00:26 . 2010-05-17 08:40 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2010-05-17 08:40 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2010-05-17 08:40 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2010-05-17 08:40 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2010-05-17 08:40 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-11-01 11:27 . 2010-11-01 11:27 217088 ----a-w- c:\windows\system32\DownloadXPro.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-01-26_16.59.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-01-29 00:19 . 2011-01-29 00:19 16384 c:\windows\temp\Perflib_Perfdata_eac.dat

+ 2011-01-29 00:20 . 2011-01-29 00:20 16384 c:\windows\temp\Perflib_Perfdata_e54.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3216664]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-10-17 404200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-16 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-16 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-16 141336]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"RTHDCPL"="RTHDCPL.EXE" [2010-03-12 19521056]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2009-12-11 59936]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-04-08 908368]

"PLFSetL"="c:\windows\PLFSetL.exe" [2010-02-12 99712]

"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2010-02-12 202112]

"snuvcdsm"="c:\windows\snuvcdsm.exe" [2010-02-12 30080]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-04-13 248440]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"snp325"="c:\windows\vsnp325.exe" [2007-05-10 835584]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-10-29 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-12 607584]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Hyperappel du Petit Larousse 2010.lnk - c:\program files\Larousse\Petit Larousse 2010\bin\Hyperappel.exe [2010-10-23 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Maple 13\\jre\\bin\\maple.exe"=

"c:\\Program Files\\eclipse\\eclipse.exe"=

"c:\\Program Files\\Maple 13\\jre\\bin\\java.exe"=

"c:\\Program Files\\Maxima-5.22.1\\bin\\xmaxima.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=

"c:\\Program Files\\Maple 14\\jre\\bin\\maple.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\WinWrapIDE.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.com"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\JRE\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\hasplms.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=

"c:\\Program Files\\Opera 11.00 beta\\opera.exe"=

"c:\\Program Files\\Le Petit Robert 2009 (3.2)\\RobertHA.exe"=

"c:\\Program Files\\Le Petit Robert 2009 (3.2)\\prnet.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\Mathematica.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\MathKernel.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\math.exe"=

"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 0 (0x0)

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [12/10/2010 23:26 143248]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [12/10/2010 23:26 41936]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/24/2011 21:56 135336]

R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [5/17/2010 11:40 312400]

R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2011 21:29 363344]

R2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [5/17/2010 02:33 243232]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 13:48 70768]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 539248]

R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/17/2010 11:40 60456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2011 21:29 20952]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [12/1/2010 13:44 100560]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [12/1/2010 13:44 111504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 13:16 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2010 17:22 135664]

S3 2A0D8282;2A0D8282;c:\windows\system32\2A0D8282.exe --> c:\windows\system32\2A0D8282.exe [?]

S3 A80FD0CE;A80FD0CE;c:\windows\system32\A80FD0CE.exe --> c:\windows\system32\A80FD0CE.exe [?]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 05:46 288112]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/17/2010 02:11 1691480]

S3 BD7EBD1C;BD7EBD1C;c:\windows\system32\BD7EBD1C.exe [1/28/2011 13:24 6656]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 17:51 30963576]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [11/13/2010 23:29 137344]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [11/13/2010 23:29 8320]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 20:37 4640000]

S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [1/13/2009 03:00 451456]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 13:37 517096]

S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 21:24 48128]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 13:16 753504]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/23/2009 06:08 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 03:09 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 03:23 366936]

.

Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8287896517.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 21:52]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 14:22]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 14:22]

2011-01-28 c:\windows\Tasks\Minitab Software Update Manager.job

- c:\program files\Common Files\Minitab Shared\Software Manager\SoftwareManager.exe [2010-03-25 06:45]

2011-01-14 c:\windows\Tasks\WebReg 20110114134107.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-05 22:01]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0401&m=em350&r=0xph1010n125l0484wum5r46n2r739

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

IE: ????? ??? &???? Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: ????? ??? Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\documents and settings\Waheb\Application Data\Mozilla\Firefox\Profiles\7rc0ftad.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-29 15:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2076)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-01-29 15:17:59

ComboFix-quarantined-files.txt 2011-01-29 12:17

ComboFix2.txt 2011-01-26 22:49

ComboFix3.txt 2011-01-26 17:06

Pre-Run: 51,697,356,800 bytes free

Post-Run: 51,681,259,520 bytes free

- - End Of File - - 937D0D77AE9C1C557EFB71B3F0BAAA49

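The three S3 entries in the log above (2A0D8282, A80FD0CE, BD7EBD1C) share one pattern: an eight-hex-digit service name reused verbatim as the display name, an .exe sitting directly in system32 rather than under a product directory, and for two of them a [?] where ComboFix would normally print the image's date and size. The CFScript the helper posts later lists exactly those three names under Driver::. The Python below is an added example, not ComboFix code or anything from the thread: it parses ComboFix service lines and scores each on those traits. The sample lines are copied from the log; the indicator set, the one-point weighting and the threshold of three are this example's own choices. The hasplms entry is included on purpose: it also shows [?] and lives in system32, but it carries a vendor display name and a normal file name, so it stays below the threshold.

```python
"""Triage the Drivers/Services section of a ComboFix log.

Added example (not ComboFix's own code): parses the "R3 name;display;image [meta]"
lines ComboFix prints and scores each entry on traits visible in the thread's log.
Indicator set, weighting (one point each) and the report threshold (3) are this
example's own assumptions, not a published rule set.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix log, plus legitimate entries
# (hasplms, MBAMService, gupdate, osppsvc, VBoxDrv) so the negatives are visible.
SAMPLE_LOG = r"""
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [12/10/2010 23:26 143248]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2011 21:29 363344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2010 17:22 135664]
S3 2A0D8282;2A0D8282;c:\windows\system32\2A0D8282.exe --> c:\windows\system32\2A0D8282.exe [?]
S3 A80FD0CE;A80FD0CE;c:\windows\system32\A80FD0CE.exe --> c:\windows\system32\A80FD0CE.exe [?]
S3 BD7EBD1C;BD7EBD1C;c:\windows\system32\BD7EBD1C.exe [1/28/2011 13:24 6656]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 20:37 4640000]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"        # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"     # service name ; display name ;
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]$"  # image path [date time size] or [?]
)
HEX8_RE = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    start_type: str                # "S3", "R2", ... as printed by ComboFix
    image: str                     # executable path with trailing arguments removed
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_service_line(line: str):
    """Return a dict for one ComboFix service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    # When the registry ImagePath and the resolved path differ, ComboFix prints
    # "<registry value> --> <resolved path>"; keep the resolved side.
    image = m["image"].split(" --> ")[-1].strip()
    # Drop command-line arguments such as "-run" so only the file itself remains.
    exe = re.match(r"(?i)(.*?\.(?:exe|sys|dll))", image)
    return {
        "name": m["name"].strip(),
        "display": m["display"].strip(),
        "start_type": m["state"] + m["start"],
        "image": exe.group(1) if exe else image,
        "meta": m["meta"].strip(),
    }


def triage_service(svc: dict) -> Finding:
    """One point per indicator; the weights are this example's assumption."""
    f = Finding(svc["name"], svc["start_type"], svc["image"])
    path = svc["image"].lower()
    if HEX8_RE.match(svc["name"]):
        f.reasons.append("service name is eight hex digits")
    if svc["display"] == svc["name"]:
        f.reasons.append("display name is just the service name")
    if re.search(r"\\system32\\[^\\]+\.exe$", path):
        f.reasons.append("executable placed directly in system32")
    if re.search(r"\\[0-9a-f]{8}\.exe$", path):
        f.reasons.append("image file name is eight hex digits")
    if svc["meta"] == "?":
        f.reasons.append("no date/size recorded for the image ([?])")
    return f


def triage_log(text: str, threshold: int = 3) -> list:
    """Findings scoring at least `threshold`, strongest first, then by name."""
    findings = []
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc is not None:
            f = triage_service(svc)
            if f.score >= threshold:
                findings.append(f)
    return sorted(findings, key=lambda f: (-f.score, f.name))


def cfscript_driver_block(findings) -> str:
    """Render the flagged names as the 'Driver::' block the helper posted."""
    return "Driver::\n" + "\n".join(f.name for f in findings)


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.start_type} {f.name} score={f.score} {f.image}")
        for r in f.reasons:
            print("   -", r)
    print(cfscript_driver_block(hits))
```

Run it directly to print the scored entries and the Driver:: block; lowering the threshold argument shows which legitimate services come closest (hasplms scores two, MBAMService one), which is why a single trait such as [?] or a bare display name is never enough on its own.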

File name: F9551908.exe

Submission date: 2011-01-29 18:11:27 (UTC)

Current status: finished

Result: 3/ 43 (7.0%)

Antivirus Version Last Update Result

AhnLab-V3 2011.01.27.01 2011.01.27 -

AntiVir 7.11.2.31 2011.01.28 -

Antiy-AVL 2.0.3.7 2011.01.28 -

Avast 4.8.1351.0 2011.01.29 -

Avast5 5.0.677.0 2011.01.29 -

AVG 10.0.0.1190 2011.01.29 -

BitDefender 7.2 2011.01.29 -

CAT-QuickHeal 11.00 2011.01.29 -

ClamAV 0.96.4.0 2011.01.29 -

Commtouch 5.2.11.5 2011.01.28 -

Comodo 7531 2011.01.29 -

DrWeb 5.0.2.03300 2011.01.29 -

Emsisoft 5.1.0.1 2011.01.29 -

eSafe 7.0.17.0 2011.01.27 -

eTrust-Vet 36.1.8126 2011.01.28 -

F-Prot 4.6.2.117 2011.01.28 -

F-Secure 9.0.16160.0 2011.01.29 -

Fortinet 4.2.254.0 2011.01.29 W32/CodecPack.GX!tr.dldr

GData 21 2011.01.29 -

Ikarus T3.1.1.97.0 2011.01.29 -

Jiangmin 13.0.900 2011.01.29 -

K7AntiVirus 9.78.3680 2011.01.29 -

Kaspersky 7.0.0.125 2011.01.29 Trojan-Downloader.Win32.CodecPack.sjt

McAfee 5.400.0.1158 2011.01.29 -

McAfee-GW-Edition 2010.1C 2011.01.29 -

Microsoft 1.6502 2011.01.29 -

NOD32 5830 2011.01.29 -

Norman 6.06.12 2011.01.29 -

nProtect 2011-01-18.01 2011.01.18 -

Panda 10.0.3.5 2011.01.29 Suspicious file

PCTools 7.0.3.5 2011.01.27 -

Prevx 3.0 2011.01.29 -

Rising 23.42.04.06 2011.01.28 -

Sophos 4.61.0 2011.01.29 -

SUPERAntiSpyware 4.40.0.1006 2011.01.29 -

Symantec 20101.3.0.103 2011.01.29 -

TheHacker 6.7.0.1.120 2011.01.26 -

TrendMicro 9.120.0.1004 2011.01.29 -

TrendMicro-HouseCall 9.120.0.1004 2011.01.29 -

VBA32 3.12.14.3 2011.01.29 -

VIPRE 8240 2011.01.29 -

ViRobot 2011.1.29.4282 2011.01.29 -

VirusBuster 13.6.171.1 2011.01.29 -

Additional information

MD5 : 2f5b3d5bcab8eaec43263edf7a45a918

SHA1 : 377b704b6a99f784ff2e2f24e8789ee5d1ba019f

SHA256: a9e4ce36ca738ec265db23a2eeec643bdc256df0686062b69cf4660ad4bbeaea

ssdeep: 96:nPUW2eBXPNBxBWtY1ZuC1PS8A28e9lZGC0e:nc4l58Y17jA2XeBe

File size : 6656 bytes

First seen: 2010-02-08 10:29:15

Last seen : 2011-01-29 18:11:27

TrID:

Win32 Executable Generic (38.4%)

Win32 Dynamic Link Library (generic) (34.1%)

Win16/32 Executable Delphi generic (9.3%)

Generic Win/DOS Executable (9.0%)

DOS Executable Generic (9.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x1C0C

timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)

machinetype......: 0x14c (I386)

[[ 6 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

CODE, 0x1000, 0xCB8, 0xE00, 5.94, f838ddf4b795968e326b06b0e42fb162

DATA, 0x2000, 0x8, 0x200, 0.04, 532dd4aa9cd9b1a3dad1f0b610d1d6cc

BSS, 0x3000, 0xA2321, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

.idata, 0xA6000, 0x284, 0x400, 3.23, 31e8b75f00ee72119e8f0d98f58a0573

.reloc, 0xA7000, 0x110, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

.rsrc, 0xA8000, 0x200, 0x200, 0.08, 793d208c86af793cc8cd917d5a9d29e0

[[ 3 import(s) ]]

advapi32.dll: RegisterServiceCtrlHandlerW, SetServiceStatus, StartServiceCtrlDispatcherW

kernel32.dll: VirtualProtectEx, Sleep, SetErrorMode, LocalUnlock, LocalReAlloc, LocalLock, LocalFree, LocalAlloc, HeapFree, HeapAlloc, GetVolumeInformationW, GetProcessHeap, GetModuleHandleW, GetCommandLineW, FindFirstFileExW, FindClose, ExitProcess

ntdll.dll: ZwQueryInformationFile, ZwCreateFile, ZwClose, RtlInitUnicodeString

ExifTool:

file metadata

CodeSize: 3584

EntryPoint: 0x1c0c

FileSize: 6.5 kB

FileType: Win32 EXE

ImageVersion: 0.0

InitializedDataSize: 2560

LinkerVersion: 2.25

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 1.0

PEType: PE32

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 1992:06:20 00:22:17+02:00

UninitializedDataSize: 0


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=73640

Collect::[8]
c:\windows\system32\2A0D8282.exe
c:\windows\system32\A80FD0CE.exe
c:\windows\system32\BD7EBD1C.exe
c:\windows\system32\F9551908.exe
c:\windows\system32\BD7EBD1C.exe

Driver::
2A0D8282
A80FD0CE
BD7EBD1C

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


File name: BD7EBD1C.exe

Submission date: 2011-01-29 18:15:14 (UTC)

Current status: finished

Result: 3/ 43 (7.0%)

Antivirus Version Last Update Result

AhnLab-V3 2011.01.27.01 2011.01.27 -

AntiVir 7.11.2.31 2011.01.28 -

Antiy-AVL 2.0.3.7 2011.01.28 -

Avast 4.8.1351.0 2011.01.29 -

Avast5 5.0.677.0 2011.01.29 -

AVG 10.0.0.1190 2011.01.29 -

BitDefender 7.2 2011.01.29 -

CAT-QuickHeal 11.00 2011.01.29 -

ClamAV 0.96.4.0 2011.01.29 -

Commtouch 5.2.11.5 2011.01.28 -

Comodo 7531 2011.01.29 -

DrWeb 5.0.2.03300 2011.01.29 -

Emsisoft 5.1.0.1 2011.01.29 -

eSafe 7.0.17.0 2011.01.27 -

eTrust-Vet 36.1.8126 2011.01.28 -

F-Prot 4.6.2.117 2011.01.29 -

F-Secure 9.0.16160.0 2011.01.29 -

Fortinet 4.2.254.0 2011.01.29 W32/CodecPack.GX!tr.dldr

GData 21 2011.01.29 -

Ikarus T3.1.1.97.0 2011.01.29 -

Jiangmin 13.0.900 2011.01.29 -

K7AntiVirus 9.78.3680 2011.01.29 -

Kaspersky 7.0.0.125 2011.01.29 Trojan-Downloader.Win32.CodecPack.sjt

McAfee 5.400.0.1158 2011.01.29 -

McAfee-GW-Edition 2010.1C 2011.01.29 -

Microsoft 1.6502 2011.01.29 -

NOD32 5830 2011.01.29 -

Norman 6.06.12 2011.01.29 -

nProtect 2011-01-18.01 2011.01.18 -

Panda 10.0.3.5 2011.01.29 Suspicious file

PCTools 7.0.3.5 2011.01.27 -

Prevx 3.0 2011.01.29 -

Rising 23.42.04.06 2011.01.28 -

Sophos 4.61.0 2011.01.29 -

SUPERAntiSpyware 4.40.0.1006 2011.01.29 -

Symantec 20101.3.0.103 2011.01.29 -

TheHacker 6.7.0.1.120 2011.01.26 -

TrendMicro 9.120.0.1004 2011.01.29 -

TrendMicro-HouseCall 9.120.0.1004 2011.01.29 -

VBA32 3.12.14.3 2011.01.29 -

VIPRE 8240 2011.01.29 -

ViRobot 2011.1.29.4282 2011.01.29 -

VirusBuster 13.6.171.1 2011.01.29 -

Additional information

MD5 : 2f5b3d5bcab8eaec43263edf7a45a918

SHA1 : 377b704b6a99f784ff2e2f24e8789ee5d1ba019f

SHA256: a9e4ce36ca738ec265db23a2eeec643bdc256df0686062b69cf4660ad4bbeaea

ssdeep: 96:nPUW2eBXPNBxBWtY1ZuC1PS8A28e9lZGC0e:nc4l58Y17jA2XeBe

File size : 6656 bytes

First seen: 2010-02-08 10:29:15

Last seen : 2011-01-29 18:15:14

TrID:

Win32 Executable Generic (38.4%)

Win32 Dynamic Link Library (generic) (34.1%)

Win16/32 Executable Delphi generic (9.3%)

Generic Win/DOS Executable (9.0%)

DOS Executable Generic (9.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x1C0C

timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)

machinetype......: 0x14c (I386)

[[ 6 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

CODE, 0x1000, 0xCB8, 0xE00, 5.94, f838ddf4b795968e326b06b0e42fb162

DATA, 0x2000, 0x8, 0x200, 0.04, 532dd4aa9cd9b1a3dad1f0b610d1d6cc

BSS, 0x3000, 0xA2321, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

.idata, 0xA6000, 0x284, 0x400, 3.23, 31e8b75f00ee72119e8f0d98f58a0573

.reloc, 0xA7000, 0x110, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

.rsrc, 0xA8000, 0x200, 0x200, 0.08, 793d208c86af793cc8cd917d5a9d29e0

[[ 3 import(s) ]]

advapi32.dll: RegisterServiceCtrlHandlerW, SetServiceStatus, StartServiceCtrlDispatcherW

kernel32.dll: VirtualProtectEx, Sleep, SetErrorMode, LocalUnlock, LocalReAlloc, LocalLock, LocalFree, LocalAlloc, HeapFree, HeapAlloc, GetVolumeInformationW, GetProcessHeap, GetModuleHandleW, GetCommandLineW, FindFirstFileExW, FindClose, ExitProcess

ntdll.dll: ZwQueryInformationFile, ZwCreateFile, ZwClose, RtlInitUnicodeString

ExifTool:

file metadata

CodeSize: 3584

EntryPoint: 0x1c0c

FileSize: 6.5 kB

FileType: Win32 EXE

ImageVersion: 0.0

InitializedDataSize: 2560

LinkerVersion: 2.25

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 1.0

PEType: PE32

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 1992:06:20 00:22:17+02:00

UninitializedDataSize: 0


ComboFix 11-01-28.03 - Waheb 01/29/2011 21:52:46.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1256.966.1033.18.1013.302 [GMT 3:00]

Running from: c:\documents and settings\Waheb\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Waheb\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

file zipped: c:\windows\system32\BD7EBD1C.exe

file zipped: c:\windows\system32\F9551908.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\BD7EBD1C.exe

c:\windows\system32\F9551908.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_2A0D8282

-------\Legacy_A80FD0CE

-------\Legacy_BD7EBD1C

-------\Service_2A0D8282

-------\Service_A80FD0CE

-------\Service_BD7EBD1C

((((((((((((((((((((((((( Files Created from 2010-12-28 to 2011-01-29 )))))))))))))))))))))))))))))))

.

2011-01-27 17:55 . 2011-01-27 17:55 -------- d-----w- c:\documents and settings\Waheb\Application Data\Hoyle FaceCreator

2011-01-27 17:55 . 2011-01-27 17:55 -------- d-----w- c:\documents and settings\Waheb\Application Data\Hoyle

2011-01-27 17:54 . 2008-03-05 12:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll

2011-01-27 11:50 . 2011-01-27 11:53 -------- d-----w- c:\program files\fsumfrontend-1.5.5.1-bin

2011-01-26 21:05 . 2011-01-26 21:05 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\WinZip Courier

2011-01-26 20:26 . 2011-01-26 20:26 -------- d-----w- c:\windows\system32\NtmsData

2011-01-26 18:29 . 2010-12-20 15:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-26 18:29 . 2011-01-26 18:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-26 18:29 . 2010-12-20 15:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-25 17:18 . 2011-01-25 17:18 -------- d-----w- c:\program files\IObit

2011-01-25 17:18 . 2011-01-25 17:18 -------- d-----w- c:\documents and settings\Waheb\Application Data\IObit

2011-01-25 12:01 . 2011-01-25 12:01 -------- d-----w- c:\documents and settings\Administrator

2011-01-24 19:03 . 2011-01-24 19:03 -------- d-----w- c:\documents and settings\Waheb\Application Data\Avira

2011-01-24 18:56 . 2010-12-13 05:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-24 18:56 . 2010-12-13 05:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-01-24 18:56 . 2010-06-17 11:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2011-01-24 18:56 . 2010-06-17 11:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2011-01-24 18:56 . 2011-01-24 18:56 -------- d-----w- c:\program files\Avira

2011-01-24 18:56 . 2011-01-24 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-01-24 17:32 . 2011-01-24 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZipEC

2011-01-24 17:32 . 2011-01-24 17:32 -------- d-----w- c:\program files\WinZip Courier

2011-01-24 17:20 . 2011-01-24 17:22 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZipSE

2011-01-24 17:20 . 2011-01-24 17:20 -------- d-----w- c:\program files\WinZip Self-Extractor

2011-01-23 10:37 . 2011-01-23 10:37 -------- d-----w- c:\windows\lhsp

2011-01-23 10:36 . 2011-01-23 10:36 -------- d-----w- c:\windows\speech

2011-01-23 10:36 . 2011-01-23 10:36 -------- d-----w- c:\program files\QFIT

2011-01-23 08:29 . 2011-01-23 08:29 -------- d-----w- c:\documents and settings\Waheb\Application Data\TreeCardGames

2011-01-23 08:28 . 2011-01-23 08:29 -------- d-----w- c:\program files\Sudoku Up

2011-01-23 07:58 . 2011-01-27 07:31 -------- d-----w- c:\documents and settings\Waheb\Application Data\MahJong Suite

2011-01-23 07:57 . 2011-01-23 09:12 -------- d-----w- c:\program files\MahJong Suite

2011-01-23 07:51 . 2011-01-23 07:51 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\WinZip

2011-01-23 06:48 . 2011-01-23 06:50 -------- d-----w- c:\documents and settings\Waheb\Application Data\avidemux

2011-01-23 06:48 . 2011-01-23 06:48 -------- d-----w- c:\program files\Avidemux 2.5

2011-01-23 05:07 . 2011-01-24 16:11 -------- d-----w- c:\program files\e-Sword

2011-01-23 05:07 . 2011-01-23 05:07 -------- d-----w- c:\program files\Common Files\EzTools

2011-01-23 05:07 . 2011-01-23 05:07 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\Downloaded Installations

2011-01-19 17:31 . 2011-01-19 17:31 -------- d-----w- c:\documents and settings\Waheb\Application Data\Microsoft FxCop

2011-01-19 17:15 . 2011-01-19 17:15 -------- d-----w- c:\program files\Microsoft FxCop 1.36

2011-01-19 17:03 . 2011-01-19 17:03 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\assembly

2011-01-19 17:03 . 2011-01-19 17:03 -------- d-----w- c:\documents and settings\Waheb\Local Settings\Application Data\Deployment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-12-17 13:02 . 2010-12-17 13:02 100843 ----a-w- c:\windows\SVCFilterDesign Uninstaller.exe

2010-12-17 13:02 . 2010-12-17 13:02 141567 ----a-w- c:\windows\PIEL Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 126948 ----a-w- c:\windows\MeterBasic Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 173041 ----a-w- c:\windows\Helical Uninstaller.exe

2010-12-17 13:01 . 2010-12-17 13:01 219975 ----a-w- c:\windows\Diplexer Uninstaller.exe

2010-12-08 08:13 . 2010-12-08 06:55 2478272 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll

2010-12-08 06:56 . 2010-12-08 06:56 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll

2010-12-01 10:44 . 2010-12-01 10:44 100560 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys

2010-12-01 10:44 . 2010-12-10 20:26 143248 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys

2010-12-01 10:44 . 2010-12-10 20:26 41936 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys

2010-12-01 10:44 . 2010-12-01 10:44 133648 ----a-w- c:\windows\system32\VBoxNetFltNotify.dll

2010-12-01 10:44 . 2010-12-01 10:44 111504 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys

2010-11-29 13:25 . 2010-11-29 13:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-29 13:25 . 2010-10-23 16:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-26 20:30 . 2010-11-26 19:04 67 ----a-w- c:\documents and settings\Waheb\update.bat

2010-11-22 11:30 . 2010-10-23 16:09 31744 ----a-w- c:\windows\system32\maplec.dll

2010-11-22 11:30 . 2010-10-23 16:09 212992 ----a-w- c:\windows\system32\WMIMPLEX.dll

2010-11-22 11:30 . 2010-10-23 16:09 20480 ----a-w- c:\windows\system32\maplecompat.dll

2010-11-18 18:12 . 2010-05-16 21:59 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-11 10:48 . 2010-11-11 10:48 70768 ----a-w- c:\windows\system32\drivers\vmci.sys

2010-11-11 10:48 . 2010-11-11 10:48 854128 ----a-w- c:\windows\system32\drivers\vmx86.sys

2010-11-11 10:48 . 2010-12-10 23:07 334448 ----a-w- c:\windows\system32\vmnetdhcp.exe

2010-11-11 10:48 . 2010-12-10 23:07 404080 ----a-w- c:\windows\system32\vmnat.exe

2010-11-11 10:47 . 2010-12-10 23:07 760432 ----a-w- c:\windows\system32\vnetlib.dll

2010-11-11 10:47 . 2010-12-10 23:06 24688 ----a-w- c:\windows\system32\drivers\VMkbd.sys

2010-11-11 10:46 . 2010-11-11 10:46 51312 ----a-w- c:\windows\system32\vmnetbridge.dll

2010-11-11 10:46 . 2010-11-11 10:46 32752 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys

2010-11-11 10:46 . 2010-12-10 23:07 26352 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys

2010-11-11 09:31 . 2010-11-11 09:31 32368 ----a-w- c:\windows\system32\drivers\hcmon.sys

2010-11-11 09:04 . 2010-11-11 09:04 252528 ----a-w- c:\windows\system32\vmnc.dll

2010-11-11 07:04 . 2010-11-11 07:04 31280 ----a-w- c:\windows\system32\drivers\vmusb.sys

2010-11-11 07:04 . 2010-11-11 07:04 59952 ----a-w- c:\windows\system32\vnetinst.dll

2010-11-11 07:04 . 2010-11-11 07:04 18736 ----a-w- c:\windows\system32\drivers\vmnet.sys

2010-11-11 07:04 . 2010-11-11 07:04 16560 ----a-w- c:\windows\system32\drivers\vmnetadapter.sys

2010-11-09 14:52 . 2010-05-17 08:40 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-07 17:17 . 2010-10-23 16:48 333840 ----a-w- c:\windows\system32\mltcpip32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 93712 ----a-w- c:\windows\system32\mltcp32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 88080 ----a-w- c:\windows\system32\mlshm32.mlp

2010-11-07 17:17 . 2010-10-23 16:48 167952 ----a-w- c:\windows\system32\mlmodule32.dll

2010-11-07 17:17 . 2010-10-23 16:48 79376 ----a-w- c:\windows\system32\mlmap32.mlp

2010-11-07 17:16 . 2010-10-23 16:48 369680 ----a-w- c:\windows\system32\ml32i3.dll

2010-11-07 17:16 . 2010-10-23 16:48 260112 ----a-w- c:\windows\system32\ml32i2.dll

2010-11-07 17:16 . 2010-10-23 16:48 253968 ----a-w- c:\windows\system32\ml32i1.dll

2010-11-06 00:26 . 2010-05-17 08:40 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26 . 2010-05-17 08:40 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26 . 2010-05-17 08:40 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25 . 2010-05-17 08:40 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2010-05-17 08:40 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-11-01 11:27 . 2010-11-01 11:27 217088 ----a-w- c:\windows\system32\DownloadXPro.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SRS Audio Sandbox"="c:\program files\SRS Labs\Audio Sandbox\SRSSSC.exe" [2010-01-07 3216664]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-10-17 404200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-16 141336]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-16 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-16 141336]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"RTHDCPL"="RTHDCPL.EXE" [2010-03-12 19521056]

"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2009-12-11 59936]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"LManager"="c:\program files\Launch Manager\LManager.exe" [2010-04-08 908368]

"PLFSetL"="c:\windows\PLFSetL.exe" [2010-02-12 99712]

"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2010-02-12 202112]

"snuvcdsm"="c:\windows\snuvcdsm.exe" [2010-02-12 30080]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-04-13 248440]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"snp325"="c:\windows\vsnp325.exe" [2007-05-10 835584]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-10-29 611712]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-12 607584]

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]

hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

Hyperappel du Petit Larousse 2010.lnk - c:\program files\Larousse\Petit Larousse 2010\bin\Hyperappel.exe [2010-10-23 237568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\Maple 13\\jre\\bin\\maple.exe"=

"c:\\Program Files\\eclipse\\eclipse.exe"=

"c:\\Program Files\\Maple 13\\jre\\bin\\java.exe"=

"c:\\Program Files\\Maxima-5.22.1\\bin\\xmaxima.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=

"c:\\Program Files\\Maple 14\\jre\\bin\\maple.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\WinWrapIDE.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.exe"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.com"=

"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\JRE\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\hasplms.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\Mathematica.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\MathKernel.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\7.0\\math.exe"=

"c:\\Program Files\\Opera 11.00 beta\\opera.exe"=

"c:\\Program Files\\Le Petit Robert 2009 (3.2)\\RobertHA.exe"=

"c:\\Program Files\\Le Petit Robert 2009 (3.2)\\prnet.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\Mathematica.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\MathKernel.exe"=

"c:\\Program Files\\Wolfram Research\\Mathematica\\8.0\\math.exe"=

"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [12/10/2010 23:26 143248]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [12/10/2010 23:26 41936]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/24/2011 21:56 135336]

R2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [5/17/2010 11:40 312400]

R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/26/2011 21:29 363344]

R2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [5/17/2010 02:33 243232]

R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [11/11/2010 13:48 70768]

R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [11/11/2010 12:31 539248]

R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [5/17/2010 11:40 60456]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/26/2011 21:29 20952]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [12/1/2010 13:44 100560]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [12/1/2010 13:44 111504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 13:16 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2010 17:22 135664]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 05:46 288112]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/17/2010 02:11 1691480]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 17:51 30963576]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [11/13/2010 23:29 137344]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [11/13/2010 23:29 8320]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 20:37 4640000]

S3 SNP325;USB PC Camera (SNPSTD325);c:\windows\system32\drivers\snp325.sys [1/13/2009 03:00 451456]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 13:37 517096]

S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [12/8/2009 21:24 48128]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 13:16 753504]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/23/2009 06:08 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 03:09 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 03:23 366936]

.

Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8287896517.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 21:52]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 14:22]

2011-01-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-23 14:22]

2011-01-29 c:\windows\Tasks\Minitab Software Update Manager.job

- c:\program files\Common Files\Minitab Shared\Software Manager\SoftwareManager.exe [2010-03-25 06:45]

2011-01-14 c:\windows\Tasks\WebReg 20110114134107.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe [2003-04-05 22:01]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0401&m=em350&r=0xph1010n125l0484wum5r46n2r739

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

IE: ????? ??? &???? Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: ????? ??? Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\documents and settings\Waheb\Application Data\Mozilla\Firefox\Profiles\7rc0ftad.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=937811&p=

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adobe Contribute Toolbar: {01A8CA0A-4C96-465b-A49B-65C46FAD54F9} - c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}

FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-01-29 22:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1312)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\btmmhook.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

c:\program files\Apoint2K\ApMsgFwd.exe

c:\program files\Apoint2K\Apntex.exe

c:\windows\system32\hasplms.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\vmnat.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\windows\system32\vmnetdhcp.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\windows\system32\msiexec.exe

c:\program files\Launch Manager\LMworker.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-01-29 22:36:20 - machine was rebooted

ComboFix-quarantined-files.txt 2011-01-29 19:36

ComboFix2.txt 2011-01-29 12:18

ComboFix3.txt 2011-01-26 22:49

ComboFix4.txt 2011-01-26 17:06

Pre-Run: 51,611,131,904 bytes free

Post-Run: 51,499,290,624 bytes free

- - End Of File - - 45998DA4CA27C87928BA04FD3E4C46A1


File name: DownloadXPro.dll

Submission date: 2011-01-29 20:18:30 (UTC)

Current status: finished

Result: 0/ 43 (0.0%)

Antivirus Version Last Update Result

AhnLab-V3 2011.01.27.01 2011.01.27 -

AntiVir 7.11.2.31 2011.01.28 -

Antiy-AVL 2.0.3.7 2011.01.28 -

Avast 4.8.1351.0 2011.01.29 -

Avast5 5.0.677.0 2011.01.29 -

AVG 10.0.0.1190 2011.01.29 -

BitDefender 7.2 2011.01.29 -

CAT-QuickHeal 11.00 2011.01.29 -

ClamAV 0.96.4.0 2011.01.29 -

Commtouch 5.2.11.5 2011.01.29 -

Comodo 7531 2011.01.29 -

DrWeb 5.0.2.03300 2011.01.29 -

Emsisoft 5.1.0.1 2011.01.29 -

eSafe 7.0.17.0 2011.01.27 -

eTrust-Vet 36.1.8126 2011.01.28 -

F-Prot 4.6.2.117 2011.01.29 -

F-Secure 9.0.16160.0 2011.01.29 -

Fortinet 4.2.254.0 2011.01.29 -

GData 21 2011.01.29 -

Ikarus T3.1.1.97.0 2011.01.29 -

Jiangmin 13.0.900 2011.01.29 -

K7AntiVirus 9.78.3680 2011.01.29 -

Kaspersky 7.0.0.125 2011.01.29 -

McAfee 5.400.0.1158 2011.01.29 -

McAfee-GW-Edition 2010.1C 2011.01.29 -

Microsoft 1.6502 2011.01.29 -

NOD32 5830 2011.01.29 -

Norman 6.06.12 2011.01.29 -

nProtect 2011-01-18.01 2011.01.18 -

Panda 10.0.3.5 2011.01.29 -

PCTools 7.0.3.5 2011.01.29 -

Prevx 3.0 2011.01.29 -

Rising 23.42.04.06 2011.01.28 -

Sophos 4.61.0 2011.01.29 -

SUPERAntiSpyware 4.40.0.1006 2011.01.29 -

Symantec 20101.3.0.103 2011.01.29 -

TheHacker 6.7.0.1.120 2011.01.26 -

TrendMicro 9.120.0.1004 2011.01.29 -

TrendMicro-HouseCall 9.120.0.1004 2011.01.29 -

VBA32 3.12.14.3 2011.01.29 -

VIPRE 8241 2011.01.29 -

ViRobot 2011.1.29.4282 2011.01.29 -

VirusBuster 13.6.171.1 2011.01.29 -

Additional information

MD5 : 81442cb75cdee12fd0aff730379678e6

SHA1 : 383e55bd0847b0f0c2f64118545cbe797a79711f

SHA256: 723f9ffaee38415c4e31afdf27a75ee09e3e901417bb01379e82b22e9ee674f4

ssdeep: 6144:kjPWcQDyL7y+HtY7Vyh2y2+Pz18XlaFPcEgZV1twHH:kjfMOI7Vyh23+bQWPMqn

File size : 217088 bytes

First seen: 2010-11-11 07:47:01

Last seen : 2011-01-29 20:18:30

TrID:

DirectShow filter (50.8%)

Windows OCX File (31.1%)

Win32 Executable MS Visual C++ (generic) (9.5%)

Windows Screen Saver (3.3%)

Win32 Executable Generic (2.1%)

sigcheck:

publisher....: DownloadXCtrl.com

copyright....: Copyright © 2010 DownloadXCtrl.com. All rights reserved.

product......: DownloadX ActiveX Download Control

description..: DownloadX ActiveX Download Control

original name: DownloadXPro.dll

internal name: DownloadXPro.dll

file version.: 1.5.2.0

comments.....:

signers......: -

signing date.: -

verified.....: Unsigned

PEiD: Armadillo v1.xx - v2.xx

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x2321D

timedatestamp....: 0x4CCEC048 (Mon Nov 01 13:27:36 2010)

machinetype......: 0x14c (I386)

[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x222CC, 0x23000, 6.31, 01792f3dd0b268a2b825cccdbe14008e

.rdata, 0x24000, 0x3AA9, 0x4000, 5.48, 2792e8f4a18f6083df37c741158d5395

.data, 0x28000, 0x4354, 0x5000, 3.53, fed1da01b6b1762e8f8e3358c0b6e4a2

.rsrc, 0x2D000, 0x3AC0, 0x4000, 4.67, cf61d6ae95a000ef0f7613dcab24c5f7

.reloc, 0x31000, 0x33EC, 0x4000, 5.83, aa71e8ebe13ffbb3f0646fc2d423a57b

[[ 14 import(s) ]]

KERNEL32.dll: GetCurrentProcess, FlushInstructionCache, VirtualAlloc, VirtualFree, GlobalAlloc, GlobalLock, GlobalUnlock, lstrlenW, CreateEventW, GetModuleHandleA, GetModuleFileNameW, InterlockedIncrement, InterlockedDecrement, DisableThreadLibraryCalls, SetEvent, MoveFileExW, SetFilePointerEx, ResetEvent, WaitForMultipleObjects, SetFilePointer, FlushFileBuffers, SetEndOfFile, GetTempPathW, FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, ResumeThread, Sleep, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GetLocalTime, SystemTimeToFileTime, CreateDirectoryW, CloseHandle, ReadFile, WriteFile, CreateFileW, GetLocaleInfoW, GetNumberFormatW, CompareStringW, GetStringTypeW, GetLastError, GetTickCount, FreeLibrary, LoadLibraryW, GetProcAddress, LocalFree, LocalAlloc, MultiByteToWideChar

USER32.dll: SetWindowPos, EnableWindow, CreateWindowExW, ShowWindow, GetWindowRect, SendMessageW, PeekMessageW, TranslateMessage, DispatchMessageW, CharLowerBuffW, CharUpperBuffW, PostMessageW, GetKeyState, UpdateWindow, InvalidateRect, IsWindow, SetFocus, IsChild, GetFocus, GetParent, MessageBoxW, DestroyWindow, GetWindowLongW, GetSysColor, KillTimer, SetTimer, RedrawWindow, SetWindowLongW, IsWindowVisible, BeginPaint, GetClientRect, EndPaint, IntersectRect, EqualRect, OffsetRect, SetWindowRgn, UnionRect, PtInRect, FillRect, DefWindowProcW, RegisterWindowMessageW, GetSystemMetrics, CallWindowProcW

GDI32.dll: GetDeviceCaps, DeleteObject, CreateSolidBrush, CreateRectRgnIndirect, DeleteMetaFile, CloseMetaFile, SetWindowExtEx, SetWindowOrgEx, SaveDC, CreateMetaFileW, DeleteDC, SetViewportOrgEx, SetMapMode, RestoreDC, LPtoDP

comdlg32.dll: GetSaveFileNameW

SHELL32.dll: SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc

ole32.dll: CoTaskMemFree, CreateDataAdviseHolder, CoTaskMemAlloc, OleRegGetUserType, OleRegEnumVerbs, CoCreateInstance, OleRegGetMiscStatus, CreateOleAdviseHolder

OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -

WS2_32.dll: -, -, -, -, -, -, -, -, -, -

WININET.dll: InternetQueryOptionW

COMCTL32.dll: ImageList_Destroy, InitCommonControlsEx, ImageList_LoadImageW

ATL.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

MSVCP60.dll: __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@ABV01@IIABV_$allocator@G@1@@Z, _erase@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@II@Z, _erase@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@II@Z, _resize@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEXI@Z, _find@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, _insert@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IPBGI@Z, __9std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, _find_first_of@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, _npos@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@2IB, _assign@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z, __Freeze@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEXXZ, _replace@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IIPBGI@Z, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@PBDI@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, _assign@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@PBGI@Z, __C@_1___Nullstr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@CAPBGXZ@4GB, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@PBGABV_$allocator@G@1@@Z, _c_str@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEPBGXZ, __Tidy@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@AAEX_N@Z, __Freeze@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXXZ, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@PBDABV_$allocator@D@1@@Z, 
_c_str@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QBEPBDXZ, __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@ABV12@II@Z, __1_Winit@std@@QAE@XZ, __0_Winit@std@@QAE@XZ, __1Init@ios_base@std@@QAE@XZ, __0Init@ios_base@std@@QAE@XZ, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ID@Z, _resize@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEXI@Z, _find_last_of@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z, _substr@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBE_AV12@II@Z, __Hstd@@YA_AV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@ABV10@0@Z, _length@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIXZ, __8std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@0@Z, __9std@@YA_NABV_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@0@PBG@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@IG@Z, _append@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAEAAV12@PBGI@Z, __0_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QAE@ABV01@@Z, _rfind@_$basic_string@GU_$char_traits@G@std@@V_$allocator@G@2@@std@@QBEIPBGII@Z

CRYPT32.dll: CertGetNameStringW, CertDuplicateCertificateContext, CertVerifyTimeValidity, CertCloseStore, CertFindCertificateInStore, CertOpenSystemStoreW, CertFindChainInStore, CertVerifyCertificateChainPolicy, CertGetCertificateChain, CertFreeCertificateContext

MSVCRT.dll: wcstombs, _purecall, memmove, mbstowcs, wcscmp, _CxxThrowException, floor, ceil, _ftol, _vsnwprintf, _beginthreadex, qsort, memcmp, free, realloc, malloc, strtok, sscanf, __1type_info@@UAE@XZ, __dllonexit, _onexit, _initterm, _adjust_fdiv, wcscpy, strcat, wcsncpy, _snprintf, wcslen, strncpy, strstr, atoi, strcpy, strlen, __2@YAPAXI@Z, memcpy, memset

[[ 4 export(s) ]]

DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

ExifTool:

file metadata

CharacterSet: Unicode

CodeSize: 143360

Comments:

CompanyName: DownloadXCtrl.com

EntryPoint: 0x2321d

FileDescription: DownloadX ActiveX Download Control

FileFlagsMask: 0x003f

FileOS: Win32

FileSize: 212 kB

FileSubtype: 0

FileType: Win32 DLL

FileVersion: 1.5.2.0

FileVersionNumber: 1.5.2.0

ImageVersion: 0.0

InitializedDataSize: 69632

InternalName: DownloadXPro.dll

LanguageCode: English (U.S.)

LegalCopyright: Copyright © 2010 DownloadXCtrl.com. All rights reserved.

LegalTrademarks:

LinkerVersion: 6.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OLESelfRegister:

OSVersion: 4.0

ObjectFileType: Dynamic link library

OriginalFilename: DownloadXPro.dll

PEType: PE32

PrivateBuild:

ProductName: DownloadX ActiveX Download Control

ProductVersion: 1, 5, 2, 0

ProductVersionNumber: 1.5.2.0

SpecialBuild:

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2010:11:01 14:27:36+01:00

UninitializedDataSize: 0
