BleepingComputer.com: Fresh Hijack This Log

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Fresh Hijack This Log

#1 User is offline   abckid24 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 26
  • Joined: 29-December 05

Posted 05 December 2009 - 07:04 PM

Hi.. would someone be able to analyze my log? My computer seems to be infected with some stuff.. I've ran AVG and a couple syware programs..but nothing seems to be clearing up. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:28 PM, on 12/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\Compaq_Owner\Desktop\pppppppppp\XoftSpySE6\XoftSpySE.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hjt-data.trendmicro.com/hjt/analyze...?report=3560990
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [XoftSpySE] "C:\Documents and Settings\Compaq_Owner\Desktop\pppppppppp\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegGenie v2.0 - Trial Expired] "C:\Documents and Settings\Compaq_Owner\Desktop\pppppppppp\reg\RegGenieOnRebootExpired.exe"
O4 - HKCU\..\Run: [RegGenie v2.0] "C:\Documents and Settings\Compaq_Owner\Desktop\pppppppppp\reg\RegGenieOnReboot.exe"
O4 - HKUS\S-1-5-21-4246246997-3590910095-3040352822-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4246246997-3590910095-3040352822-1009\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-4246246997-3590910095-3040352822-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4246246997-3590910095-3040352822-1009\..\Run: [RegGenie v2.0 - Trial Expired] "C:\Documents and Settings\Compaq_Owner\Desktop\pppppppppp\reg\RegGenieOnRebootExpired.exe" (User '?')
O4 - HKUS\S-1-5-21-4246246997-3590910095-3040352822-1009\..\Run: [RegGenie v2.0] "C:\Documents and Settings\Compaq_Owner\Desktop\pppppppppp\reg\RegGenieOnReboot.exe" (User '?')
O4 - S-1-5-20 Startup: scandisk.dll (User '?')
O4 - S-1-5-20 Startup: scandisk.lnk = ? (User '?')
O4 - S-1-5-21-4246246997-3590910095-3040352822-1009 Startup: scandisk.dll (User '?')
O4 - S-1-5-21-4246246997-3590910095-3040352822-1009 Startup: scandisk.lnk = ? (User '?')
O4 - S-1-5-18 Startup: scandisk.dll (User '?')
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User '?')
O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')
O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: scandisk.dll
O4 - Startup: scandisk.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C353292-0AD1-4F1E-A358-531FDE6AFC59}: NameServer = 192.168.1.1,192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C353292-0AD1-4F1E-A358-531FDE6AFC59}: NameServer = 192.168.1.1,192.168.1.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{1C353292-0AD1-4F1E-A358-531FDE6AFC59}: NameServer = 192.168.1.1,192.168.1.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ccEvtMgr - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ccISPwdSvc - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: ccProxy - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: ccSetMgr - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: comHost - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: IDriverT - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: LightScribeService - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: navapsvc - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NSCService - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVSvc - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\VRT81.tmp (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 13141 bytes

#2 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 19 December 2009 - 04:23 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a Hijackthis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 User is offline   abckid24 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 26
  • Joined: 29-December 05

Posted 21 December 2009 - 11:20 AM

Thank you for the reply...

=====================================
=====================================
DDS
=====================================
=====================================

DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Owner at 8:06:11.51 on Mon 12/21/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.141 [GMT -8:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchust.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wmdtc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\lsm32.sys
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,_IWMPEvents@0
mRun: [jiqmkjgm] c:\windows\system32\config\systemprofile\local settings\application data\djvvfk\xkufsysguard.exe
mRun: [wmpaonpf] c:\windows\system32\config\systemprofile\local settings\application data\didfqd\xvrnsysguard.exe
dRun: [notepad] rundll32.exe c:\docume~1\networ~1\ntload.dll,_IWMPEvents@0
dRun: [jiqmkjgm] c:\windows\system32\config\systemprofile\local settings\application data\djvvfk\xkufsysguard.exe
dRun: [wmpaonpf] c:\windows\system32\config\systemprofile\local settings\application data\didfqd\xvrnsysguard.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {24E794CE-267F-4083-B81B-19BDE10D0D5B} = 192.168.1.1,192.168.1.2

============= SERVICES / DRIVERS ===============

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-16 192112]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-16 202352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-16 169584]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-4 60928]
R2 Ias;Windows Device Access;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 Iprip;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-10-6 133744]
R2 Net_Login;Net_Login;c:\windows\svchust.exe [2009-12-13 766465]
R2 NetLogin;Net Login;c:\windows\svchost.exe [2009-12-8 1169408]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060104.006\NAVENG.Sys [2006-2-22 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060104.006\NavEx15.Sys [2006-2-22 750952]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-22 1119888]
S3 winsts;winsts;c:\windows\system32\winsts.sys [2004-8-4 2304]

=============== Created Last 30 ================

2009-12-28 06:55:49 7525 ----a-w- c:\windows\4d69steal1z549.ocx
2009-12-25 01:19:11 12737 ----a-w- c:\windows\5536sp9rse8z.dll
2009-12-24 07:58:36 6489 ----a-w- c:\windows\56792vi9uz736.dll
2009-12-23 11:25:54 9961 ----a-w- c:\windows\17z95viru559b.bin
2009-12-22 19:42:26 14992 ----a-w- c:\windows\599dbaczdoor2353.dll
2009-12-21 00:50:01 88576 ----a-w- c:\windows\system32\5.tmp
2009-12-21 00:50:00 88 ----a-w- c:\windows\system32\4.tmp
2009-12-20 01:40:44 88576 ----a-w- c:\windows\system32\24.tmp
2009-12-20 01:40:40 88 ----a-w- c:\windows\system32\23.tmp
2009-12-19 15:25:53 12555 ----a-w- c:\windows\z9253hack9ool655.cpl
2009-12-19 08:18:06 88576 ----a-w- c:\windows\system32\3.tmp
2009-12-19 08:18:05 88 ----a-w- c:\windows\system32\2.tmp
2009-12-19 07:00:19 0 d-sh--r- C:\cmdcons
2009-12-18 23:18:20 13305 ----a-w- c:\windows\759ds9zal869.cpl
2009-12-17 02:53:59 6169 ----a-w- c:\windows\4z27vi59543.ocx
2009-12-16 20:48:25 16177 ----a-w- c:\windows\7201spy5arz689.ocx
2009-12-14 07:00:43 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-14 07:00:32 1855 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_ER919AA-ABA SR1820NX NA620_YC_0Pres_QCNH610_E62NAheREA2_48_INAGAMI_SASUSTek Computer INC._V1.01_B3.01_T060209_WXH2_L409_M447_J160_7AMD_8Athlon 64_92.2_#080117_N_Z11C10620_G10DE0241_O_DHWP2647.MRK
2009-12-14 06:58:53 0 d-----w- c:\docume~1\compaq~1\applic~1\Symantec
2009-12-14 06:58:53 0 d-----w- c:\docume~1\compaq~1\applic~1\Intuit
2009-12-14 06:50:57 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-14 06:50:40 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-14 05:29:31 102401 ----a-w- c:\windows\sv2.exe
2009-12-14 05:02:10 0 d-sh--r- c:\windows\system32\dllcache
2009-12-14 00:03:28 766465 ----a-w- c:\windows\svchust.exe
2009-12-14 00:00:11 0 d-sh--w- C:\found.000
2009-12-13 04:26:39 0 d-----w- c:\program files\InternetSecurity2010
2009-12-13 03:29:27 46 ----a-w- C:\p2hhr.bat
2009-12-13 03:22:44 168 ----a-w- C:\fyjrshntjm108.bat
2009-12-13 02:55:29 0 d-----w- c:\program files\SopCast
2009-12-13 02:55:15 0 d-----w- c:\program files\Ask.com
2009-12-12 03:54:28 100958 ----a-w- C:\dror.exe
2009-12-12 03:54:26 76515 ----a-w- C:\pdvwd.exe
2009-12-12 03:54:26 180224 ----a-w- C:\nymeu.exe
2009-12-12 03:54:25 44032 ----a-w- C:\tdndhuv.exe
2009-12-12 03:54:13 337920 ----a-w- C:\CYQS.exe
2009-12-11 03:41:55 301056 ----a-w- C:\ccu.exe
2009-12-11 02:30:41 287744 ----a-w- C:\ycvz.exe
2009-12-10 11:37:20 287744 ----a-w- C:\pfL.exe
2009-12-09 19:51:18 18207 ----a-w- c:\windows\1ddabackdoo519z.bin
2009-12-09 03:59:38 112520 ----a-w- C:\ryiasu.exe
2009-12-09 03:59:37 74752 ----a-w- C:\eauxx.exe
2009-12-09 01:03:28 0 d-----w- C:\800cc9a67a25cb3093
2009-12-08 15:25:43 56 ----a-w- c:\windows\Micorsoft.bat
2009-12-08 12:09:10 1239 ----a-w- C:\shellfix.zip
2009-12-08 11:35:28 1169408 ----a-w- c:\windows\svchost.exe
2009-12-08 11:35:08 441857 ----a-w- c:\windows\isvchost.exe
2009-12-08 10:32:59 280576 ----a-w- c:\windows\PEV.exe
2009-12-08 10:32:59 182272 ----a-w- c:\windows\SWREG.exe
2009-12-08 10:32:59 118784 ----a-w- c:\windows\sed.exe
2009-12-08 10:32:59 100864 ----a-w- c:\windows\MBR.exe
2009-12-08 10:32:55 0 d-----w- C:\ComboFix
2009-12-08 02:33:34 382 ----a-w- c:\windows\explorer.RPT
2009-12-07 03:55:49 0 d-----w- c:\program files\MSSOAP
2009-12-07 03:55:07 1563008 ----a-w- c:\windows\WRSetup.dll
2009-12-07 03:55:06 0 d-----w- c:\program files\Webroot
2009-12-07 03:55:06 0 d-----w- c:\docume~1\compaq~1\applic~1\Webroot
2009-12-07 03:55:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2009-12-07 03:52:38 164 ----a-w- c:\windows\install.dat
2009-12-07 03:42:31 0 d-----w- c:\program files\a-squared Anti-Malware
2009-12-07 03:21:55 0 d-----w- c:\program files\a-squared Free
2009-12-04 19:42:48 0 d-----w- c:\program files\Input Director
2009-12-04 15:25:31 0 d-----w- C:\$AVG
2009-12-04 15:23:43 0 d-----w- c:\program files\AVG
2009-12-04 15:23:40 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-04 14:58:24 622 ----a-w- c:\windows\RegGenie.ini
2009-12-04 14:32:10 161816 ----a-w- c:\windows\RegGenieOnUninstall.exe
2009-12-04 14:30:45 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-12-04 14:30:44 0 d-----w- c:\program files\common files\ParetoLogic
2009-12-04 14:30:43 0 d-----w- c:\program files\common files\XoftSpySE
2009-12-04 14:30:41 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2009-12-03 07:05:29 7813 ----a-w- c:\windows\61c6thiz917355.cpl
2009-12-03 03:32:12 11819 ----a-w- c:\windows\6796backd5or68z.cpl
2009-11-28 05:11:36 14369 ----a-w- c:\windows\2c74d5wnloader19z1.ocx
2009-11-25 23:06:55 3216 ----a-w- c:\windows\951zdownloade5703.bin
2009-11-24 14:53:38 3939 ----a-w- c:\windows\5f9dvzr1859.cpl
2009-11-23 16:50:43 11198 ----a-w- c:\windows\16555virus995z.dll

==================== Find3M ====================

2009-11-12 12:33:17 15370 ----a-w- c:\windows\z5692w5rm79c.exe
2009-11-07 18:05:14 34816 ----a-r- c:\windows\Setup_ck.exe
2009-11-07 18:04:43 18944 ----a-w- c:\windows\Ckrfresh.exe
2009-11-07 18:04:43 173056 ----a-w- c:\windows\Ckconfig.exe
2009-11-07 03:32:02 32768 ----a-w- C:\yeoumtkh.exe
2009-11-07 03:32:01 66048 ----a-w- C:\sadcadwm.exe
2009-11-07 03:32:00 90624 ----a-w- C:\sacbnjm.exe
2009-11-07 03:31:57 66048 ----a-w- C:\fabbw.exe
2009-11-07 03:31:55 296448 ----a-w- C:\gvU9.exe
2009-11-07 03:31:49 97792 ----a-w- C:\juvau.exe
2009-11-07 03:31:49 39936 ----a-w- C:\jjxaejk.exe
2009-11-05 21:56:06 75264 ----a-w- C:\ktpubj.exe
2009-11-05 21:52:01 75264 ----a-w- C:\ltafa.exe
2009-11-04 21:22:08 6059 ----a-w- c:\windows\1645vir9z3.bin
2009-10-29 03:45:54 262144 ----a-w- C:\rfkykhaf.exe
2009-10-27 08:57:56 135367 ----a-w- c:\windows\zAdBHO.dll
2009-10-23 08:57:46 9538 ----a-w- c:\windows\35a1s9yw5ze1359.exe
2009-10-22 04:47:51 18074 ----a-w- c:\windows\7740addw9re1z55.dll
2009-10-15 08:34:11 13068 ----a-w- c:\windows\3afbbackdooz2599.dll
2009-10-10 23:43:34 11259 ----a-w- c:\windows\3205azd5are1969.bin
2009-10-08 15:31:46 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-08 15:31:44 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-08 15:31:44 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-08 15:31:14 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-06 06:57:15 15725 ----a-w- c:\windows\24180not-a-viruz59e.exe
2009-10-04 03:59:08 15316 ----a-w- c:\windows\6915spyz1f.bin
2009-10-02 18:19:04 1152470 ----a-w- c:\windows\UDB.zip
2009-10-01 04:30:48 9547 ----a-w- c:\windows\9409worz5b9.bin
2009-09-23 03:21:36 90112 ----a-w- c:\windows\DUMP4362.tmp
2009-09-23 02:53:18 90112 ----a-w- c:\windows\DUMP4527.tmp
2009-09-23 02:49:11 90112 ----a-w- c:\windows\DUMP494d.tmp
2009-09-23 02:47:49 90112 ----a-w- c:\windows\DUMP4517.tmp
2009-09-23 02:41:03 90112 ----a-w- c:\windows\DUMP49e9.tmp
2009-09-23 02:39:41 90112 ----a-w- c:\windows\DUMP4e00.tmp
2009-09-23 01:51:47 90112 ----a-w- c:\windows\DUMP5062.tmp
2009-09-23 01:29:09 90112 ----a-w- c:\windows\DUMP442d.tmp
2009-09-23 01:03:04 90112 ----a-w- c:\windows\DUMP4778.tmp
2009-09-23 00:55:46 90112 ----a-w- c:\windows\DUMP4f69.tmp
2009-09-23 00:53:31 90112 ----a-w- c:\windows\DUMP4f68.tmp
2009-09-23 00:49:39 90112 ----a-w- c:\windows\DUMP4853.tmp
2009-09-23 00:48:17 90112 ----a-w- c:\windows\DUMP49f9.tmp
2009-09-23 00:44:35 90112 ----a-w- c:\windows\DUMP44c9.tmp
2009-09-23 00:31:55 90112 ----a-w- c:\windows\DUMP4342.tmp
2004-08-04 11:00:00 29696 --sha-w- c:\windows\system32\notepad.dll
2004-08-04 11:00:00 29696 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2004-08-04 11:00:00 29696 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 8:07:32.25 ===============

=====================================
=====================================
Attach
=====================================
=====================================

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/13/2009 10:58:28 PM
System Uptime: 12/20/2009 3:32:12 AM (29 hours ago)

Motherboard: ASUSTek Computer INC. | | NAGAMI
Processor: AMD Athlon™ 64 Processor 3400+ | Socket 939 | 2204/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 142 GiB total, 2.71 GiB free.
D: is FIXED (FAT32) - 7 GiB total, 0.339 GiB free.
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 12/13/2009 11:50:05 PM - System Checkpoint
RP2: 12/19/2009 5:58:53 PM - System Checkpoint
RP3: 12/20/2009 6:52:24 PM - System Checkpoint

==== Installed Programs ======================

5 Card Slingo from Compaq (remove only)
Adobe Reader 7.0
Agere Systems PCI-SV92PP Soft Modem
AstroPop Deluxe from Compaq (remove only)
Barnyard Invasion from Compaq (remove only)
Bejeweled 2 Deluxe from Compaq (remove only)
Blackhawk Striker 2 from Compaq (remove only)
Blasterball 2 from Compaq (remove only)
Blasterball 2 Remix from Compaq (remove only)
Boggle Supreme from Compaq (remove only)
Bookworm Deluxe from Compaq (remove only)
Bounce Symphony from Compaq (remove only)
BufferChm
CC_ccProxyExt
ccCommon
ccPxyCore
Chuzzle Deluxe from Compaq (remove only)
Compaq Connections (remove only)
Compaq Organize
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Crystal Maze from Compaq (remove only)
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
Easy Internet Sign-up
Family Feud
FATE from Compaq (remove only)
FullDPAppQFolder
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
HP Boot Optimizer
HP DVD Play 1.0
HP Game Console and games
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP Rhapsody
HP Software Update
HP Support Overview
HP Web Helper
HpSdpAppCoreApp
Insaniquarium Deluxe from Compaq (remove only)
InstantShareDevices
J2SE Runtime Environment 5.0 Update 5
Lemonade Tycoon 2 from Compaq (remove only)
Lexibox Deluxe from Compaq (remove only)
LightScribe 1.4.62.1
LiveUpdate 2.7 (Symantec Corporation)
Mah Jong Quest from Compaq (remove only)
Microsoft .NET Framework 1.1
Microsoft Money 2006
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Works
MSRedist
Netscape Browser (remove only)
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton WMI Update
NVIDIA Drivers
OptionalContentQFolder
PC-Doctor 5 for Windows
PhotoGallery
Polar Bowler from Compaq (remove only)
Polar Golfer from Compaq (remove only)
Puzzle Express from Compaq (remove only)
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
RealPlayer
Realtek High Definition Audio Driver
Remove WeatherBug Installer
Ricochet Lost Worlds from Compaq (remove only)
SCRABBLE from Compaq (remove only)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Shooting Stars Pool from Compaq (remove only)
Shrek 2 Ogre Bowler from Compaq (remove only)
SkinsHP1
Slingo Deluxe from Compaq (remove only)
Snowboard SuperJam from Compaq (remove only)
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
SPBBC
Super Granny from Compaq (remove only)
SymNet
Tradewinds from Compaq (remove only)
Unload
WebFldrs XP
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
WinRAR archiver
Zuma Deluxe from Compaq (remove only)

==== Event Viewer Messages From Past Week ========

12/20/2009 5:22:54 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
12/20/2009 5:22:54 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Documents and Settings\Compaq_Owner\Application Data\Azureus\plugins\azitunes\jacob-1.14.3-x86.dll. Reference error message: The operation completed successfully. .
12/20/2009 5:22:54 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
12/18/2009 11:37:41 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
12/18/2009 11:37:15 PM, error: Service Control Manager [7034] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:37:15 PM, error: Service Control Manager [7034] - The Server service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:37:15 PM, error: Service Control Manager [7034] - The Fast User Switching Compatibility service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:37:15 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:37:15 PM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:37:15 PM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:37:15 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:37:15 PM, error: Service Control Manager [7031] - The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
12/18/2009 11:36:17 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:36:13 PM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:36:04 PM, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:36:02 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:36:01 PM, error: Service Control Manager [7034] - The Symantec Network Proxy service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Windows Time service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Secondary Logon service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Norton AntiVirus Auto-Protect Service service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7034] - The Automatic Updates service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:26:30 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/18/2009 11:26:30 PM, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/18/2009 11:26:30 PM, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
12/18/2009 11:21:57 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Installer service to connect.
12/18/2009 11:21:57 PM, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/18/2009 11:20:06 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
12/18/2009 11:19:58 PM, error: Service Control Manager [7034] - The Symantec Network Drivers Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
=====================================
=====================================
HijackThis
=====================================
=====================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:30 AM, on 12/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\svchust.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wmdtc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\lsm32.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [notepad] rundll32.exe C:\WINDOWS\system32\notepad.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [jiqmkjgm] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\djvvfk\xkufsysguard.exe
O4 - HKLM\..\Run: [wmpaonpf] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\didfqd\xvrnsysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jiqmkjgm] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\djvvfk\xkufsysguard.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [wmpaonpf] C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\didfqd\xvrnsysguard.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [notepad] rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,_IWMPEvents@0 (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{24E794CE-267F-4083-B81B-19BDE10D0D5B}: NameServer = 192.168.1.1,192.168.1.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{24E794CE-267F-4083-B81B-19BDE10D0D5B}: NameServer = 192.168.1.1,192.168.1.2
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Net_Login - Unknown owner - C:\WINDOWS\svchust.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9329 bytes
=====================================
=====================================
Symptoms
=====================================
=====================================
I've done a lot of different things within the 15 days of the original post. I have run a bunch of various anti-spyware/anti-malware/anti-virus services/programs. A lot of stuff was picked up and fixed. However, a lot of stuff is lingering and continues to come back. My major symptom seems to be jsut random errors popping up. On startup, I get the logouni.exe error (something along those lines). After continuously Xing and canceling out the error.. eventually the basic login window shows up. I click OK and windows starts up. Explorer.exe does not show up. I then ctl+alt+delete and I get an error for taskmngr.exe. I can only get to the task manager by doing ctl+alt+delete again while the error is still up. I then run explorer.exe from the task manager. Once in a while the same thing happens where I get an error for explorer.exe and I have to run the task again while the error is up to get the explorer to work. Along with those errors, I get a lot or random errors popping up at random times. It doesn't seem to happen as much anymore after running a bunch of tests, but they are still there. My firefox homepage seems to be stuck on "http://www.webweb123.com/". That seems to be about it for now. I will edit this post with other symptoms as they pop up or if I remeber a couple I left out..as well as exact error messages.

EDIT: Once in a while when I start up the machine, it boots up and gets to a certain point on startup and shuts down. I have probably restored windows around 10 times with the past month and a half.

Thanks for the help. :(

This post has been edited by abckid24: 21 December 2009 - 11:29 AM

#4 User is offline   abckid24 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 26
  • Joined: 29-December 05

Posted 21 December 2009 - 11:24 AM

Sorry.. forgot to add the RootRepeal log. It will be done in a couple minutes. I also wanted to note that the computer has actually been running a lot smoother the past couple of days. I unchecked a bunch of process and such in msconfig for startup.

#5 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 21 December 2009 - 12:19 PM

There's still quite a lot of things on your system that needs to be dealt with however, please post the RootRepeal log before we proceed and please refrain from making any changes to your system until I declare you're clean.

Some guidelines...

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 5 days with no reply, and working topics are closed after 7 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 User is offline   abckid24 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 26
  • Joined: 29-December 05

Posted 21 December 2009 - 02:51 PM

RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/21 08:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3507000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B42000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2FDD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\hpcpcuninstaller-6.3.2.116-5577497.exe
Status: Allocation size mismatch (API: 139264, Raw: 122880)

Path: c:\windows\rtlcpl.exe
Status: Allocation size mismatch (API: 9736192, Raw: 9711616)

Path: c:\windows\rtlupd.exe
Status: Allocation size mismatch (API: 376832, Raw: 356352)

Path: c:\windows\taskman.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\isuninst.exe
Status: Allocation size mismatch (API: 327680, Raw: 307200)

Path: c:\windows\notepad.exe
Status: Allocation size mismatch (API: 90112, Raw: 69632)

Path: c:\windows\twunk_32.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\miccal.exe
Status: Allocation size mismatch (API: 2183168, Raw: 2158592)

Path: c:\windows\agrsmdel.exe
Status: Allocation size mismatch (API: 90112, Raw: 69632)

Path: c:\windows\alcwzrd.exe
Status: Allocation size mismatch (API: 2834432, Raw: 2809856)

Path: C:\Documents and Settings\Compaq_Owner\ntload.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LocalService\ntload.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\NetworkService\ntload.dll
Status: Invisible to the Windows API!

Path: c:\program files\music_now\inetchk.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\program files\music_now\mn_drop.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\program files\netmeeting\cb32.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\program files\netmeeting\conf.exe
Status: Allocation size mismatch (API: 1052672, Raw: 1032192)

Path: c:\program files\netmeeting\wb32.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\program files\outlook express\oemig50.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\program files\outlook express\wabmig.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\program files\pc-doctor 5 for windows\isprocessactive.exe
Status: Allocation size mismatch (API: 114688, Raw: 86016)

Path: c:\program files\pc-doctor 5 for windows\pcbeep.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\program files\pc-doctor 5 for windows\pcdrengine.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\program files\pc-doctor 5 for windows\pcdrexdx.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\program files\pc-doctor 5 for windows\pcdrndisuioinstaller.exe
Status: Allocation size mismatch (API: 102400, Raw: 73728)

Path: c:\program files\pc-doctor 5 for windows\pcdsmartmonitor.exe
Status: Allocation size mismatch (API: 389120, Raw: 368640)

Path: c:\program files\pc-doctor 5 for windows\resourcebundlefilter.exe
Status: Allocation size mismatch (API: 40960, Raw: 24576)

Path: c:\program files\pc-doctor 5 for windows\singlefileofresourcebundlecreator.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\program files\quicken\bagent.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\program files\quicken\olbackup.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\program files\quicken\qw.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\program files\quicken\billmind.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\program files\quicken\bindcontent.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\program files\quicken\printenv.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\program files\quicken\qhi.exe
Status: Allocation size mismatch (API: 815104, Raw: 794624)

Path: c:\program files\quicken\restartexe.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\program files\quicken\start.exe
Status: Allocation size mismatch (API: 839680, Raw: 823296)

Path: c:\program files\quicken\techhelp.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\program files\hp rhapsody\rhaphlpr.exe
Status: Allocation size mismatch (API: 188416, Raw: 167936)

Path: c:\program files\microsoft works\wkdstore.exe
Status: Allocation size mismatch (API: 110592, Raw: 90112)

Path: c:\program files\microsoft works\wkgdcach.exe
Status: Allocation size mismatch (API: 90112, Raw: 69632)

Path: c:\program files\microsoft works\msworks.exe
Status: Allocation size mismatch (API: 552960, Raw: 532480)

Path: c:\program files\microsoft works\wkplmstp.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\program files\microsoft works\wksab.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\program files\microsoft works\wksdb.exe
Status: Allocation size mismatch (API: 2260992, Raw: 2240512)

Path: c:\program files\microsoft works\wksdict.exe
Status: Allocation size mismatch (API: 315392, Raw: 294912)

Path: c:\program files\microsoft works\wkssb.exe
Status: Allocation size mismatch (API: 749568, Raw: 729088)

Path: c:\program files\microsoft works\wksss.exe
Status: Allocation size mismatch (API: 1912832, Raw: 1892352)

Path: c:\program files\microsoft works\wkswp.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\program files\microsoft works\wkwcestp.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\program files\windows media player\migrate.exe
Status: Allocation size mismatch (API: 1011712, Raw: 991232)

Path: c:\program files\windows media player\setup_wm.exe
Status: Allocation size mismatch (API: 839680, Raw: 819200)

Path: c:\program files\windows media player\wmlaunch.exe
Status: Allocation size mismatch (API: 143360, Raw: 122880)

Path: c:\program files\windows media player\wmpenc.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\program files\windows media player\wmsetsdk.exe
Status: Allocation size mismatch (API: 839680, Raw: 819200)

Path: c:\program files\windows nt\dialer.exe
Status: Allocation size mismatch (API: 561152, Raw: 540672)

Path: c:\seosoft\php\debugclient-0.9.0.exe
Status: Allocation size mismatch (API: 180224, Raw: 163840)

Path: c:\seosoft\php\php-cgi.exe
Status: Allocation size mismatch (API: 65536, Raw: 49152)

Path: c:\seosoft\php\php-win.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\seosoft\php\php.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\windows\hpcpcuninstall-5577497\hpbwsetup.exe
Status: Allocation size mismatch (API: 94208, Raw: 73728)

Path: c:\windows\i386\expand.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\i386\faxpatch.exe
Status: Allocation size mismatch (API: 40960, Raw: 24576)

Path: c:\windows\i386\netsetup.exe
Status: Allocation size mismatch (API: 352256, Raw: 331776)

Path: c:\windows\i386\ntsd.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\i386\regedit.exe
Status: Allocation size mismatch (API: 167936, Raw: 147456)

Path: c:\windows\i386\spnpinst.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\i386\sysparse.exe
Status: Allocation size mismatch (API: 266240, Raw: 245760)

Path: c:\windows\i386\telnet.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Status: Locked to the Windows API!

Path: c:\windows\system\hpsysdrv.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\system32\actmovie.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\system32\mplay32.exe
Status: Allocation size mismatch (API: 143360, Raw: 126976)

Path: c:\windows\system32\mpnotify.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\mrinfo.exe
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: c:\windows\system32\netsetup.exe
Status: Allocation size mismatch (API: 352256, Raw: 331776)

Path: c:\windows\system32\netsh.exe
Status: Allocation size mismatch (API: 106496, Raw: 86016)

Path: c:\windows\system32\netstat.exe
Status: Allocation size mismatch (API: 57344, Raw: 36864)

Path: c:\windows\system32\rdpclip.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\windows\system32\rdsaddin.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\rdshost.exe
Status: Allocation size mismatch (API: 90112, Raw: 69632)

Path: c:\windows\system32\recover.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\regedt32.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\system32\regini.exe
Status: Allocation size mismatch (API: 57344, Raw: 36864)

Path: c:\windows\system32\regwiz.exe
Status: Allocation size mismatch (API: 24576, Raw: 8192)

Path: c:\windows\system32\cmdl32.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\ahui.exe
Status: Allocation size mismatch (API: 118784, Raw: 98304)

Path: c:\windows\system32\arp.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\at.exe
Status: Allocation size mismatch (API: 45056, Raw: 28672)

Path: c:\windows\system32\atmadm.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\auditusr.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\blastcln.exe
Status: Allocation size mismatch (API: 94208, Raw: 73728)

Path: c:\windows\system32\bootok.exe
Status: Allocation size mismatch (API: 24576, Raw: 8192)

Path: c:\windows\system32\bootvrfy.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\cacls.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\chkdsk.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\chkntfs.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\cidaemon.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\ckcnv.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\cliconfg.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\clipbrd.exe
Status: Allocation size mismatch (API: 122880, Raw: 106496)

Path: c:\windows\system32\cmmon32.exe
Status: Allocation size mismatch (API: 61440, Raw: 40960)

Path: c:\windows\system32\cmstp.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\windows\system32\comp.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\compact.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\conime.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\system32\convert.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\dcomcnfg.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\ddeshare.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\dfrgfat.exe
Status: Allocation size mismatch (API: 102400, Raw: 86016)

Path: c:\windows\system32\diantz.exe
Status: Allocation size mismatch (API: 106496, Raw: 86016)

Path: c:\windows\system32\diskpart.exe
Status: Allocation size mismatch (API: 184320, Raw: 163840)

Path: c:\windows\system32\diskperf.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\dmremote.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\doskey.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\dplaysvr.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\dpnsvr.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\dpvsetup.exe
Status: Allocation size mismatch (API: 106496, Raw: 86016)

Path: c:\windows\system32\dvdplay.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\windows\system32\dvdupgrd.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\esentutl.exe
Status: Allocation size mismatch (API: 61440, Raw: 40960)

Path: c:\windows\system32\eudcedit.exe
Status: Allocation size mismatch (API: 212992, Raw: 196608)

Path: c:\windows\system32\eventvwr.exe
Status: Allocation size mismatch (API: 28672, Raw: 12288)

Path: c:\windows\system32\expand.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\extrac32.exe
Status: Allocation size mismatch (API: 65536, Raw: 49152)

Path: c:\windows\system32\fc.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\finger.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\fltmc.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\fontview.exe
Status: Allocation size mismatch (API: 40960, Raw: 24576)

Path: c:\windows\system32\fsquirt.exe
Status: Allocation size mismatch (API: 212992, Raw: 196608)

Path: c:\windows\system32\fsutil.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\windows\system32\fxsclnt.exe
Status: Allocation size mismatch (API: 163840, Raw: 143360)

Path: c:\windows\system32\hdashcut.exe
Status: Allocation size mismatch (API: 81920, Raw: 65536)

Path: c:\windows\system32\help.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\hostname.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\iexpress.exe
Status: Allocation size mismatch (API: 135168, Raw: 114688)

Path: c:\windows\system32\ipsec6.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\windows\system32\ipv6.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\system32\ipxroute.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\java.exe
Status: Allocation size mismatch (API: 69632, Raw: 53248)

Path: c:\windows\system32\javaw.exe
Status: Allocation size mismatch (API: 69632, Raw: 53248)

Path: c:\windows\system32\javaws.exe
Status: Allocation size mismatch (API: 147456, Raw: 131072)

Path: c:\windows\system32\keystone.exe
Status: Allocation size mismatch (API: 446464, Raw: 425984)

Path: c:\windows\system32\label.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\lights.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\lnkstub.exe
Status: Allocation size mismatch (API: 45056, Raw: 28672)

Path: c:\windows\system32\lodctr.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\logagent.exe
Status: Allocation size mismatch (API: 118784, Raw: 98304)

Path: c:\windows\system32\logman.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\windows\system32\logoff.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\lpq.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\lpr.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\makecab.exe
Status: Allocation size mismatch (API: 106496, Raw: 86016)

Path: c:\windows\system32\migpwd.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\system32\mountvol.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\msg.exe
Status: Allocation size mismatch (API: 40960, Raw: 24576)

Path: c:\windows\system32\mshta.exe
Status: Allocation size mismatch (API: 49152, Raw: 32768)

Path: c:\windows\system32\msswchx.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\mstinit.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\nbtstat.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\nddeapir.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: C:\WINDOWS\system32\notepad.dll
Status: Invisible to the Windows API!

Path: c:\windows\system32\nslookup.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\system32\odbcconf.exe
Status: Allocation size mismatch (API: 90112, Raw: 69632)

Path: c:\windows\system32\ntsd.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\nvappbar.exe
Status: Allocation size mismatch (API: 462848, Raw: 442368)

Path: c:\windows\system32\nvcolor.exe
Status: Allocation size mismatch (API: 167936, Raw: 147456)

Path: c:\windows\system32\nvdspsch.exe
Status: Allocation size mismatch (API: 1359872, Raw: 1339392)

Path: c:\windows\system32\nvudisp.exe
Status: Allocation size mismatch (API: 200704, Raw: 180224)

Path: c:\windows\system32\nvunrm.exe
Status: Allocation size mismatch (API: 200704, Raw: 180224)

Path: c:\windows\system32\osuninst.exe
Status: Allocation size mismatch (API: 61440, Raw: 40960)

Path: c:\windows\system32\packager.exe
Status: Allocation size mismatch (API: 81920, Raw: 61440)

Path: c:\windows\system32\pathping.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\perfmon.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\ping.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\ping6.exe
Status: Allocation size mismatch (API: 53248, Raw: 36864)

Path: c:\windows\system32\powercfg.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\print.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\progman.exe
Status: Allocation size mismatch (API: 131072, Raw: 110592)

Path: c:\windows\system32\proquota.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\system32\proxycfg.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\qappsrv.exe
Status: Allocation size mismatch (API: 36864, Raw: 20480)

Path: c:\windows\system32\qprocess.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\qwinsta.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\rasautou.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\rasdial.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\rasphone.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\windows\system32\rcp.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\replace.exe
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: c:\windows\system32\reset.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\rexec.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\route.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\routemon.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\system32\rsh.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\rsm.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\rsmsink.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\rsmui.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\rtcshare.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\system32\runas.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\rwinsta.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\savedump.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\scrnsave.scr
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\sdbinst.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\system32\sethc.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\setup.exe
Status: Allocation size mismatch (API: 45056, Raw: 24576)

Path: c:\windows\system32\sfc.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\shadow.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\shrpubw.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\system32\shutdown.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\sigverif.exe
Status: Allocation size mismatch (API: 90112, Raw: 73728)

Path: c:\windows\system32\skeys.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\windows\system32\spnpinst.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\ss3dfo.scr
Status: Allocation size mismatch (API: 724992, Raw: 704512)

Path: c:\windows\system32\ssbezier.scr
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\ssflwbox.scr
Status: Allocation size mismatch (API: 413696, Raw: 393216)

Path: c:\windows\system32\stimon.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\subst.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\syncapp.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\windows\system32\syskey.exe
Status: Allocation size mismatch (API: 57344, Raw: 36864)

Path: c:\windows\system32\sysocmgr.exe
Status: Allocation size mismatch (API: 126976, Raw: 106496)

Path: c:\windows\system32\systray.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\system32\taskman.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\tcmsetup.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\tcpsvcs.exe
Status: Allocation size mismatch (API: 40960, Raw: 20480)

Path: c:\windows\system32\telnet.exe
Status: Allocation size mismatch (API: 98304, Raw: 77824)

Path: c:\windows\system32\tftp.exe
Status: Allocation size mismatch (API: 36864, Raw: 20480)

Path: c:\windows\system32\tracert.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\tracert6.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\tscon.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\tscupgrd.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\windows\system32\tsdiscon.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\tskill.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\tsshutdn.exe
Status: Allocation size mismatch (API: 36864, Raw: 20480)

Path: c:\windows\system32\unlodctr.exe
Status: Allocation size mismatch (API: 24576, Raw: 4096)

Path: c:\windows\system32\upnpcont.exe
Status: Allocation size mismatch (API: 36864, Raw: 20480)

Path: c:\windows\system32\usrmlnka.exe
Status: Allocation size mismatch (API: 98304, Raw: 81920)

Path: c:\windows\system32\usrprbda.exe
Status: Allocation size mismatch (API: 81920, Raw: 65536)

Path: c:\windows\system32\usrshuta.exe
Status: Allocation size mismatch (API: 90112, Raw: 73728)

Path: c:\windows\system32\uwdf.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\smbinst.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\wscntfy.exe
Status: Allocation size mismatch (API: 36864, Raw: 16384)

Path: c:\windows\system32\verifier.exe
Status: Allocation size mismatch (API: 118784, Raw: 98304)

Path: c:\windows\system32\vssadmin.exe
Status: Allocation size mismatch (API: 57344, Raw: 36864)

Path: c:\windows\system32\w32tm.exe
Status: Allocation size mismatch (API: 69632, Raw: 53248)

Path: c:\windows\system32\wextract.exe
Status: Allocation size mismatch (API: 86016, Raw: 65536)

Path: c:\windows\system32\winhlp32.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\winmsd.exe
Status: Allocation size mismatch (API: 32768, Raw: 12288)

Path: c:\windows\system32\winver.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\wpabaln.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\wpnpinst.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\windows\system32\write.exe
Status: Allocation size mismatch (API: 28672, Raw: 8192)

Path: c:\windows\system32\wuauclt1.exe
Status: Allocation size mismatch (API: 188416, Raw: 167936)

Path: C:\WINDOWS\temp\ntload.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: c:\windows\creator\rmc_ar32.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\windows\downloaded program files\dwusplay.exe
Status: Allocation size mismatch (API: 217088, Raw: 196608)

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: c:\windows\sminst\start.exe
Status: Allocation size mismatch (API: 282624, Raw: 262144)

Path: C:\WINDOWS\ftpcache\ftpcache
Status: Locked to the Windows API!

Path: C:\WINDOWS\setup.pss\setup.pss
Status: Locked to the Windows API!

Path: c:\windows.old\windows\hpcpcuninstaller-6.3.2.116-5577497.exe
Status: Allocation size mismatch (API: 139264, Raw: 122880)

Path: c:\hp\bin\adddevicepath.exe
Status: Allocation size mismatch (API: 196608, Raw: 176128)

Path: c:\hp\bin\ask.exe
Status: Allocation size mismatch (API: 241664, Raw: 221184)

Path: c:\hp\bin\automod32.exe
Status: Allocation size mismatch (API: 245760, Raw: 225280)

Path: c:\hp\bin\eject.exe
Status: Allocation size mismatch (API: 65536, Raw: 45056)

Path: c:\hp\bin\findwindow.exe
Status: Allocation size mismatch (API: 53248, Raw: 28672)

Path: c:\hp\bin\finis.exe
Status: Allocation size mismatch (API: 204800, Raw: 188416)

Path: c:\hp\bin\inimerge.exe
Status: Allocation size mismatch (API: 155648, Raw: 135168)

Path: c:\hp\bin\is64os.exe
Status: Allocation size mismatch (API: 126976, Raw: 106496)

Path: c:\hp\bin\isrunning.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\hp\bin\killit.exe
Status: Allocation size mismatch (API: 77824, Raw: 57344)

Path: c:\hp\bin\killwind.exe
Status: Allocation size mismatch (API: 53248, Raw: 32768)

Path: c:\hp\bin\locale.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\hp\bin\ostype.exe
Status: Allocation size mismatch (API: 176128, Raw: 155648)

Path: c:\hp\bin\processlogger.exe
Status: Allocation size mismatch (API: 471040, Raw: 450560)

Path: c:\hp\bin\progress.exe
Status: Allocation size mismatch (API: 458752, Raw: 434176)

Path: c:\hp\bin\refcount.exe
Status: Allocation size mismatch (API: 151552, Raw: 131072)

Path: c:\hp\bin\rpcopy.exe
Status: Allocation size mismatch (API: 151552, Raw: 131072)

Path: c:\hp\bin\sendkey.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\hp\bin\setini.exe
Status: Allocation size mismatch (API: 65536, Raw: 36864)

Path: c:\hp\bin\autorun.exe
Status: Allocation size mismatch (API: 258048, Raw: 237568)

Path: c:\hp\bin\dm.exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\hp\bin\hpbi.exe
Status: Allocation size mismatch (API: 110592, Raw: 90112)

Path: c:\hp\bin\htmlmsg.exe
Status: Allocation size mismatch (API: 73728, Raw: 53248)

Path: c:\hp\bin\msgaction.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\hp\bin\sleep.exe
Status: Allocation size mismatch (API: 49152, Raw: 28672)

Path: c:\hp\bin\transientmessage.exe
Status: Allocation size mismatch (API: 372736, Raw: 352256)

Path: c:\hp\vinetlink\autorun.exe
Status: Allocation size mismatch (API: 258048, Raw: 237568)

Path: c:\hp\vinetlink\vinetlink.exe
Status: Allocation size m==EOF==

#7 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 21 December 2009 - 03:07 PM

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 User is offline   abckid24 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 26
  • Joined: 29-December 05

Posted 22 December 2009 - 02:30 AM

I got an error when trying to run Combofix. I downloaded Combofix from both locations at the URL you specified and got the same error for both.

It reads:

!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package have been compromised.
Please download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'

#9 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 22 December 2009 - 10:50 AM

Thanks for reporting that. It seems you have a file-infector on board from the CF warning but also from what I saw in the RootRepeal logs with several files mis-match.

--

I want you to scan a few files...

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
    • C:\Windows\Explorer.exe
      C:\Windows\system32\userinit.exe
      C:\Windows\system32\winlogon.exe
      C:\Windows\system32\services.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 User is offline   abckid24 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 26
  • Joined: 29-December 05

Posted 22 December 2009 - 08:41 PM

Using VirusTotal:

=============================================

File explorer.exe received on 2009.12.23 01:17:32 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.22 Virus.Win32.Virut.q!IK
AhnLab-V3 5.0.0.2 2009.12.22 -
AntiVir 7.9.1.122 2009.12.22 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.12.22 -
Authentium 5.2.0.5 2009.12.22 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.12.22 Win32:Vitro
AVG 8.5.0.430 2009.12.22 Win32/Virut
BitDefender 7.2 2009.12.23 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.12.22 W32.Virut.G
ClamAV 0.94.1 2009.12.22 -
Comodo 3336 2009.12.23 -
DrWeb 5.0.1.12222 2009.12.23 Win32.Virut.56
eSafe 7.0.17.0 2009.12.22 -
eTrust-Vet 35.1.7192 2009.12.22 Win32/Virut.17408
F-Prot 4.5.1.85 2009.12.22 W32/Virut.AI!Generic
F-Secure 9.0.15370.0 2009.12.22 Win32.Virtob.Gen.12
Fortinet 4.0.14.0 2009.12.22 -
GData 19 2009.12.22 Win32.Virtob.Gen.12
Ikarus T3.1.1.79.0 2009.12.22 Virus.Win32.Virut.q
K7AntiVirus 7.10.926 2009.12.22 -
Kaspersky 7.0.0.125 2009.12.23 Virus.Win32.Virut.ce
McAfee 5840 2009.12.22 W32/Virut.n.gen
McAfee+Artemis 5840 2009.12.22 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.12.23 Win32.Virut.Gen
Microsoft 1.5302 2009.12.22 Virus:Win32/Virut.gen!O
NOD32 4710 2009.12.22 Win32/Virut.NBP
Norman 6.04.03 2009.12.22 -
nProtect 2009.1.8.0 2009.12.22 -
Panda 10.0.2.2 2009.12.15 W32/Sality.AO
PCTools 7.0.3.5 2009.12.23 Malware.Virut
Prevx 3.0 2009.12.23 -
Rising 22.27.01.04 2009.12.22 Win32.Virut.cl
Sophos 4.49.0 2009.12.23 W32/Scribble-B
Sunbelt 3.2.1858.2 2009.12.23 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.12.23 W32.Virut.CF
TheHacker 6.5.0.3.106 2009.12.23 W32/Virut.gen4
TrendMicro 9.120.0.1004 2009.12.22 PE_VIRUX.GEN-3
VBA32 3.12.12.0 2009.12.22 Virus.Win32.Virut.X7
ViRobot 2009.12.22.2102 2009.12.22 Win32.Virut.AM
VirusBuster 5.0.21.0 2009.12.22 -
Additional information
File size: 1052160 bytes
MD5...: 66e0d220b8a7767eb3fb8616bd7e5167
SHA1..: 7a98286d1a238e6d0da81493384e0c8f3f20ca56
SHA256: e76a8564b929229f2104b198b046e7d16946195126e42372e06032af161d7719
ssdeep: 12288:SzEut4RuAwGgc7fNuIEGpOoHWr2Rkf8I+skzan1/g/J/v5nne8c:SzEuAw<br>j2fNuIQakf8I+sk81/g/J/Jn9<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x456f6<br>timedatestamp.....: 0x262dc027 (Thu Apr 19 13:41:59 1990)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x44800 0x44800 6.39 aae1e098b4f91b757139a2af4720f668<br>.data 0x46000 0x1d90 0x1800 1.29 d0b87d8ce5a34731be197efb73b5d7bf<br>.rsrc 0x48000 0xb2278 0xb2400 6.63 abf6dc1befe1a4a4c7f6ef51d1a6f907<br>.reloc 0xfb000 0x8800 0x8600 7.68 685f3afb9df32e2e835bfcef213cfac1<br><br>( 13 imports ) <br>&gt; msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf<br>&gt; ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW<br>&gt; KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, RegisterWaitForSingleObject, OpenEventW, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, DelayLoadFailureHook, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, GetFileAttributesExW, MulDiv, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, InitializeCriticalSectionAndSpinCount<br>&gt; GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, SetTextColor, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, CreateRectRgnIndirect, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode<br>&gt; USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, CopyRect, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, PtInRect, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, ModifyMenuW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW<br>&gt; ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess<br>&gt; SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, StrCmpNW, -, -<br>&gt; SHELL32.dll: -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, ShellExecuteExW, -, -, -, -, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, SHGetSpecialFolderLocation, -, -, -, -, SHGetSpecialFolderPathW, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -<br>&gt; ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop<br>&gt; OLEAUT32.dll: -, -<br>&gt; BROWSEUI.dll: -, -, -, -<br>&gt; SHDOCVW.dll: -, -, -<br>&gt; UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:<br>publisher....: Microsoft Corporation<br>copyright....: © Microsoft Corporation. All rights reserved.<br>product......: Microsoft_ Windows_ Operating System<br>description..: Windows Explorer<br>original name: EXPLORER.EXE<br>internal name: explorer<br>file version.: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

=============================================

File userinit.exe received on 2009.12.23 01:20:38 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.22 Trojan.Agent2!IK
AhnLab-V3 5.0.0.2 2009.12.22 Win32/Virut.F
AntiVir 7.9.1.122 2009.12.22 W32/Virut.Gen
Antiy-AVL 2.0.3.7 2009.12.22 -
Authentium 5.2.0.5 2009.12.22 W32/Virut.AI!Generic
Avast 4.8.1351.0 2009.12.22 Win32:Vitro
AVG 8.5.0.430 2009.12.22 Win32/Virut
BitDefender 7.2 2009.12.23 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.12.22 W32.Virut.G
ClamAV 0.94.1 2009.12.22 -
Comodo 3336 2009.12.23 Virus.Win32.Virut.Ce
DrWeb 5.0.1.12222 2009.12.23 Win32.Virut.56
eSafe 7.0.17.0 2009.12.22 -
eTrust-Vet 35.1.7192 2009.12.22 Win32/Virut.17408
F-Prot 4.5.1.85 2009.12.22 W32/Virut.AI!Generic
F-Secure 9.0.15370.0 2009.12.22 Win32.Virtob.Gen.12
Fortinet 4.0.14.0 2009.12.22 -
GData 19 2009.12.22 Win32.Virtob.Gen.12
Ikarus T3.1.1.79.0 2009.12.22 Trojan.Agent2
Jiangmin 13.0.900 2009.12.22 -
Kaspersky 7.0.0.125 2009.12.23 Virus.Win32.Virut.ce
McAfee 5840 2009.12.22 W32/Virut.n.gen
McAfee+Artemis 5840 2009.12.22 W32/Virut.n.gen
McAfee-GW-Edition 6.8.5 2009.12.23 Heuristic.LooksLike.Win32.Suspicious.H
Microsoft 1.5302 2009.12.22 Virus:Win32/Virut.gen!O
NOD32 4710 2009.12.22 Win32/Virut.NBP
Norman 6.04.03 2009.12.22 W32/Virut.DY
nProtect 2009.1.8.0 2009.12.22 -
Panda 10.0.2.2 2009.12.15 W32/Sality.AO
PCTools 7.0.3.5 2009.12.23 Malware.Virut
Prevx 3.0 2009.12.23 -
Rising 22.27.01.04 2009.12.22 Win32.Virut.cs
Sophos 4.49.0 2009.12.23 W32/Scribble-B
Sunbelt 3.2.1858.2 2009.12.23 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.12.23 W32.Virut.CF
TheHacker 6.5.0.3.106 2009.12.23 W32/Virut.gen4
TrendMicro 9.120.0.1004 2009.12.22 PE_VIRUX.J
VBA32 3.12.12.0 2009.12.22 Virus.Win32.Virut.X7
ViRobot 2009.12.22.2102 2009.12.22 Win32.Virut.AM
VirusBuster 5.0.21.0 2009.12.22 Win32.Virut.AB.Gen
Additional information
File&nbsp;size: 44544 bytes
MD5&nbsp;&nbsp;&nbsp;: cb7dd4ca47686aa405fc5bab320a5aac
SHA1&nbsp;&nbsp;: e03aa793f66338a9ad8d8958e5444dd04c41f965
SHA256: f2325f51e111ba3d53150b5187c9bc838d10161ba19ea5c337837c8a0c6add08
PEInfo: PE Structure information<br> <br> ( base data )<br> entrypointaddress.: 0xC6F3<br> timedatestamp.....: 0x262DC027 (Thu Apr 19 15:41:59 1990)<br> machinetype.......: 0x14C (Intel I386)<br> <br> ( 3 sections )<br> name viradd virsiz rawdsiz ntrpy md5<br> .text 0x1000 0x4DB8 0x4E00 6.01 16aee663ed180007a0bf5bf24b845096<br>.data 0x6000 0x14C 0x200 1.86 cbb599f9267bf53209039d14a3574eb1<br>.rsrc 0x7000 0x5C00 0x5A00 7.63 a13e49604c2b068bf4d0ebae3a314610<br> <br> ( 7 imports )<br> <br>&gt; advapi32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA<br>&gt; crypt32.dll: CryptProtectData<br>&gt; kernel32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW<br>&gt; msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv<br>&gt; ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString<br>&gt; user32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW<br>&gt; winspool.drv: SpoolerInit<br> <br> ( 0 exports )<br>
TrID&nbsp;&nbsp;: File type identification<br>Win32 Executable MS Visual C++ (generic) (65.2%)<br>Win32 Executable Generic (14.7%)<br>Win32 Dynamic Link Library (generic) (13.1%)<br>Generic Win/DOS Executable (3.4%)<br>DOS Executable Generic (3.4%)
ssdeep: 768:RJDUaxgu5YEVBxkjuv7wbaLa4PU4b7st4MFc6zfzMKou32TaOcQ8b:RJHxIEVBvT2aLa4PUO7smALzJm9cr
PEiD&nbsp;&nbsp;: -
RDS&nbsp;&nbsp;&nbsp;: NSRL Reference Data Set<br>-


=============================================


File winlogon.exe received on 2009.12.21 10:10:17 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.21 -
AhnLab-V3 5.0.0.2 2009.12.21 -
AntiVir 7.9.1.114 2009.12.21 -
Antiy-AVL 2.0.3.7 2009.12.18 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.20 -
AVG 8.5.0.427 2009.12.20 -
BitDefender 7.2 2009.12.21 -
CAT-QuickHeal 10.00 2009.12.21 -
ClamAV 0.94.1 2009.12.21 -
Comodo 3317 2009.12.21 -
DrWeb 5.0.0.12182 2009.12.21 -
eSafe 7.0.17.0 2009.12.20 -
eTrust-Vet 35.1.7187 2009.12.21 -
F-Prot 4.5.1.85 2009.12.20 -
F-Secure 9.0.15370.0 2009.12.21 -
Fortinet 4.0.14.0 2009.12.20 -
GData 19 2009.12.21 -
Ikarus T3.1.1.79.0 2009.12.21 -
Jiangmin 13.0.900 2009.12.21 -
K7AntiVirus 7.10.923 2009.12.17 -
Kaspersky 7.0.0.125 2009.12.21 -
McAfee 5838 2009.12.20 -
McAfee+Artemis 5838 2009.12.20 -
McAfee-GW-Edition 6.8.5 2009.12.21 -
Microsoft 1.5302 2009.12.21 -
NOD32 4704 2009.12.20 -
Norman 6.04.03 2009.12.21 -
nProtect 2009.1.8.0 2009.12.21 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.21 -
Prevx 3.0 2009.12.21 -
Rising 22.27.00.04 2009.12.21 -
Sophos 4.49.0 2009.12.21 -
Sunbelt 3.2.1858.2 2009.12.20 -
Symantec 1.4.4.12 2009.12.21 -
TheHacker 6.5.0.3.101 2009.12.21 -
TrendMicro 9.120.0.1004 2009.12.21 -
VBA32 3.12.12.0 2009.12.19 -
ViRobot 2009.12.21.2098 2009.12.21 -
VirusBuster 5.0.21.0 2009.12.20 -
Additional information
File&nbsp;size: 502272 bytes
MD5&nbsp;&nbsp;&nbsp;: 01c3346c241652f43aed8e2149881bfe
SHA1&nbsp;&nbsp;: a5396141cab8b22d9d88b28a814089537dce366a
SHA256: affd0973cd3128083417d407f62bc4a635fc25b65dbf52e91d3ab4ae2f9c1b4a
PEInfo: PE Structure information<br> <br> ( base data )<br> entrypointaddress.: 0x3D353<br> timedatestamp.....: 0x41107EDC (Wed Aug 4 08:14:52 2004)<br> machinetype.......: 0x14C (Intel I386)<br> <br> ( 3 sections )<br> name viradd virsiz rawdsiz ntrpy md5<br> .text 0x1000 0x6F288 0x6F400 6.82 5a133ab60f38b5d739d86c8290fa5a3c<br>.data 0x71000 0x4D90 0x2000 6.20 baa64d00a5f8a540a38a60d2aff66f30<br>.rsrc 0x76000 0x9030 0x9200 3.62 b93cbbc049130e1bad3ea13d7512c074<br> <br> ( 0 imports )<br> <br> <br> ( 0 exports )<br>
TrID&nbsp;&nbsp;: File type identification<br>Win64 Executable Generic (80.9%)<br>Win32 Executable Generic (8.0%)<br>Win32 Dynamic Link Library (generic) (7.1%)<br>Generic Win/DOS Executable (1.8%)<br>DOS Executable Generic (1.8%)
ThreatExpert: <a href="http://www.threatexpert.com/report.aspx?md5=01c3346c241652f43aed8e2149881bfe" target="_blank">http://www.threatexpert.com/report.aspx?md5=01c3346c241652f43aed8e2149881bfe</a>
ssdeep: 6144:2YuZlm8LRlBw662R1pqrc7FmxSqVw/T+SN1TrSnmhPnpdcrFIzdFz/N5WjyfTNQG:2VLBhic7Qy1vSneJFDNhp8
PEiD&nbsp;&nbsp;: -
RDS&nbsp;&nbsp;&nbsp;: NSRL Reference Data Set<br><br>( Gateway )<br><br>Gateway Operating System Windows XP Pro Edition SP2: WINLOGON.EXE, winlogon.exe<br>( Microsoft )<br><br>MSDN Disc 2428.4: winlogon.exeMSDN Disc 2428.5: winlogon.exeMSDN Disc 2428.8: winlogon.exeOperating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: winlogon.exeVirtual PC for Mac Windows XP Home Edition: winlogon.exeVirtual PC for Mac Windows XP Professional Edition: winlogon.exe


=============================================

File services.exe received on 2009.12.23 01:37:39 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.22 -
AhnLab-V3 5.0.0.2 2009.12.22 -
AntiVir 7.9.1.122 2009.12.22 -
Antiy-AVL 2.0.3.7 2009.12.22 -
Authentium 5.2.0.5 2009.12.22 -
Avast 4.8.1351.0 2009.12.22 -
AVG 8.5.0.430 2009.12.22 -
BitDefender 7.2 2009.12.23 -
CAT-QuickHeal 10.00 2009.12.22 -
ClamAV 0.94.1 2009.12.22 -
Comodo 3336 2009.12.23 -
DrWeb 5.0.1.12181 2009.12.23 -
eSafe 7.0.17.0 2009.12.22 -
eTrust-Vet 35.1.7192 2009.12.22 -
F-Prot 4.5.1.85 2009.12.22 -
F-Secure 9.0.15370.0 2009.12.22 -
Fortinet 4.0.14.0 2009.12.22 -
GData 19 2009.12.22 -
Ikarus T3.1.1.79.0 2009.12.22 -
Jiangmin 13.0.900 2009.12.22 -
K7AntiVirus 7.10.926 2009.12.22 -
Kaspersky 7.0.0.125 2009.12.23 -
McAfee 5840 2009.12.22 -
McAfee+Artemis 5840 2009.12.22 -
McAfee-GW-Edition 6.8.5 2009.12.23 -
Microsoft 1.5302 2009.12.22 -
NOD32 4710 2009.12.22 -
Norman 6.04.03 2009.12.22 -
nProtect 2009.1.8.0 2009.12.22 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.23 -
Prevx 3.0 2009.12.23 -
Rising 22.27.01.04 2009.12.22 -
Sophos 4.49.0 2009.12.23 -
Sunbelt 3.2.1858.2 2009.12.23 -
Symantec 1.4.4.12 2009.12.23 -
TheHacker 6.5.0.3.106 2009.12.23 -
TrendMicro 9.120.0.1004 2009.12.22 -
VBA32 3.12.12.0 2009.12.22 -
ViRobot 2009.12.22.2102 2009.12.22 -
VirusBuster 5.0.21.0 2009.12.22 -
Additional information
File size: 108032 bytes
MD5...: c6ce6eec82f187615d1002bb3bb50ed4
SHA1..: b958912d139cb8dbfeeacdd38ba048c4f452174e
SHA256: cea9c880328205ae3376eb8b005412cb0f8fce52a71c6f0651ef5f9c193f6e3f
ssdeep: 1536:tTEFQwemxUxDQOYxKO9IYpRbyMkP+roEacrcdISq/Oj/iyxqOxwq:tq/xUx<br>DQOYxKCIEoSoEUISq/OEOxwq<br>
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0xb5cc<br>timedatestamp.....: 0x41107eb3 (Wed Aug 04 06:14:11 2004)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x18f55 0x19000 6.26 b20d7426baadb5d61b21b7f45648ecfa<br>.data 0x1a000 0xa14 0xa00 2.05 fd6fc84823efda2858a97fe8e6dd8f76<br>.rsrc 0x1b000 0x7b0 0x800 3.15 d9f56ab9f5d44407cd57280022b2dd18<br><br>( 10 imports ) <br>&gt; msvcrt.dll: wcsrchr, time, _except_handler3, memmove, wcschr, _c_exit, _exit, _XcptFilter, _cexit, _wcsicmp, exit, __initenv, __getmainargs, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, wcslen, wcsncmp, _wtol, wcscpy, _itow, _wcsnicmp, wcscat, _initterm, wcsncpy, wcscspn, _ultow<br>&gt; ADVAPI32.dll: RegOpenKeyW, ConvertSidToStringSidW, LogonUserExW, LsaStorePrivateData, LsaLookupNames, LsaQueryInformationPolicy, OpenThreadToken, RegNotifyChangeKeyValue, InitializeSecurityDescriptor, StartServiceCtrlDispatcherW, RegisterServiceCtrlHandlerW, SetServiceStatus, SystemFunction029, SystemFunction005, CheckTokenMembership, FreeSid, AllocateAndInitializeSid, SetSecurityDescriptorOwner, GetSecurityDescriptorDacl, GetLengthSid, CopySid, InitializeAcl, AddAce, SetSecurityDescriptorDacl, LsaOpenPolicy, LsaLookupSids, LsaFreeMemory, LsaClose, ImpersonateLoggedOnUser, CreateProcessAsUserW, GetTokenInformation, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, InitiateSystemShutdownW, RevertToSelf<br>&gt; KERNEL32.dll: TerminateProcess, SetProcessShutdownParameters, lstrcmpiW, FormatMessageW, ExitThread, ReleaseMutex, DelayLoadFailureHook, RaiseException, GetExitCodeThread, SetErrorMode, SetUnhandledExceptionFilter, LoadLibraryA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcess, UnhandledExceptionFilter, GetModuleHandleA, CreateMutexW, LocalAlloc, LocalFree, Sleep, LeaveCriticalSection, EnterCriticalSection, SetLastError, CloseHandle, CreateThread, GetLastError, CreateProcessW, ExpandEnvironmentStringsW, InitializeCriticalSection, HeapAlloc, HeapFree, SetConsoleCtrlHandler, WaitForSingleObject, HeapCreate, FreeLibrary, GetProcAddress, GetModuleHandleExW, InterlockedCompareExchange, CreateNamedPipeW, ReadFile, CancelIo, GetOverlappedResult, WaitForMultipleObjects, ConnectNamedPipe, TransactNamedPipe, WriteFile, GetTickCount, GetSystemTimeAsFileTime, GetModuleHandleW, GetComputerNameW, CreateEventW, SetEvent, ResetEvent, DeviceIoControl, CreateFileW, ResumeThread, GetCurrentProcessId, LoadLibraryW, GetDriveTypeW, OpenEventW, GetCurrentThread<br>&gt; USER32.dll: wsprintfW, BroadcastSystemMessageW, MessageBoxW, LoadStringW, RegisterServicesProcess<br>&gt; RPCRT4.dll: RpcServerRegisterAuthInfoW, RpcBindingFree, RpcEpResolveBinding, RpcBindingFromStringBindingW, RpcStringBindingComposeW, NdrClientCall2, RpcAsyncCompleteCall, RpcAsyncInitializeHandle, NdrAsyncServerCall, NdrAsyncClientCall, RpcMgmtStopServerListening, RpcMgmtWaitServerListen, NdrServerCall2, I_RpcBindingIsClientLocal, RpcRevertToSelf, I_RpcMapWin32Status, RpcImpersonateClient, RpcStringBindingParseW, RpcStringFreeW, RpcBindingToStringBindingW, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcServerRegisterIf, RpcServerListen, RpcServerUnregisterIf<br>&gt; ntdll.dll: RtlCreateAcl, NtCreateKey, NtQueryValueKey, NtSetValueKey, NtDeleteValueKey, NtEnumerateKey, NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, NtDeleteKey, RtlSetControlSecurityDescriptor, RtlValidSecurityDescriptor, RtlLengthSecurityDescriptor, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenThreadToken, NtAccessCheckAndAuditAlarm, NtSetInformationThread, NtAdjustPrivilegesToken, NtDuplicateToken, NtOpenProcessToken, NtQueryInformationToken, RtlQuerySecurityObject, RtlAddAccessAllowedAce, RtlValidRelativeSecurityDescriptor, RtlMapGenericMask, RtlCopyUnicodeString, NtSetInformationFile, NtQueryInformationFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, NtWaitForSingleObject, NtQueryDirectoryFile, NtDeleteFile, NtSetInformationProcess, RtlUnhandledExceptionFilter, NtSetEvent, RtlGetAce, RtlQueryInformationAcl, RtlGetDaclSecurityDescriptor, RtlAllocateHeap, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, RtlUnicodeStringToAnsiString, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlNewSecurityObject, RtlAddAce, RtlSetOwnerSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetSaclSecurityDescriptor, RtlSubAuthorityCountSid, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlCompareUnicodeString, NtLoadDriver, NtUnloadDriver, RtlExpandEnvironmentStrings_U, RtlAdjustPrivilege, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, RtlAreAllAccessesGranted, NtDeleteObjectAuditAlarm, NtCloseObjectAuditAlarm, RtlQueueWorkItem, RtlCopyLuid, RtlDeregisterWait, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, RtlDeleteSecurityObject, RtlLockBootStatusData, RtlGetSetBootStatusData, RtlUnlockBootStatusData, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, NtSetSystemEnvironmentValue, RtlNtStatusToDosError, NtShutdownSystem, RtlSetSecurityObject, RtlMakeSelfRelativeSD, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtSetSecurityObject<br>&gt; USERENV.dll: UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock<br>&gt; SCESRV.dll: ScesrvInitializeServer, ScesrvTerminateServer<br>&gt; umpnpmgr.dll: RegisterScmCallback, PNP_SetActiveService, PNP_GetDeviceRegProp, PNP_GetDeviceListSize, PNP_GetDeviceList, PNP_HwProfFlags, RegisterServiceNotification, DeleteServicePlugPlayRegKeys<br>&gt; NCObjAPI.DLL: WmiSetAndCommitObject, WmiEventSourceConnect, WmiCreateObjectWithFormat<br><br>( 0 exports ) <br>
RDS...: NSRL Reference Data Set<br>-
trid..: Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
pdfid.: -
sigcheck:<br>publisher....: Microsoft Corporation<br>copyright....: © Microsoft Corporation. All rights reserved.<br>product......: Microsoft_ Windows_ Operating System<br>description..: Services and Controller app<br>original name: services.exe<br>internal name: services.exe<br>file version.: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>

#11 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 22 December 2009 - 09:04 PM

Posted ImageVirut File Infector Warning

Your system is infected with a polymorphic file infector called Virut and also has IRC bot functionality. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.

For these reasons, you really can't truly fix Virut. You will need to reinstall and format the operating system on this machine. As of now, security experts suggest that a clean Reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, pictures etc..) only. DO NOT backup any executable files (softwares) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

More information on Virut can be found over here and here

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 User is offline   abckid24 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 26
  • Joined: 29-December 05

Posted 23 December 2009 - 07:08 PM

OK..this might take a couple of days.. I have a lot of files to back up + of course the holidays. Can we resume this in a couple of days?

#13 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 23 December 2009 - 07:13 PM

Hello.

After doing a complete, format you will be completely clean so there would be no point in to continue would there?
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 29 December 2009 - 09:51 AM

Are you still there?
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 User is offline   extremeboy 

  • Da Bleepin' Instructor
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 12,924
  • Joined: 21-March 08
  • Gender:Male

Posted 02 January 2010 - 02:38 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users