2 Trojan Downloaders, Virtumonde, And Possibly More


  • This topic is locked
16 replies to this topic

#1 justme-

justme-

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:04 AM

Posted 21 July 2008 - 03:45 PM

This is a business computer on a network; so far it's the only client infected. Several hours of work have apparently removed many infections, only to have some reappear from these infections which I can't seem to lick.
I have run Ad-Aware (from Lavasoft), Spybot Search & Destroy, Trend Micro's free online scanner, and have since installed AVG anti-virus.
HijackThis fails to run, generating an error, and many websites (including this one) are blocked on the affected client, so I have to correspond from another client.
Here is my Kaspersky log, followed by my DSS logs.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, July 21, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, July 21, 2008 18:17:33
Records in database: 981279
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Program Files
C:\WINNT

Scan statistics:
Files scanned: 11383
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:36:31


File name / Threat name / Threats count
C:\Program Files\xloadnet\xloadnet.exe Infected: Trojan-Downloader.Win32.VB.fuu 1
C:\WINNT\system32\aumsDK01\aumsDK011065.exe Infected: Trojan-Downloader.Win32.VB.fao 1
C:\WINNT\system32\igqxklws.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aawg 1

The selected area was scanned.
---------------------------------------------------------------------------------------------------------------------------------------------

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-21 16:18:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-21 16:19:21
Platform: Windows 2000 Service Pack 4 (5.00.2195)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\services.exe
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\SPOOLSV.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\svchost.exe
C:\MSSQL7\Binn\SQLSERVR.EXE
C:\MSSQL7\Binn\SQLSERVR.DLL
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\mstask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\wbem\winmgmt.exe
C:\WINNT\explorer.exe
C:\Program Files\Vital\POS2000\BIN\vAppCon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\jkos-Administrator\binaries\ScanningProcess.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: {92d7e7d7-bd04-b288-86f4-76b72465ba31} - {13ab5642-7b67-4f68-882b-40db7d7e7d29} - C:\WINNT\system32\wbjzar.dll
O2 - BHO: gooochi browser optimizer - {36bfe620-5f71-7d8a-ff0d-fa00bbe7be4d} - C:\WINNT\system32\garkknzmpqc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program Files\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {E4E34997-4F97-47EC-BC23-2E177D921DFD} - C:\Documents and Settings\Evan\Local Settings\Temp\ljJAPIya.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AppCon] "C:\Program Files\Vital\POS2000\BIN\vAppCon.exe"
O4 - HKLM\..\Run: [{4e7751c2-121a-ed33-50ff-252d6addcfc6}] C:\WINNT\System32\Rundll32.exe "C:\WINNT\system32\garkknzmpqc.dll" DllStart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [BM47767480] Rundll32.exe "C:\WINNT\system32\sxtwaqwb.dll",s
O4 - HKLM\..\Run: [4445471c] rundll32.exe "C:\WINNT\system32\lgccuyvc.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program Files\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {31564D57-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmvax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216243485675
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_07) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...8156.7284490741
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://tcgonline.thecomputerguys.com/cryst...tiveXViewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\Binn\SQLSERVR.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


--
End of file - 7726 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 nlemsql - c:\winnt\system32\drivers\nlemsql.sys
R1 cmosa - c:\winnt\system32\drivers\cmosa.sys <Not Verified; Dell Computer Corporation.; Dell® OpenManage Client Instrumentation>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 MSSQLServer - c:\mssql7\binn\sqlservr.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-17 14:57:05 378 --a------ C:\WINNT\Tasks\XoftSpySE.job
2008-07-17 14:57:05 464 --a------ C:\WINNT\Tasks\XoftSpySE 2.job
2008-07-16 04:00:00 326 --a------ C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-06-21 and 2008-07-21 -----------------------------

2008-07-21 14:25:00 0 d-------- C:\WINNT\Sun
2008-07-21 14:24:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-07-21 14:23:49 0 d-------- C:\Program Files\Java
2008-07-21 14:23:35 0 d-------- C:\Program Files\Common Files\Java
2008-07-21 13:58:07 105280 --a------ C:\WINNT\system32\wbjzar.dll
2008-07-21 13:58:06 105280 --a------ C:\WINNT\system32\nckrqqef.dll
2008-07-21 13:58:03 81184 --a------ C:\WINNT\system32\lgccuyvc.dll
2008-07-21 13:55:54 91440 --a------ C:\WINNT\system32\sxtwaqwb.dll
2008-07-21 13:55:24 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_438.dat
2008-07-21 13:41:43 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_24c.dat
2008-07-17 17:15:00 81216 -----n--- C:\WINNT\system32\ihvfdfww.dll
2008-07-17 17:11:59 105200 --a------ C:\WINNT\system32\isbnsu.dll
2008-07-17 17:11:58 105200 --a------ C:\WINNT\system32\wtpgbksk.dll
2008-07-17 17:08:58 91440 --a------ C:\WINNT\system32\prbkdwof.dll
2008-07-17 15:06:48 0 d-------- C:\Program Files\xloadnet
2008-07-17 14:57:02 0 d-------- C:\Program Files\XoftSpySE
2008-07-17 13:31:28 0 d-------- C:\Program Files\Alwil Software
2008-07-17 11:21:30 0 d-------- C:\Program Files\InetGet2
2008-07-17 11:17:42 0 d-------- C:\Program Files\Network Monitor
2008-07-17 11:17:33 0 d-------- C:\WINNT\system32\vdll
2008-07-17 11:17:33 0 d-------- C:\WINNT\system32\dv32
2008-07-17 11:17:33 0 d-------- C:\WINNT\system32\bin1
2008-07-17 11:17:33 0 d-------- C:\WINNT\system32\BDE
2008-07-17 11:17:23 0 d-------- C:\WINNT\system32\aumsDK01
2008-07-17 10:54:22 64332 --a------ C:\WINNT\system32\wkzykjswav.exe
2008-07-17 10:47:32 830542 ---h----- C:\WINNT\ShellIconCache
2008-07-16 18:36:55 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-16 17:54:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_1f4.dat
2008-07-16 17:27:32 0 d-------- C:\WINNT\system32\BITS
2008-07-16 17:25:01 0 d-------- C:\WINNT\SoftwareDistribution
2008-07-16 17:07:13 105264 --a------ C:\WINNT\system32\ejwvcl.dll
2008-07-16 17:07:12 105264 --a------ C:\WINNT\system32\cetgkdsu.dll
2008-07-16 17:07:04 81328 --a------ C:\WINNT\system32\jjbojwnm.dll
2008-07-16 17:06:49 91440 --a------ C:\WINNT\system32\igqxklws.dll
2008-07-15 17:07:24 81184 -----n--- C:\WINNT\system32\ramhqwwd.dll
2008-07-15 17:07:14 110080 --a------ C:\WINNT\system32\diwbmsdr.exe
2008-07-15 17:06:38 105232 --a------ C:\WINNT\system32\rccxtr.dll
2008-07-15 17:06:37 105232 --a------ C:\WINNT\system32\qduninsu.dll
2008-07-15 17:06:16 91440 --a------ C:\WINNT\system32\swqcmqnt.dll
2008-07-15 13:36:16 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_2d8.dat
2008-07-15 13:32:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-15 11:57:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 11:54:15 0 d-------- C:\Documents and Settings\Evan\.housecall6.6
2008-07-15 11:35:35 0 d-------- C:\WINNT\wfrm
2008-07-15 11:35:35 0 d-------- C:\Program Files\Common Files\wfrm
2008-07-15 11:10:11 0 d-------- C:\Program Files\Webtools
2008-07-15 11:10:11 0 d-------- C:\Program Files\CPV8
2008-07-15 11:10:10 0 d-------- C:\Program Files\Temporary
2008-07-14 17:05:47 81168 -----n--- C:\WINNT\system32\dwaseuwr.dll
2008-07-14 17:05:41 105264 --a------ C:\WINNT\system32\nmibtx.dll
2008-07-14 17:05:38 105264 --a------ C:\WINNT\system32\ddcdotbk.dll
2008-07-14 17:04:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_380.dat
2008-07-14 11:58:28 152197 --a------ C:\WINNT\system32\g72.exe
2008-07-14 11:04:58 81152 -----n--- C:\WINNT\system32\msbyktry.dll
2008-07-14 10:58:54 0 d-------- C:\Program Files\AntiMalwareGuard8
2008-07-14 10:58:21 0 d--hs---- C:\WINNT\Qm9iIEpvaG5zb24
2008-07-14 10:58:18 0 d-------- C:\WINNT\system32\sfig
2008-07-14 10:58:18 0 d-------- C:\WINNT\system32\provdll
2008-07-14 10:58:18 0 d-------- C:\WINNT\system32\OBDE
2008-07-14 10:58:18 0 d-------- C:\WINNT\system32\imp32
2008-07-14 10:58:17 0 d-------- C:\WINNT\?ppPatch
2008-07-14 10:58:12 0 d-------- C:\WINNT\system32\olixds01
2008-07-07 10:27:12 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-03 13:12:00 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_133c.dat
2008-07-02 09:33:40 158208 --a------ C:\WINNT\system32\garkknzmpqc.dll
2008-07-02 06:32:16 74752 --a------ C:\WINNT\b155.exe


-- Find3M Report ---------------------------------------------------------------

2008-07-21 14:23:35 0 d-a------ C:\Program Files\Common Files
2008-07-17 12:28:18 0 d-------- C:\Program Files\Autopaper
2008-07-16 17:25:39 0 d-ah----- C:\Program Files\WindowsUpdate
2008-07-15 13:48:28 0 d-------- C:\Program Files\SpywareBlaster
2008-07-15 13:33:44 0 d-------- C:\Program Files\Lavasoft
2008-07-15 11:43:35 0 d-a------ C:\Program Files\Spyware Doctor


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13ab5642-7b67-4f68-882b-40db7d7e7d29}]
07/21/08 01:58p 105280 --a------ C:\WINNT\system32\wbjzar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36bfe620-5f71-7d8a-ff0d-fa00bbe7be4d}]
07/02/08 09:33a 158208 --a------ C:\WINNT\system32\garkknzmpqc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4E34997-4F97-47EC-BC23-2E177D921DFD}]
07/14/08 11:03a 314752 --a------ C:\DOCUME~1\Evan\LOCALS~1\Temp\ljJAPIya.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [07/14/03 08:00a C:\WINNT\system32\mobsync.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [07/06/05 09:36a]
"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" []
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"AppCon"="C:\Program Files\Vital\POS2000\BIN\vAppCon.exe" [07/30/06 03:56p]
"{4e7751c2-121a-ed33-50ff-252d6addcfc6}"="C:\WINNT\system32\garkknzmpqc.dll" [07/02/08 09:33a]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/08 07:19p]
"xloadnet"="C:\Program Files\xloadnet\xloadnet.exe" [07/17/08 03:06p]
"BM47767480"="C:\WINNT\system32\sxtwaqwb.dll" [07/21/08 01:55p]
"4445471c"="C:\WINNT\system32\lgccuyvc.dll" [07/21/08 01:58p]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/08 04:27a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xloadnet"="C:\Program Files\xloadnet\xloadnet.exe" [07/17/08 03:06p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\MSSQL7\Binn\sqlmangr.exe [2/7/2007 1:34:37 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\DOCUME~1\Evan\LOCALS~1\Temp\ljJAPIya

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-07-21 16:20:30 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 509.58 MiB / 180.92 MiB
Pagefile Memory (total/avail): 775.68 MiB / 269.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.35 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 33.67 GiB free.
D: is CDROM (No Media)
F: is Network (NTFS)
G: is Network (NTFS)
H: is Network (NTFS)
I: is Network (NTFS)

\\.\PHYSICALDRIVE0 - WDC WD40 0BB-00FJA0 SCSI Disk Device - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PACKARD
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\BANTAM
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\MSSQL7\BINN
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0806
ProgramFiles=C:\Program Files
PROMPT=$P$G
STATION=PACKARD
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=BJAL
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

evan.PACKARD (new local, admin)
Administrator.PACKARD (admin)
Evan
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AnswerWorks Runtime --> C:\WINNT\IsUninst.exe -f"C:\Program Files\WexTech\AnswerWorks\Uninst.isu"
Atomic Clock Sync --> C:\PROGRA~1\ATOMIC~1\UNWISE.EXE C:\PROGRA~1\ATOMIC~1\INSTALL.LOG
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Command --> wscript "C:\WINNT\Qm9iIEpvaG5zb24\kA62KHDSu3cWvZb.vbs"
Corel Applications --> C:\WINNT\Corel\Uninst32.exe
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
Enhancement Browser Tools Gooochi --> C:\WINNT\system32\wkzykjswav.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4P2VC9AZ\HijackThis.exe" /uninstall
Intel Ultra ATA Storage Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\setup.exe" -INTELUNINST
Internet Explorer Q831167 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q831167.inf
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LaserJet 1020 series --> C:\Program Files\Zenographics\{2D0E282E-E2CB-441F-A670-5350319C9989}\Setup.exe -u "HPLJInstaller.dll=Hplj1020.inf"
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINNT\INF\swflash.inf,DefaultUninstall,5
Microsoft Data Access Components KB870669 --> C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office Access 2003 --> MsiExec.exe /I{90150409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
MSDE --> C:\WINNT\IsUninst.exe -fC:\MSSQL7\Uninst.isu -c"C:\MSSQL7\sqlsun.dll" -msql70.mif
Network Monitor --> wscript "C:\WINNT\uninstall_nmon.vbs"
NVIDIA Windows 2000 Display Drivers --> rundll32.exe C:\WINNT\system32\nvinstnt.dll,NvUninstallNT4 nvde.inf
OrderReminder HP LaserJet 1020 --> "C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1020
Outerinfo --> "C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
Outlook Express Q823353 --> C:\WINNT\oeuninst.exe C:\WINNT\INF\Q823353.inf
POS-partner 2000 Upgrade Ver 6.2.4 --> C:\PROGRA~1\Vital\POS2000\UNUPGRADE.exe C:\PROGRA~1\Vital\POS2000\Upgrade.LOG
POS-partner 6.1.4 W/Database Encryption --> C:\PROGRA~1\Vital\POS2000\UNWISE.EXE C:\PROGRA~1\Vital\POS2000\INSTALL.LOG
SoundMAXWDM --> C:\WINNT\IsUninst.exe -fC:\WINNT\system32\ADuninst.isu
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 4.0 --> "C:\Program Files\Spyware Doctor\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
WinZip Self-Extractor --> "C:\Program Files\WinZip Self-Extractor\setup.exe" /uninstall
XoftSpySE --> C:\Program Files\XoftSpySE\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type15083 / Warning
Event Submitted/Written: 07/21/2008 01:42:23 PM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type15075 / Error
Event Submitted/Written: 07/21/2008 01:41:33 PM
Event ID/Source: 1001 / SQLCTR70
Event Description:
Cannot open the Registry Key.

Event Record #/Type15072 / Error
Event Submitted/Written: 07/18/2008 03:26:07 PM
Event ID/Source: 1000 / Userenv
Event Description:
Windows cannot unload your registry file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).

Event Record #/Type15069 / Warning
Event Submitted/Written: 07/18/2008 10:41:07 AM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type15061 / Error
Event Submitted/Written: 07/18/2008 10:40:17 AM
Event ID/Source: 1001 / SQLCTR70
Event Description:
Cannot open the Registry Key.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5139 / Error
Event Submitted/Written: 07/18/2008 03:24:15 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Record #/Type5134 / Error
Event Submitted/Written: 07/17/2008 03:58:18 PM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\Nbf_{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}.
The backup browser is stopping.

Event Record #/Type5133 / Warning
Event Submitted/Written: 07/17/2008 03:56:18 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\BANTAM on the network \Device\Nbf_{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}.
The data is the error code.

Event Record #/Type5121 / Error
Event Submitted/Written: 07/17/2008 01:27:39 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type5120 / Error
Event Submitted/Written: 07/17/2008 01:27:38 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}



-- End of Deckard's System Scanner: finished at 2008-07-21 16:20:30 ------------
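Triage of a HijackThis-style log like the one above, written here as an added example; it is not code from this thread or from HijackThis, DSS or any other tool named in it. It runs over a few constructed lines modelled on the posted log and flags the patterns an analyst checks first: BHOs with no readable name, pointing at a missing file or loaded from a Temp folder; Run values named with a GUID or a hex string; rundll32 loading a lowercase random-named DLL out of system32; and any Trusted Zone entry. All function names and regular expressions are my own, and the "random-looking name" rule is a heuristic that will also match some legitimate DLLs, so it is a prompt for a closer look, not a verdict.

```python
import re

# Constructed sample (not a complete log): HijackThis-style lines modelled on
# the entries posted in the thread, mixing legitimate and suspicious ones.
SAMPLE_LOG = r"""
O2 - BHO: {92d7e7d7-bd04-b288-86f4-76b72465ba31} - {13ab5642-7b67-4f68-882b-40db7d7e7d29} - C:\WINNT\system32\wbjzar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {E4E34997-4F97-47EC-BC23-2E177D921DFD} - C:\Documents and Settings\Evan\Local Settings\Temp\ljJAPIya.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{4e7751c2-121a-ed33-50ff-252d6addcfc6}] C:\WINNT\System32\Rundll32.exe "C:\WINNT\system32\garkknzmpqc.dll" DllStart
O4 - HKLM\..\Run: [BM47767480] Rundll32.exe "C:\WINNT\system32\sxtwaqwb.dll",s
O4 - HKLM\..\Run: [4445471c] rundll32.exe "C:\WINNT\system32\lgccuyvc.dll",b
O15 - Trusted Zone: *.sxload.net (HKLM)
"""

LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")          # "O4 - <rest>"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)                # e.g. "4445471c"
TEMP_RE = re.compile(r"\\Temp\\", re.I)                      # anything under a Temp folder
# Heuristic: a DLL directly in system32 whose name is only lowercase letters.
RANDOM_DLL_RE = re.compile(r"\\[sS]ystem32\\[a-z]{6,12}\.dll\b")
O2_RE = re.compile(r"BHO:\s+(.*?)\s+-\s+(\{[^}]+\})\s+-\s+(.*)$")   # name - {CLSID} - path
O4_RE = re.compile(r"(.*?):\s+\[(.*?)\]\s+(.*)$")                   # key: [value] command


def assess(line):
    """Return (section, rest, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    reasons = []
    if section == "O2":
        p = O2_RE.match(rest)
        if p:
            name, _clsid, path = p.groups()
            if name == "(no name)" or GUID_RE.match(name):
                reasons.append("BHO has no readable name")
            if path == "(no file)":
                reasons.append("BHO registration points at a missing file")
            if TEMP_RE.search(path):
                reasons.append("BHO loaded from a Temp directory")
            if RANDOM_DLL_RE.search(path):
                reasons.append("random-looking DLL name in system32")
    elif section == "O4":
        p = O4_RE.match(rest)
        if p:
            _key, value, command = p.groups()
            if GUID_RE.match(value) or HEX_RE.match(value):
                reasons.append("Run value named with a GUID or hex string")
            if "rundll32" in command.lower() and RANDOM_DLL_RE.search(command):
                reasons.append("rundll32 loading a random-looking system32 DLL")
    elif section == "O15":
        reasons.append("Trusted Zone entry relaxes IE security for that host")
    return section, rest, reasons


def triage(log_text):
    """Parse every line and keep only the entries that earned at least one reason."""
    findings = []
    for line in log_text.splitlines():
        result = assess(line)
        if result and result[2]:
            section, rest, reasons = result
            findings.append({"section": section, "entry": rest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['section']:4} {finding['entry']}")
        for reason in finding["reasons"]:
            print(f"       - {reason}")
```

On the constructed sample the script flags seven of the nine lines and leaves the Spybot BHO and the avast! Run entry alone; the same checks carry over to the O4 and O2 lines in the posted log unchanged, since the sample was copied from it.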

#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:04 AM

Posted 23 July 2008 - 04:34 AM

Hello Justme- and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Restart your computer.

4. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#3 justme-

justme-
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:04 AM

Posted 23 July 2008 - 12:03 PM

Thanks Thunder!

Just wanted to update: Yesterday (prior to any replies) I downloaded and ran ATF-Cleaner and Malwarebytes, which cleared several infections, after a reboot, but 4 remained. I set the machine to running Windows updates which periodically freezes, but has done many of them.

Kaspersky told me I still had a couple infections, so I am following your directions above (currently running malwarebytes) but found an issue- the machine affected is Win 2000. You specify to install the repair console, which seems to be an XP thing....
So how does that relate to the Combo-fix install (before I do it)?
Thanks


_Edit_
Ok, We're making progress- I am online with the affected computer!
Malwarebytes came up with no infections (log posted below) but Kaspersky still lists 3 infections (log also below). FYI - xloadnet deleted easily now (it was locked originally) and I renamed the other DLLs Kaspersky listed, hoping to trigger an error on load if they are still being called; so far no errors.

I used to be pretty good at this....

------------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.22
Database version: 979
Windows 5.0.2195 Service Pack 4

1:19:53 PM 7/23/2008
mbam-log-7-23-2008 (13-19-53).txt

Scan type: Quick Scan
Objects scanned: 59029
Time elapsed: 10 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 23, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 23, 2008 17:53:13
Records in database: 998522
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Program Files
C:\WINNT

Scan statistics:
Files scanned: 13746
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:32:54


File name / Threat name / Threats count
C:\Program Files\xloadnet\xloadnet.exe Infected: Trojan-Downloader.Win32.VB.fuu 1
C:\WINNT\system32\aumsDK01\aumsDK011065.exe Infected: Trojan-Downloader.Win32.VB.fao 1
C:\WINNT\system32\igqxklws.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aawg 1

The selected area was scanned.

Edited by justme-, 23 July 2008 - 01:23 PM.


#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 23 July 2008 - 04:04 PM

Hello Justme-,

To install the Recovery Console, perform the following steps:

1. Insert the Windows 2000 CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type: d:\i386\winnt32.exe /cmdcons
   where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears, which describes the Recovery Console option.
5. The system prompts you to confirm installation. Click Yes to start the installation procedure.
6. Restart the computer. The next time you start your computer, you will see a "Microsoft Windows Recovery Console" entry on the boot menu.

When done, you can run ComboFix. :thumbsup:

Greetings,
Thunder

#5 justme-

justme-
  • Topic Starter

  • Members
  • 8 posts

Posted 24 July 2008 - 09:48 AM

Thunder,
Here is the combofix log. I had a thought yesterday- I am running these tools mostly as the administrator, not the normal users (since they have no program install permissions). I decided to run the malwarebytes again under the user evan, and it found 1 infection it cannot clear (nor can I clear manually- the folder does not exist): c:/winnt/system32/dllcache/beep.sys, which it claims is a false beep. Just wanted to mention it since I am now unsure if running these as admin will catch all infections under the other user.

Anyway- repair console installed, here is combofix log as admin.

--------------------------------------------------------------------------------------------------
ComboFix 08-07-22.4 - Administrator 07/24/2008 10:32:50.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.331 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CPV.stt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINNT\megavid.cdt
C:\WINNT\muotr.so
C:\WINNT\pppatc~1
C:\WINNT\pppatc~1\?ppPatch\
C:\WINNT\pskt.ini
C:\WINNT\system32\cetgkdsu.dll
C:\WINNT\system32\igqxklwsrr08.dll
C:\WINNT\system32\isbnsu.dll
C:\WINNT\system32\MSINET.oca
C:\WINNT\system32\nmibtx.dll
C:\WINNT\system32\prbkdwof.dll
C:\WINNT\system32\qduninsu.dll
C:\WINNT\system32\rccxtr.dll
C:\WINNT\system32\swqcmqnt.dll
C:\WINNT\system32\sxtwaqwb.dll
C:\WINNT\system32\vesitwkl.ini
C:\WINNT\system32\wtpgbksk.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-24 10:40 . 08-07-24 10:40 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_238.dat
2008-07-24 10:30 . 08-07-24 10:30 375,948 ---h----- C:\WINNT\ShellIconCache
2008-07-23 14:35 . 08-07-23 14:35 <DIR> d-------- C:\Documents and Settings\Evan\Application Data\Malwarebytes
2008-07-23 10:59 . 08-07-23 10:59 <DIR> d-------- C:\WINNT\system32\Windows Media
2008-07-23 10:58 . 08-07-23 10:58 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-07-23 10:58 . 08-07-23 10:58 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-07-22 16:14 . 08-07-22 16:14 957 --a------ C:\WINNT\setup.inf
2008-07-22 16:14 . 08-07-22 16:14 283 --a------ C:\WINNT\setup.rpt
2008-07-22 15:52 . 02-08-29 07:14 44,032 -----c--- C:\WINNT\system32\dllcache\msxml3r.dll
2008-07-22 13:40 . 08-07-22 13:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 13:40 . 08-07-22 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 13:40 . 08-07-22 13:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-22 13:40 . 08-07-20 20:21 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-07-22 13:40 . 08-07-20 20:21 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-22 13:39 . 08-07-22 13:39 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-21 16:24 . 08-07-21 16:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 16:17 . 08-07-21 16:17 <DIR> d-------- C:\Deckard
2008-07-21 14:25 . 08-07-21 14:25 <DIR> d-------- C:\WINNT\Sun
2008-07-21 14:24 . 08-06-10 02:32 73,728 --a------ C:\WINNT\system32\javacpl.cpl
2008-07-21 14:23 . 08-07-21 14:24 <DIR> d-------- C:\Program Files\Java
2008-07-21 14:23 . 08-07-21 14:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-17 14:57 . 08-07-23 17:30 <DIR> d-------- C:\Program Files\XoftSpySE
2008-07-17 13:31 . 08-07-17 13:31 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-17 11:17 . 08-07-17 11:17 <DIR> d-------- C:\TEMP\zpv201
2008-07-17 10:54 . 08-07-17 10:54 64,332 --a------ C:\WINNT\system32\wkzykjswav.exe
2008-07-16 18:36 . 08-07-16 19:08 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-16 17:27 . 08-07-16 17:27 <DIR> d-------- C:\WINNT\system32\BITS
2008-07-16 17:25 . 07-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
2008-07-16 17:25 . 07-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
2008-07-16 17:25 . 07-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
2008-07-16 17:25 . 07-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-07-16 17:25 . 07-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll
2008-07-16 17:25 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-07-16 17:25 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-07-16 17:25 . 07-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-07-15 13:32 . 08-07-15 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-15 11:57 . 08-07-15 11:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 11:54 . 08-07-15 12:25 <DIR> d-------- C:\Documents and Settings\Evan\.housecall6.6
2008-07-15 11:35 . 08-07-15 11:35 <DIR> d-------- C:\WINNT\wfrm
2008-07-15 11:35 . 08-07-15 12:29 <DIR> d-------- C:\Program Files\Common Files\wfrm
2008-07-15 11:10 . 08-07-15 11:10 <DIR> d-------- C:\Program Files\CPV8
2008-07-15 10:56 . 08-07-15 10:56 13,942 --a------ C:\WINNT\system32\iphone-011.ico
2008-07-14 11:58 . 08-07-14 11:58 152,197 --a------ C:\WINNT\system32\g72.exe
2008-07-14 10:58 . 08-07-15 13:45 <DIR> d-------- C:\WINNT\system32\sfig
2008-07-14 10:58 . 08-07-15 13:45 <DIR> d-------- C:\WINNT\system32\provdll
2008-07-14 10:58 . 08-07-15 13:45 <DIR> d-------- C:\WINNT\system32\olixds01
2008-07-14 10:58 . 08-07-15 12:30 <DIR> d-------- C:\WINNT\system32\OBDE
2008-07-14 10:58 . 08-07-15 13:45 <DIR> d-------- C:\WINNT\system32\imp32
2008-07-14 10:58 . 08-07-17 14:46 <DIR> d--hs---- C:\WINNT\Qm9iIEpvaG5zb24
2008-07-14 10:58 . 08-07-15 11:35 <DIR> d-------- C:\Program Files\AntiMalwareGuard8
2008-07-07 10:27 . 08-07-24 10:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 16:28 --------- d-----w C:\Program Files\Autopaper
2008-07-15 20:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 17:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-15 17:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-15 17:33 --------- d-----w C:\Program Files\Lavasoft
2008-07-15 17:33 --------- d-----w C:\Documents and Settings\Evan\Application Data\Lavasoft
2008-07-15 15:43 --------- d---a-w C:\Program Files\Spyware Doctor
2008-05-16 15:58 12,632 ----a-w C:\WINNT\system32\lsdelete.exe
2007-05-22 19:16 36,292,130 ----a-w C:\Documents and Settings\Administrator.PACKARD\Upgrade.EXE
2004-06-18 23:30 271 ---h--w C:\Program Files\desktop.ini
2004-06-18 23:30 21,952 ---h--w C:\Program Files\folder.htt
2003-07-14 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05-07-06 09:36 100056]
"AppCon"="C:\Program Files\Vital\POS2000\BIN\vAppCon.exe" [06-07-30 15:56 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Synchronization Manager"="mobsync.exe" [03-07-14 08:00 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [08-07-07 10:27 2115728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-14 08:00 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\MSSQL7\Binn\sqlmangr.exe [2007-02-07 13:34:37 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 idebd;idebd;C:\WINNT\system32\DRIVERS\idebd.sys [00-05-30 00:00 ]
R0 IntelATA;IntelATA;C:\WINNT\system32\DRIVERS\intelata.sys [00-05-30 00:00 ]
R0 nlemsql;NLEMSQL;C:\WINNT\system32\drivers\nlemsql.sys [05-09-23 13:14 ]
R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-07-19 10:35 ]
R1 cmosa;cmosa;C:\WINNT\system32\drivers\cmosa.sys [00-05-08 20:50 ]
R2 aswFsBlk;aswFsBlk;C:\WINNT\system32\DRIVERS\aswFsBlk.sys [08-07-19 10:37 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 12:34 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 08:22 ]

*Newly Created Service* - ASWFSBLK
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 08:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NAV CfgWiz - C:\Program Files\Norton AntiVirus\CfgWiz.exe
HKLM-Run-SSC_UserPrompt - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
HKLM-Run-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = about:blank
O17 -: HKLM\CCS\Interface\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9

O16 -: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxps://tcgonline.thecomputerguys.com/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
C:\WINNT\Downloaded Program Files\crviewer.inf
C:\WINNT\system32\atl.dll
C:\WINNT\system32\mfc42.dll
C:\WINNT\system32\msvcrt.dll
C:\WINNT\system32\olepro32.dll
C:\WINNT\Downloaded Program Files\mfc42u.dll
C:\WINNT\Downloaded Program Files\cselexpt.ocx
C:\WINNT\Downloaded Program Files\reportparameterdialog.dll
C:\WINNT\Downloaded Program Files\CRViewer.dll
C:\WINNT\Downloaded Program Files\sviewhlp.dll
C:\WINNT\Downloaded Program Files\swebrs.dll
C:\WINNT\Downloaded Program Files\gdiplus.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 10:41:33
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINNT\TEMP\mc21.tmp"
.
Completion time: 2008-07-24 10:44:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 14:44:24

Pre-Run: 35,813,941,248 bytes free
Post-Run: 36,148,453,376 bytes free


#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 25 July 2008 - 04:16 AM

Hello Justme-,

Could you upload some files please ?
Can you zip all .dll.vir files in the folder C:\Qoobox using WinZip (or a similar program) to Qoobox.zip and upload the zipped file to :

http://www.bleepingcomputer.com/submit-malware.php?channel=9

How? :
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/t/158935/2-trojan-downloaders-virtumonde-and-possibly-more/
2. In the second window (Browse to the file you want to submit:) browse to the Qoobox.zip file
3. Click the Send file button :thumbsup:

Then, let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
Collect::[9]
C:\WINNT\system32\wkzykjswav.exe
C:\WINNT\system32\g72.exe
Folder::
C:\TEMP\zpv201
C:\WINNT\system32\sfig
C:\WINNT\system32\provdll
C:\WINNT\system32\olixds01
C:\WINNT\system32\OBDE
C:\WINNT\system32\imp32
C:\WINNT\Qm9iIEpvaG5zb24
C:\Program Files\AntiMalwareGuard8

Save this as a text file, CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open.
Simply follow the instructions to copy/paste/send the requested file [9]-Submit_Date_Time.zip.

Are you still having problems ?

Greetings,
Thunder
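As an added example (not part of this thread, nor ComboFix's own code), here is a small Python helper that parses the "Files Created" lines of a ComboFix log and drafts a CFScript in the format Thunder posted above: files under Collect::, directories under Folder::, plus a triage pass that flags entries carrying both the hidden and system attributes. The parser, the helper names and the sample report lines (copied from this thread's log) are constructed for the example.

```python
"""Parse the ComboFix "Files Created" section and draft a CFScript.

The CFScript syntax (Collect:: for files, Folder:: for directories) follows
the script posted in this thread; the parser, the helper names and the
sample report lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# One "Files Created" line:  created . modified  size-or-<DIR>  attrs  path
_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{2}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-\w]{9}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    is_dir: bool
    size: int     # 0 for directories
    attrs: str    # ComboFix attribute string, e.g. d--hs---- (d=dir, h=hidden, s=system)
    path: str

    @property
    def hidden_system(self) -> bool:
        """True when both the hidden and the system attribute are set."""
        return "h" in self.attrs and "s" in self.attrs


def parse_files_created(lines: Iterable[str]) -> List[Entry]:
    """Return one Entry per report line; banners, dots and blank lines are skipped."""
    entries: List[Entry] = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        size = 0 if is_dir else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], is_dir, size,
                             m["attrs"], m["path"]))
    return entries


def hidden_system(entries: List[Entry]) -> List[Entry]:
    """Triage helper: entries carrying both the hidden and system attributes."""
    return [e for e in entries if e.hidden_system]


def build_cfscript(entries: List[Entry], wanted: Iterable[str],
                   collect_tag: str = "[9]") -> str:
    """Draft a CFScript: wanted files under Collect::, wanted directories under Folder::.

    Paths are matched case-insensitively against the parsed report, so a path
    that never appeared in the report is left out of the script.
    """
    wanted_l = {p.lower() for p in wanted}
    files = [e.path for e in entries if not e.is_dir and e.path.lower() in wanted_l]
    dirs = [e.path for e in entries if e.is_dir and e.path.lower() in wanted_l]
    out: List[str] = []
    if files:
        out.append(f"Collect::{collect_tag}")
        out.extend(files)
    if dirs:
        out.append("Folder::")
        out.extend(dirs)
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample: a few lines copied from the ComboFix log in this thread.
SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.

2008-07-17 11:17 . 08-07-17 11:17 <DIR> d-------- C:\TEMP\zpv201
2008-07-17 10:54 . 08-07-17 10:54 64,332 --a------ C:\WINNT\system32\wkzykjswav.exe
2008-07-16 17:25 . 07-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
2008-07-14 11:58 . 08-07-14 11:58 152,197 --a------ C:\WINNT\system32\g72.exe
2008-07-14 10:58 . 08-07-15 13:45 <DIR> d-------- C:\WINNT\system32\sfig
2008-07-14 10:58 . 08-07-17 14:46 <DIR> d--hs---- C:\WINNT\Qm9iIEpvaG5zb24
2008-07-14 10:58 . 08-07-15 11:35 <DIR> d-------- C:\Program Files\AntiMalwareGuard8
"""

# Items the helper asked to collect or remove (wuapi.dll is a Windows Update
# component and is deliberately not on the list).
WANTED = [
    r"C:\WINNT\system32\wkzykjswav.exe",
    r"C:\WINNT\system32\g72.exe",
    r"C:\TEMP\zpv201",
    r"C:\WINNT\system32\sfig",
    r"C:\WINNT\Qm9iIEpvaG5zb24",
    r"C:\Program Files\AntiMalwareGuard8",
]

if __name__ == "__main__":
    parsed = parse_files_created(SAMPLE.splitlines())
    for e in hidden_system(parsed):
        print("hidden+system:", e.path)
    print(build_cfscript(parsed, WANTED), end="")
```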

#7 justme-

justme-
  • Topic Starter

  • Members
  • 8 posts

Posted 25 July 2008 - 04:08 PM

Thank you Thunder,
I could not find any .dll.vir files in the C:\Qoobox directory, so to be sure, I zipped the entire directory.
The Script in combofix did indeed upload the zip file.

I will attempt to run the computer and look for the issues over the weekend. Below are the requested Hijackthis and Combofix logs.


-----------------------------------------------------------------------
ComboFix 08-07-22.4 - Administrator 2008-07-25 16:58:57.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.288 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiMalwareGuard8
C:\Program Files\AntiMalwareGuard8\BL.dat
C:\Program Files\AntiMalwareGuard8\WL.dat
C:\TEMP\zpv201
C:\TEMP\zpv201\chckNB2.log
C:\WINNT\Qm9iIEpvaG5zb24
C:\WINNT\system32\g72.exe
C:\WINNT\system32\imp32
C:\WINNT\system32\OBDE
C:\WINNT\system32\olixds01
C:\WINNT\system32\provdll
C:\WINNT\system32\sfig
C:\WINNT\system32\wkzykjswav.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-25 16:58 . 08-07-25 16:58 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_424.dat
2008-07-25 16:55 . 08-07-25 16:55 1,220,246 --a------ C:\QooBox.zip
2008-07-25 16:54 . 08-07-25 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-07-24 17:56 . 08-07-24 17:56 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_23c.dat
2008-07-24 10:40 . 08-07-24 10:40 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_238.dat
2008-07-24 10:30 . 08-07-24 10:54 376,888 ---h----- C:\WINNT\ShellIconCache
2008-07-23 14:35 . 08-07-23 14:35 <DIR> d-------- C:\Documents and Settings\Evan\Application Data\Malwarebytes
2008-07-23 10:59 . 08-07-23 10:59 <DIR> d-------- C:\WINNT\system32\Windows Media
2008-07-23 10:58 . 08-07-23 10:58 <DIR> d-------- C:\WINNT\msiinst.tmp
2008-07-23 10:58 . 08-07-23 10:58 <DIR> d--h-c--- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-07-22 16:14 . 08-07-22 16:14 957 --a------ C:\WINNT\setup.inf
2008-07-22 16:14 . 08-07-22 16:14 283 --a------ C:\WINNT\setup.rpt
2008-07-22 15:52 . 02-08-29 07:14 44,032 -----c--- C:\WINNT\system32\dllcache\msxml3r.dll
2008-07-22 13:40 . 08-07-22 13:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-22 13:40 . 08-07-22 13:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-22 13:40 . 08-07-22 13:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-07-22 13:40 . 08-07-20 20:21 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-07-22 13:40 . 08-07-20 20:21 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-22 13:39 . 08-07-22 13:39 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-21 16:24 . 08-07-21 16:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-21 16:17 . 08-07-21 16:17 <DIR> d-------- C:\Deckard
2008-07-21 14:25 . 08-07-21 14:25 <DIR> d-------- C:\WINNT\Sun
2008-07-21 14:24 . 08-06-10 02:32 73,728 --a------ C:\WINNT\system32\javacpl.cpl
2008-07-21 14:23 . 08-07-21 14:24 <DIR> d-------- C:\Program Files\Java
2008-07-21 14:23 . 08-07-21 14:23 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-17 14:57 . 08-07-23 17:30 <DIR> d-------- C:\Program Files\XoftSpySE
2008-07-17 13:31 . 08-07-17 13:31 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-16 18:36 . 08-07-16 19:08 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-16 17:27 . 08-07-16 17:27 <DIR> d-------- C:\WINNT\system32\BITS
2008-07-16 17:25 . 07-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
2008-07-16 17:25 . 07-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
2008-07-16 17:25 . 07-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
2008-07-16 17:25 . 07-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-07-16 17:25 . 07-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll
2008-07-16 17:25 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-07-16 17:25 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-07-16 17:25 . 07-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-07-15 13:32 . 08-07-15 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-15 11:57 . 08-07-15 11:57 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-15 11:54 . 08-07-15 12:25 <DIR> d-------- C:\Documents and Settings\Evan\.housecall6.6
2008-07-15 11:35 . 08-07-15 11:35 <DIR> d-------- C:\WINNT\wfrm
2008-07-15 11:35 . 08-07-15 12:29 <DIR> d-------- C:\Program Files\Common Files\wfrm
2008-07-15 11:10 . 08-07-15 11:10 <DIR> d-------- C:\Program Files\CPV8
2008-07-15 10:56 . 08-07-15 10:56 13,942 --a------ C:\WINNT\system32\iphone-011.ico
2008-07-07 10:27 . 08-07-24 10:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 05:41 . 08-06-25 05:41 137,488 --a--c--- C:\WINNT\system32\dllcache\dnsapi.dll
2008-06-25 05:41 . 08-06-25 05:41 105,744 --a------ C:\WINNT\system32\msafd.dll
2008-06-25 05:41 . 08-06-25 05:41 105,744 --a--c--- C:\WINNT\system32\dllcache\msafd.dll
2008-06-25 05:41 . 08-06-25 05:41 64,784 --a------ C:\WINNT\system32\mswsock.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 16:28 --------- d-----w C:\Program Files\Autopaper
2008-07-15 20:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-15 17:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-15 17:48 --------- d-----w C:\Program Files\SpywareBlaster
2008-07-15 17:33 --------- d-----w C:\Program Files\Lavasoft
2008-07-15 17:33 --------- d-----w C:\Documents and Settings\Evan\Application Data\Lavasoft
2008-07-15 15:43 --------- d---a-w C:\Program Files\Spyware Doctor
2008-06-18 10:05 320,528 ----a-w C:\WINNT\system32\drivers\tcpip.sys
2008-05-16 15:58 12,632 ----a-w C:\WINNT\system32\lsdelete.exe
2008-04-30 07:03 791,824 ----a-w C:\WINNT\system32\quartz.dll
2007-05-22 19:16 36,292,130 ----a-w C:\Documents and Settings\Administrator.PACKARD\Upgrade.EXE
2004-06-18 23:30 271 ---h--w C:\Program Files\desktop.ini
2004-06-18 23:30 21,952 ---h--w C:\Program Files\folder.htt
2003-07-14 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Thu 2008-07-24_10.43.14.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-24 23:33:02 1,527,056 ----a-w C:\WINNT\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
- 2007-03-06 06:12:21 1,641,936 ------w C:\WINNT\Driver Cache\i386\win32k.sys
+ 2008-03-19 09:26:34 1,644,080 ------w C:\WINNT\Driver Cache\i386\win32k.sys
+ 2008-07-25 20:54:26 632,320 ----a-r C:\WINNT\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}\IconCD95F66110.exe
+ 2008-07-25 20:54:26 29,184 ----a-r C:\WINNT\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}\IconCD95F6617.exe
- 2004-01-21 20:21:08 1,026,048 ----a-w C:\WINNT\system32\BROWSEUI.DLL
+ 2008-04-18 13:00:22 1,018,368 ----a-w C:\WINNT\system32\BROWSEUI.DLL
- 2002-08-29 11:14:40 142,336 ----a-w C:\WINNT\system32\cdfview.dll
+ 2008-04-18 13:00:26 143,360 ----a-w C:\WINNT\system32\CDFVIEW.DLL
- 2003-07-14 12:00:00 1,133,840 ----a-w C:\WINNT\system32\danim.dll
+ 2008-02-16 05:59:36 1,054,208 ----a-w C:\WINNT\system32\DANIM.DLL
- 2005-04-21 08:03:08 127,568 -c--a-w C:\WINNT\system32\dllcache\afd.sys
+ 2008-05-08 08:38:06 119,152 -c--a-w C:\WINNT\system32\dllcache\afd.sys
- 2004-01-21 20:21:08 1,026,048 -c--a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
+ 2008-04-18 13:00:22 1,018,368 -c--a-w C:\WINNT\system32\dllcache\BROWSEUI.DLL
- 2002-08-29 11:14:40 142,336 -c--a-w C:\WINNT\system32\dllcache\cdfview.dll
+ 2008-04-18 13:00:26 143,360 -c--a-w C:\WINNT\system32\dllcache\CDFVIEW.DLL
- 2003-07-14 12:00:00 1,133,840 -c--a-w C:\WINNT\system32\dllcache\danim.dll
+ 2008-02-16 05:59:36 1,054,208 -c--a-w C:\WINNT\system32\dllcache\DANIM.DLL
- 2004-03-01 19:58:18 561,424 -c--a-w C:\WINNT\system32\dllcache\dao360.dll
+ 2008-03-27 07:00:14 554,008 -c--a-w C:\WINNT\system32\dllcache\dao360.dll
- 2003-03-03 20:57:20 75,776 -c--a-w C:\WINNT\system32\dllcache\directdb.dll
+ 2007-08-19 21:55:12 75,776 -c--a-w C:\WINNT\system32\dllcache\DIRECTDB.DLL
- 2006-07-06 11:45:32 96,528 -c--a-w C:\WINNT\system32\dllcache\dnsrslvr.dll
+ 2008-02-15 13:24:10 96,528 -c--a-w C:\WINNT\system32\dllcache\dnsrslvr.dll
- 2002-08-29 11:14:40 351,232 -c--a-w C:\WINNT\system32\dllcache\dxtmsft.dll
+ 2008-04-18 12:54:54 351,744 -c--a-w C:\WINNT\system32\dllcache\DXTMSFT.DLL
- 2002-08-29 11:14:40 187,392 -c--a-w C:\WINNT\system32\dllcache\dxtrans.dll
+ 2008-04-18 12:54:52 192,512 -c--a-w C:\WINNT\system32\dllcache\DXTRANS.DLL
- 2005-04-14 06:59:02 136,880 -c----w C:\WINNT\system32\dllcache\fltmgr.sys
+ 2006-08-22 16:48:40 136,912 -c----w C:\WINNT\system32\dllcache\fltmgr.sys
- 2007-03-06 11:17:46 235,280 -c--a-w C:\WINNT\system32\dllcache\GDI32.DLL
+ 2008-02-19 17:08:58 236,304 -c--a-w C:\WINNT\system32\dllcache\GDI32.DLL
- 2002-08-29 11:14:40 231,424 -c--a-w C:\WINNT\system32\dllcache\iepeers.dll
+ 2008-04-18 12:55:04 236,032 -c--a-w C:\WINNT\system32\dllcache\IEPEERS.DLL
- 2004-06-07 18:19:46 596,480 -c--a-w C:\WINNT\system32\dllcache\inetcomm.dll
+ 2007-08-19 21:55:32 596,992 -c--a-w C:\WINNT\system32\dllcache\INETCOMM.DLL
- 2002-10-11 19:08:36 47,616 -c--a-w C:\WINNT\system32\dllcache\inetres.dll
+ 2007-08-19 21:55:26 47,616 -c--a-w C:\WINNT\system32\dllcache\INETRES.DLL
- 2002-08-29 11:14:40 69,632 -c--a-w C:\WINNT\system32\dllcache\inseng.dll
+ 2008-04-18 12:55:08 69,632 -c--a-w C:\WINNT\system32\dllcache\INSENG.DLL
+ 2007-08-17 06:48:22 39,184 -c----w C:\WINNT\system32\dllcache\jpeg2x32.dll
- 2003-01-13 18:57:58 589,881 -c--a-w C:\WINNT\system32\dllcache\jscript.dll
+ 2008-01-05 07:05:56 458,752 -c--a-w C:\WINNT\system32\dllcache\jscript.dll
- 2002-08-29 11:14:40 12,288 -c--a-w C:\WINNT\system32\dllcache\jsproxy.dll
+ 2008-04-18 12:55:22 12,288 -c--a-w C:\WINNT\system32\dllcache\JSPROXY.DLL
+ 2007-05-11 07:41:54 524,560 -c----w C:\WINNT\system32\dllcache\kodakimg.exe
+ 2007-05-11 07:42:16 73,488 -c----w C:\WINNT\system32\dllcache\kodakprv.exe
- 2006-08-16 14:28:16 513,808 -c--a-w C:\WINNT\system32\dllcache\LSASRV.DLL
+ 2007-10-16 11:34:39 513,808 -c--a-w C:\WINNT\system32\dllcache\LSASRV.DLL
- 2005-01-12 19:39:52 291,088 -c--a-w C:\WINNT\system32\dllcache\mq1repl.dll
+ 2007-10-17 07:22:06 292,112 -c--a-w C:\WINNT\system32\dllcache\mq1repl.dll
- 2003-12-22 07:56:24 14,096 -c--a-w C:\WINNT\system32\dllcache\mq1sync.exe
+ 2007-10-16 13:51:24 14,096 -c--a-w C:\WINNT\system32\dllcache\mq1sync.exe
- 2004-10-24 13:10:20 77,680 -c--a-w C:\WINNT\system32\dllcache\mqac.sys
+ 2007-10-16 13:51:26 77,712 -c--a-w C:\WINNT\system32\dllcache\mqac.sys
- 2005-01-12 19:39:52 217,360 -c--a-w C:\WINNT\system32\dllcache\mqads.dll
+ 2007-10-17 07:22:06 218,384 -c--a-w C:\WINNT\system32\dllcache\mqads.dll
- 2003-07-14 12:00:00 25,360 -c--a-w C:\WINNT\system32\dllcache\mqbkup.exe
+ 2007-10-16 13:51:26 25,360 -c--a-w C:\WINNT\system32\dllcache\mqbkup.exe
- 2003-07-14 12:00:00 29,456 -c--a-w C:\WINNT\system32\dllcache\mqcertui.dll
+ 2007-10-17 07:22:06 29,456 -c--a-w C:\WINNT\system32\dllcache\mqcertui.dll
- 2005-01-12 19:39:54 50,448 -c----w C:\WINNT\system32\dllcache\mqclus.dll
+ 2007-10-17 07:22:06 50,448 -c--a-w C:\WINNT\system32\dllcache\mqclus.dll
- 2003-07-14 12:00:00 29,968 -c--a-w C:\WINNT\system32\dllcache\mqdbodbc.dll
+ 2007-10-17 07:22:06 29,968 -c--a-w C:\WINNT\system32\dllcache\mqdbodbc.dll
- 2005-01-12 19:39:54 76,560 -c--a-w C:\WINNT\system32\dllcache\mqdscli.dll
+ 2007-10-17 07:22:06 77,072 -c--a-w C:\WINNT\system32\dllcache\mqdscli.dll
- 2005-01-12 19:39:54 42,256 -c--a-w C:\WINNT\system32\dllcache\mqdssrv.dll
+ 2007-10-17 07:22:06 42,256 -c--a-w C:\WINNT\system32\dllcache\mqdssrv.dll
- 2003-07-14 12:00:00 87,312 -c--a-w C:\WINNT\system32\dllcache\mqlogmgr.dll
+ 2007-10-17 07:22:06 96,016 -c--a-w C:\WINNT\system32\dllcache\mqlogmgr.dll
- 2003-12-22 07:56:26 98,064 -c--a-w C:\WINNT\system32\dllcache\mqmig.exe
+ 2007-10-16 13:51:28 98,064 -c--a-w C:\WINNT\system32\dllcache\mqmig.exe
- 2005-01-12 19:39:54 266,512 -c--a-w C:\WINNT\system32\dllcache\mqmigrat.dll
+ 2007-10-17 07:22:06 267,536 -c--a-w C:\WINNT\system32\dllcache\mqmigrat.dll
- 2005-01-12 19:39:54 222,480 -c--a-w C:\WINNT\system32\dllcache\mqoa.dll
+ 2007-10-17 07:22:06 222,480 -c--a-w C:\WINNT\system32\dllcache\mqoa.dll
- 2005-01-12 19:39:54 10,000 -c--a-w C:\WINNT\system32\dllcache\mqperf.dll
+ 2007-10-17 07:22:06 10,000 -c--a-w C:\WINNT\system32\dllcache\mqperf.dll
- 2005-01-12 19:39:54 438,544 -c--a-w C:\WINNT\system32\dllcache\mqqm.dll
+ 2007-10-17 07:22:06 440,592 -c--a-w C:\WINNT\system32\dllcache\mqqm.dll
+ 2007-10-17 07:22:06 8,464 -c----w C:\WINNT\system32\dllcache\mqrperf.dll
- 2005-04-08 10:34:42 102,672 -c--a-w C:\WINNT\system32\dllcache\mqrt.dll
+ 2007-10-17 07:22:06 102,672 -c--a-w C:\WINNT\system32\dllcache\mqrt.dll
- 2005-01-12 19:39:54 70,928 -c--a-w C:\WINNT\system32\dllcache\mqsec.dll
+ 2007-10-17 07:22:06 70,928 -c--a-w C:\WINNT\system32\dllcache\mqsec.dll
- 2005-01-12 19:39:54 400,656 -c--a-w C:\WINNT\system32\dllcache\mqsnap.dll
+ 2007-10-17 07:22:06 400,656 -c--a-w C:\WINNT\system32\dllcache\mqsnap.dll
- 2003-07-14 12:00:00 14,096 -c--a-w C:\WINNT\system32\dllcache\mqsvc.exe
+ 2007-10-16 13:51:34 14,096 -c--a-w C:\WINNT\system32\dllcache\mqsvc.exe
- 2005-01-12 19:39:54 23,824 -c--a-w C:\WINNT\system32\dllcache\mqupgrd.dll
+ 2007-10-17 07:22:06 23,824 -c--a-w C:\WINNT\system32\dllcache\mqupgrd.dll
- 2005-01-12 19:39:54 110,864 -c--a-w C:\WINNT\system32\dllcache\mqutil.dll
+ 2007-10-17 07:22:06 111,888 -c--a-w C:\WINNT\system32\dllcache\mqutil.dll
- 2003-09-27 01:12:47 512,272 -c--a-w C:\WINNT\system32\dllcache\msexch40.dll
+ 2008-03-27 07:00:47 518,944 -c--a-w C:\WINNT\system32\dllcache\msexch40.dll
- 2004-07-20 02:56:40 319,760 -c--a-w C:\WINNT\system32\dllcache\msexcl40.dll
+ 2008-03-27 07:00:52 326,432 -c--a-w C:\WINNT\system32\dllcache\msexcl40.dll
- 2004-01-21 20:19:24 2,795,520 -c--a-w C:\WINNT\system32\dllcache\MSHTML.DLL
+ 2008-04-18 12:54:58 2,705,408 -c--a-w C:\WINNT\system32\dllcache\MSHTML.DLL
- 2003-03-03 20:57:20 44,032 -c--a-w C:\WINNT\system32\dllcache\msident.dll
+ 2007-08-19 21:52:36 44,032 -c--a-w C:\WINNT\system32\dllcache\MSIDENT.DLL
- 2003-03-03 20:57:18 56,832 -c--a-w C:\WINNT\system32\dllcache\msimn.exe
+ 2007-08-19 21:55:44 56,832 -c--a-w C:\WINNT\system32\dllcache\MSIMN.EXE
- 2004-07-20 02:56:44 1,507,600 -c--a-w C:\WINNT\system32\dllcache\msjet40.dll
+ 2008-03-27 07:01:34 1,516,568 -c--a-w C:\WINNT\system32\dllcache\msjet40.dll
- 2004-02-18 00:26:43 352,528 -c--a-w C:\WINNT\system32\dllcache\msjetol1.dll
+ 2008-03-27 07:02:34 355,112 -c--a-w C:\WINNT\system32\dllcache\msjetol1.dll
- 2003-09-27 01:12:53 151,824 -c--a-w C:\WINNT\system32\dllcache\msjint40.dll
+ 2008-03-27 07:13:31 151,583 -c--a-w C:\WINNT\system32\dllcache\msjint40.dll
- 2003-09-27 01:12:53 53,520 -c--a-w C:\WINNT\system32\dllcache\msjter40.dll
+ 2008-03-27 07:02:57 60,192 -c--a-w C:\WINNT\system32\dllcache\msjter40.dll
- 2004-07-20 02:56:46 241,936 -c--a-w C:\WINNT\system32\dllcache\msjtes40.dll
+ 2008-03-27 07:03:05 248,608 -c--a-w C:\WINNT\system32\dllcache\msjtes40.dll
- 2003-09-27 01:12:54 213,264 -c--a-w C:\WINNT\system32\dllcache\msltus40.dll
+ 2008-03-27 07:03:25 219,936 -c--a-w C:\WINNT\system32\dllcache\msltus40.dll
- 2003-07-14 12:00:00 159,504 -c--a-w C:\WINNT\system32\dllcache\msmqocm.dll
+ 2007-10-17 07:22:06 159,504 -c--a-w C:\WINNT\system32\dllcache\msmqocm.dll
- 2004-05-26 18:26:42 1,175,040 -c--a-w C:\WINNT\system32\dllcache\msoe.dll
+ 2007-08-19 21:55:38 1,176,064 -c--a-w C:\WINNT\system32\dllcache\MSOE.DLL
- 2003-03-03 20:57:20 228,864 -c--a-w C:\WINNT\system32\dllcache\msoeacct.dll
+ 2007-08-19 21:55:14 229,376 -c--a-w C:\WINNT\system32\dllcache\MSOEACCT.DLL
- 2002-10-11 19:09:02 2,479,616 -c--a-w C:\WINNT\system32\dllcache\msoeres.dll
+ 2007-08-19 21:55:48 2,479,616 -c--a-w C:\WINNT\system32\dllcache\MSOERES.DLL
- 2003-03-03 20:57:18 91,136 -c--a-w C:\WINNT\system32\dllcache\msoert2.dll
+ 2007-08-19 21:55:10 91,136 -c--a-w C:\WINNT\system32\dllcache\MSOERT2.DLL
- 2004-07-20 02:56:46 348,432 -c--a-w C:\WINNT\system32\dllcache\mspbde40.dll
+ 2008-03-27 07:03:43 355,104 -c--a-w C:\WINNT\system32\dllcache\mspbde40.dll
- 2002-08-29 11:14:40 132,096 -c--a-w C:\WINNT\system32\dllcache\msrating.dll
+ 2008-04-18 13:00:44 132,096 -c--a-w C:\WINNT\system32\dllcache\MSRATING.DLL
- 2003-09-27 01:12:56 422,160 -c--a-w C:\WINNT\system32\dllcache\msrd2x40.dll
+ 2008-03-27 07:04:07 432,928 -c--a-w C:\WINNT\system32\dllcache\msrd2x40.dll
- 2003-09-27 01:12:57 315,664 -c--a-w C:\WINNT\system32\dllcache\msrd3x40.dll
+ 2008-03-27 07:04:27 322,336 -c--a-w C:\WINNT\system32\dllcache\msrd3x40.dll
- 2004-07-20 02:56:48 553,232 -c--a-w C:\WINNT\system32\dllcache\msrepl40.dll
+ 2008-03-27 07:04:57 559,904 -c--a-w C:\WINNT\system32\dllcache\msrepl40.dll
- 2004-10-26 14:52:16 258,320 -c--a-w C:\WINNT\system32\dllcache\mstext40.dll
+ 2008-03-27 07:05:21 264,992 -c--a-w C:\WINNT\system32\dllcache\mstext40.dll
- 2002-08-29 11:14:40 496,128 -c--a-w C:\WINNT\system32\dllcache\mstime.dll
+ 2008-04-18 12:54:48 498,176 -c--a-w C:\WINNT\system32\dllcache\MSTIME.DLL
- 2003-09-27 01:13:00 831,760 -c--a-w C:\WINNT\system32\dllcache\mswdat10.dll
+ 2008-03-27 07:05:38 838,432 -c--a-w C:\WINNT\system32\dllcache\mswdat10.dll
- 2003-07-14 12:00:00 64,272 -c--a-w C:\WINNT\system32\dllcache\mswsock.dll
+ 2008-06-25 09:41:54 64,784 -c--a-w C:\WINNT\system32\dllcache\mswsock.dll
- 2003-09-27 01:13:01 614,672 -c--a-w C:\WINNT\system32\dllcache\mswstr10.dll
+ 2008-03-27 07:05:51 621,344 -c--a-w C:\WINNT\system32\dllcache\mswstr10.dll
- 2004-07-20 02:56:28 348,432 -c--a-w C:\WINNT\system32\dllcache\msxbde40.dll
+ 2008-03-27 07:06:00 355,104 -c--a-w C:\WINNT\system32\dllcache\msxbde40.dll
- 2003-03-03 20:57:20 93,184 -c--a-w C:\WINNT\system32\dllcache\oeimport.dll
+ 2007-08-19 21:55:36 93,184 -c--a-w C:\WINNT\system32\dllcache\OEIMPORT.DLL
- 2003-03-03 20:57:18 55,808 -c--a-w C:\WINNT\system32\dllcache\oemig50.exe
+ 2007-08-19 21:55:50 55,808 -c--a-w C:\WINNT\system32\dllcache\OEMIG50.EXE
- 2003-03-03 20:57:16 31,744 -c--a-w C:\WINNT\system32\dllcache\oemiglib.dll
+ 2007-08-19 21:55:50 31,744 -c--a-w C:\WINNT\system32\dllcache\OEMIGLIB.DLL
+ 2007-08-17 06:48:22 448,272 -c----w C:\WINNT\system32\dllcache\oieng400.dll
- 2003-07-14 12:00:00 626,960 -c--a-w C:\WINNT\system32\dllcache\oleaut32.dll
+ 2007-12-05 10:40:00 631,056 -c--a-w C:\WINNT\system32\dllcache\oleaut32.dll
- 2002-08-29 11:14:40 34,816 -c--a-w C:\WINNT\system32\dllcache\pngfilt.dll
+ 2008-04-18 12:55:02 34,816 -c--a-w C:\WINNT\system32\dllcache\PNGFILT.DLL
- 2005-04-08 11:54:36 825,104 -c--a-w C:\WINNT\system32\dllcache\quartz.dll
+ 2008-04-30 07:03:14 791,824 -c--a-w C:\WINNT\system32\dllcache\quartz.dll
- 2005-04-08 11:54:30 477,968 -c--a-w C:\WINNT\system32\dllcache\rpcrt4.dll
+ 2007-07-17 06:42:52 439,056 -c--a-w C:\WINNT\system32\dllcache\rpcrt4.dll
- 2004-01-21 20:15:50 1,339,904 -c--a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
+ 2008-04-18 13:00:12 1,340,416 -c--a-w C:\WINNT\system32\dllcache\SHDOCVW.DLL
- 2005-09-12 04:00:34 409,088 -c--a-w C:\WINNT\system32\dllcache\shlwapi.dll
+ 2008-04-18 13:00:00 402,944 -c--a-w C:\WINNT\system32\dllcache\SHLWAPI.DLL
- 2005-05-12 10:25:02 320,176 -c--a-w C:\WINNT\system32\dllcache\tcpip.sys
+ 2008-06-18 10:05:06 320,528 -c--a-w C:\WINNT\system32\dllcache\tcpip.sys
- 2003-07-14 12:00:00 33,552 -c--a-w C:\WINNT\system32\dllcache\tifflt.dll
+ 2007-08-17 06:48:22 33,552 -c--a-w C:\WINNT\system32\dllcache\tifflt.dll
- 2004-01-21 20:20:40 484,352 -c--a-w C:\WINNT\system32\dllcache\URLMON.DLL
+ 2008-04-18 12:55:22 462,848 -c--a-w C:\WINNT\system32\dllcache\URLMON.DLL
- 2002-02-26 19:58:06 462,906 -c--a-w C:\WINNT\system32\dllcache\vbscript.dll
+ 2008-01-05 07:05:56 401,408 -c--a-w C:\WINNT\system32\dllcache\vbscript.dll
- 2003-03-03 20:57:20 42,496 -c--a-w C:\WINNT\system32\dllcache\wab.exe
+ 2007-08-19 21:55:20 42,496 -c--a-w C:\WINNT\system32\dllcache\WAB.EXE
- 2004-06-24 19:54:44 463,360 -c--a-w C:\WINNT\system32\dllcache\wab32.dll
+ 2007-08-19 21:55:20 465,920 -c--a-w C:\WINNT\system32\dllcache\WAB32.DLL
- 2003-03-03 20:57:18 30,208 -c--a-w C:\WINNT\system32\dllcache\wabfind.dll
+ 2007-08-19 21:55:22 30,208 -c--a-w C:\WINNT\system32\dllcache\WABFIND.DLL
- 2003-03-03 20:57:20 77,824 -c--a-w C:\WINNT\system32\dllcache\wabimp.dll
+ 2007-08-19 21:55:18 77,824 -c--a-w C:\WINNT\system32\dllcache\WABIMP.DLL
- 2003-03-03 20:57:18 27,648 -c--a-w C:\WINNT\system32\dllcache\wabmig.exe
+ 2007-08-19 21:55:16 27,648 -c--a-w C:\WINNT\system32\dllcache\WABMIG.EXE
- 2007-03-06 06:12:21 1,641,936 -c----w C:\WINNT\system32\dllcache\win32k.sys
+ 2008-03-19 09:26:34 1,644,080 -c----w C:\WINNT\system32\dllcache\win32k.sys
- 2004-02-06 22:05:06 588,288 -c--a-w C:\WINNT\system32\dllcache\WININET.DLL
+ 2008-04-18 12:55:26 575,488 -c--a-w C:\WINNT\system32\dllcache\WININET.DLL
- 2006-07-06 11:45:32 137,488 ----a-w C:\WINNT\system32\dnsapi.dll
+ 2008-06-25 09:41:54 137,488 ----a-w C:\WINNT\system32\dnsapi.dll
- 2006-07-06 11:45:32 96,528 ----a-w C:\WINNT\system32\dnsrslvr.dll
+ 2008-02-15 13:24:10 96,528 ----a-w C:\WINNT\system32\dnsrslvr.dll
- 2005-04-21 08:03:08 127,568 ----a-w C:\WINNT\system32\drivers\AFD.SYS
+ 2008-05-08 08:38:06 119,152 ----a-w C:\WINNT\system32\drivers\AFD.SYS
- 2005-04-14 06:59:02 136,880 ------w C:\WINNT\system32\drivers\fltmgr.sys
+ 2006-08-22 16:48:40 136,912 ------w C:\WINNT\system32\drivers\fltmgr.sys
- 2002-08-29 11:14:40 351,232 ----a-w C:\WINNT\system32\dxtmsft.dll
+ 2008-04-18 12:54:54 351,744 ----a-w C:\WINNT\system32\DXTMSFT.DLL
- 2002-08-29 11:14:40 187,392 ----a-w C:\WINNT\system32\dxtrans.dll
+ 2008-04-18 12:54:52 192,512 ----a-w C:\WINNT\system32\DXTRANS.DLL
- 2008-07-23 14:54:49 151,584 ----a-w C:\WINNT\system32\FNTCACHE.DAT
+ 2008-07-24 21:55:52 151,584 ----a-w C:\WINNT\system32\FNTCACHE.DAT
- 2007-03-06 11:17:46 235,280 ----a-w C:\WINNT\system32\GDI32.DLL
+ 2008-02-19 17:08:58 236,304 ----a-w C:\WINNT\system32\GDI32.DLL
- 2002-08-29 11:14:40 231,424 ----a-w C:\WINNT\system32\iepeers.dll
+ 2008-04-18 12:55:04 236,032 ----a-w C:\WINNT\system32\IEPEERS.DLL
- 2004-06-07 18:19:46 596,480 ----a-w C:\WINNT\system32\INETCOMM.DLL
+ 2007-08-19 21:55:32 596,992 ----a-w C:\WINNT\system32\INETCOMM.DLL
- 2002-10-11 19:08:36 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
+ 2007-08-19 21:55:26 47,616 ----a-w C:\WINNT\system32\INETRES.DLL
- 2002-08-29 11:14:40 69,632 ----a-w C:\WINNT\system32\inseng.dll
+ 2008-04-18 12:55:08 69,632 ----a-w C:\WINNT\system32\INSENG.DLL
- 2003-07-14 12:00:00 38,160 ----a-w C:\WINNT\system32\jpeg2x32.dll
+ 2007-08-17 06:48:22 39,184 ----a-w C:\WINNT\system32\jpeg2x32.dll
- 2003-01-13 18:57:58 589,881 ----a-w C:\WINNT\system32\jscript.dll
+ 2008-01-05 07:05:56 458,752 ----a-w C:\WINNT\system32\jscript.dll
- 2002-08-29 11:14:40 12,288 ----a-w C:\WINNT\system32\jsproxy.dll
+ 2008-04-18 12:55:22 12,288 ----a-w C:\WINNT\system32\JSPROXY.DLL
- 2006-08-16 14:28:16 513,808 ----a-w C:\WINNT\system32\LSASRV.DLL
+ 2007-10-16 11:34:39 513,808 ----a-w C:\WINNT\system32\LSASRV.DLL
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINNT\system32\Macromed\Flash\FlashUtil9f.exe
- 2008-02-01 20:11:47 74,649 ----a-w C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-07-25 20:52:00 74,649 ----a-w C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-06-25 13:15:48 17,972,344 ----a-w C:\WINNT\system32\MRT.exe
- 2003-09-27 01:12:47 512,272 ----a-w C:\WINNT\system32\msexch40.dll
+ 2008-03-27 07:00:47 518,944 ----a-w C:\WINNT\system32\msexch40.dll
- 2004-07-20 02:56:40 319,760 ----a-w C:\WINNT\system32\msexcl40.dll
+ 2008-03-27 07:00:52 326,432 ----a-w C:\WINNT\system32\msexcl40.dll
- 2004-01-21 20:19:24 2,795,520 ----a-w C:\WINNT\system32\MSHTML.DLL
+ 2008-04-18 12:54:58 2,705,408 ----a-w C:\WINNT\system32\MSHTML.DLL
- 2003-03-03 20:57:20 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
+ 2007-08-19 21:52:36 44,032 ----a-w C:\WINNT\system32\MSIDENT.DLL
- 2004-07-20 02:56:44 1,507,600 ----a-w C:\WINNT\system32\msjet40.dll
+ 2008-03-27 07:01:34 1,516,568 ----a-w C:\WINNT\system32\msjet40.dll
- 2004-02-18 00:26:43 352,528 ----a-w C:\WINNT\system32\msjetoledb40.dll
+ 2008-03-27 07:02:34 355,112 ----a-w C:\WINNT\system32\msjetoledb40.dll
- 2003-09-27 01:12:53 151,824 ----a-w C:\WINNT\system32\msjint40.dll
+ 2008-03-27 07:13:31 151,583 ----a-w C:\WINNT\system32\msjint40.dll
- 2003-09-27 01:12:53 53,520 ----a-w C:\WINNT\system32\msjter40.dll
+ 2008-03-27 07:02:57 60,192 ----a-w C:\WINNT\system32\msjter40.dll
- 2004-07-20 02:56:46 241,936 ----a-w C:\WINNT\system32\msjtes40.dll
+ 2008-03-27 07:03:05 248,608 ----a-w C:\WINNT\system32\msjtes40.dll
- 2003-09-27 01:12:54 213,264 ----a-w C:\WINNT\system32\msltus40.dll
+ 2008-03-27 07:03:25 219,936 ----a-w C:\WINNT\system32\msltus40.dll
- 2003-03-03 20:57:20 228,864 ----a-w C:\WINNT\system32\MSOEACCT.DLL
+ 2007-08-19 21:55:14 229,376 ----a-w C:\WINNT\system32\MSOEACCT.DLL
- 2003-03-03 20:57:18 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
+ 2007-08-19 21:55:10 91,136 ----a-w C:\WINNT\system32\MSOERT2.DLL
- 2004-07-20 02:56:46 348,432 ----a-w C:\WINNT\system32\mspbde40.dll
+ 2008-03-27 07:03:43 355,104 ----a-w C:\WINNT\system32\mspbde40.dll
- 2002-08-29 11:14:40 132,096 ----a-w C:\WINNT\system32\msrating.dll
+ 2008-04-18 13:00:44 132,096 ----a-w C:\WINNT\system32\MSRATING.DLL
- 2003-09-27 01:12:56 422,160 ----a-w C:\WINNT\system32\msrd2x40.dll
+ 2008-03-27 07:04:07 432,928 ----a-w C:\WINNT\system32\msrd2x40.dll
- 2003-09-27 01:12:57 315,664 ----a-w C:\WINNT\system32\msrd3x40.dll
+ 2008-03-27 07:04:27 322,336 ----a-w C:\WINNT\system32\msrd3x40.dll
- 2004-07-20 02:56:48 553,232 ----a-w C:\WINNT\system32\msrepl40.dll
+ 2008-03-27 07:04:57 559,904 ----a-w C:\WINNT\system32\msrepl40.dll
- 2004-10-26 14:52:16 258,320 ----a-w C:\WINNT\system32\mstext40.dll
+ 2008-03-27 07:05:21 264,992 ----a-w C:\WINNT\system32\mstext40.dll
- 2002-08-29 11:14:40 496,128 ----a-w C:\WINNT\system32\mstime.dll
+ 2008-04-18 12:54:48 498,176 ----a-w C:\WINNT\system32\MSTIME.DLL
- 2003-09-27 01:13:00 831,760 ----a-w C:\WINNT\system32\mswdat10.dll
+ 2008-03-27 07:05:38 838,432 ----a-w C:\WINNT\system32\mswdat10.dll
- 2003-09-27 01:13:01 614,672 ----a-w C:\WINNT\system32\mswstr10.dll
+ 2008-03-27 07:05:51 621,344 ----a-w C:\WINNT\system32\mswstr10.dll
- 2004-07-20 02:56:28 348,432 ----a-w C:\WINNT\system32\msxbde40.dll
+ 2008-03-27 07:06:00 355,104 ----a-w C:\WINNT\system32\msxbde40.dll
- 2003-07-14 12:00:00 444,176 ----a-w C:\WINNT\system32\oieng400.dll
+ 2007-08-17 06:48:22 448,272 ----a-w C:\WINNT\system32\oieng400.dll
- 2003-07-14 12:00:00 626,960 ------w C:\WINNT\system32\oleaut32.dll
+ 2007-12-05 10:40:00 631,056 ------w C:\WINNT\system32\OLEAUT32.DLL
- 2002-08-29 11:14:40 34,816 ----a-w C:\WINNT\system32\pngfilt.dll
+ 2008-04-18 12:55:02 34,816 ----a-w C:\WINNT\system32\PNGFILT.DLL
- 2005-04-08 11:54:30 477,968 ----a-w C:\WINNT\system32\rpcrt4.dll
+ 2007-07-17 06:42:52 439,056 ----a-w C:\WINNT\system32\rpcrt4.dll
- 2003-07-14 12:00:00 159,504 ----a-w C:\WINNT\system32\Setup\msmqocm.dll
+ 2007-10-17 07:22:06 159,504 ----a-w C:\WINNT\system32\Setup\msmqocm.dll
- 2004-01-21 20:15:50 1,339,904 ----a-w C:\WINNT\system32\SHDOCVW.DLL
+ 2008-04-18 13:00:12 1,340,416 ----a-w C:\WINNT\system32\SHDOCVW.DLL
- 2005-09-12 04:00:34 409,088 ----a-w C:\WINNT\system32\shlwapi.dll
+ 2008-04-18 13:00:00 402,944 ----a-w C:\WINNT\system32\SHLWAPI.DLL
- 2007-06-25 16:28:20 13,536 ------w C:\WINNT\system32\spmsg.dll
+ 2008-06-25 20:01:52 13,536 ------w C:\WINNT\system32\spmsg.dll
- 2003-07-14 12:00:00 33,552 ----a-w C:\WINNT\system32\tifflt.dll
+ 2007-08-17 06:48:22 33,552 ----a-w C:\WINNT\system32\tifflt.dll
- 2004-01-21 20:20:40 484,352 ----a-w C:\WINNT\system32\URLMON.DLL
+ 2008-04-18 12:55:22 462,848 ----a-w C:\WINNT\system32\URLMON.DLL
- 2002-02-26 19:58:06 462,906 ------w C:\WINNT\system32\vbscript.dll
+ 2008-01-05 07:05:56 401,408 ------w C:\WINNT\system32\vbscript.dll
- 2007-03-06 06:12:21 1,641,936 ----a-w C:\WINNT\system32\WIN32K.SYS
+ 2008-03-19 09:26:34 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
- 2004-02-06 22:05:06 588,288 ----a-w C:\WINNT\system32\WININET.DLL
+ 2008-04-18 12:55:26 575,488 ----a-w C:\WINNT\system32\WININET.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [05-07-06 09:36 100056]
"AppCon"="C:\Program Files\Vital\POS2000\BIN\vAppCon.exe" [06-07-30 15:56 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [08-06-10 04:27 144784]
"Synchronization Manager"="mobsync.exe" [03-07-14 08:00 111376 C:\WINNT\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [08-07-07 10:27 2115728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-07-14 08:00 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - C:\MSSQL7\Binn\sqlmangr.exe [2007-02-07 13:34:37 110592]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2008-04-28 11:20:00 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R0 idebd;idebd;C:\WINNT\system32\DRIVERS\idebd.sys [00-05-30 00:00 ]
R0 IntelATA;IntelATA;C:\WINNT\system32\DRIVERS\intelata.sys [00-05-30 00:00 ]
R0 nlemsql;NLEMSQL;C:\WINNT\system32\drivers\nlemsql.sys [05-09-23 13:14 ]
R1 aswSP;avast! Self Protection;C:\WINNT\system32\drivers\aswSP.sys [08-07-19 10:35 ]
R1 cmosa;cmosa;C:\WINNT\system32\drivers\cmosa.sys [00-05-08 20:50 ]
R2 aswFsBlk;aswFsBlk;C:\WINNT\system32\DRIVERS\aswFsBlk.sys [08-07-19 10:37 ]
R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [08-01-17 12:34 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 08:22 ]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 08:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 17:03:10
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINNT\TEMP\mc21.tmp"
.
Completion time: 2008-07-25 17:05:06
ComboFix-quarantined-files.txt 2008-07-25 21:04:59
ComboFix2.txt 2008-07-24 14:44:39

Pre-Run: 36,096,208,896 bytes free
Post-Run: 36,090,310,656 bytes free

441
--------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06, on 2008-07-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\svchost.exe
C:\MSSQL7\binn\sqlservr.exe
C:\MSSQL7\Binn\sqlservr.dll
C:\WINNT\system32\regsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Vital\POS2000\BIN\vAppCon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\CF6638.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AppCon] "C:\Program Files\Vital\POS2000\BIN\vAppCon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216243485675
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://tcgonline.thecomputerguys.com/cryst...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5895 bytes
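
The ComboFix log above records its "Files Created/Changed" snapshot as paired `-` (old) and `+` (new) lines for each path, which is tedious to read by eye when hundreds of dllcache entries are listed. As an added example (not code from the thread, from ComboFix, or from BleepingComputer), here is a small Python parser that pairs those lines by path, separates files that changed from files that only appeared in the newer snapshot, and computes the byte-size delta for changed files. The sample input is a handful of lines copied from the log above, plus the `.` and `-- Snapshot reset --` trailer lines the parser has to skip; the function names are my own.

```python
"""Parse a ComboFix "Files Created/Changed" snapshot diff (added example).

Each entry line looks like:
    - 2003-07-14 12:00:00 87,312 -c--a-w C:\WINNT\system32\dllcache\mqlogmgr.dll
    + 2007-10-17 07:22:06 96,016 -c--a-w C:\WINNT\system32\dllcache\mqlogmgr.dll
A '-' line is the file as it was in the earlier snapshot, a '+' line is the
file as it is now.  A '+' with no matching '-' is a file that did not exist
in the earlier snapshot at all.
"""
import re
from collections import OrderedDict

# sign, date, time, size with thousands separators, attribute flags, path.
# The path is matched lazily so that trailing whitespace is not swallowed;
# paths containing spaces (C:\Program Files\...) still work.
LINE_RE = re.compile(
    r'^(?P<sign>[-+])\s+(?P<date>\d{4}-\d{2}-\d{2})\s+'
    r'(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<size>[\d,]+)\s+'
    r'(?P<attrs>\S+)\s+(?P<path>.+?)\s*$'
)

# Lines copied from the ComboFix log in this thread, plus the trailer
# lines ComboFix prints after the snapshot section.
SAMPLE_LOG = r"""
- 2003-07-14 12:00:00 87,312 -c--a-w C:\WINNT\system32\dllcache\mqlogmgr.dll
+ 2007-10-17 07:22:06 96,016 -c--a-w C:\WINNT\system32\dllcache\mqlogmgr.dll
+ 2007-10-17 07:22:06 8,464 -c----w C:\WINNT\system32\dllcache\mqrperf.dll
- 2005-04-08 10:34:42 102,672 -c--a-w C:\WINNT\system32\dllcache\mqrt.dll
+ 2007-10-17 07:22:06 102,672 -c--a-w C:\WINNT\system32\dllcache\mqrt.dll
+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINNT\system32\Macromed\Flash\FlashUtil9f.exe
.
-- Snapshot reset to current date --
"""


def parse_snapshot(text):
    """Return an ordered {path: {'old': entry, 'new': entry}} map.

    Paths are keyed case-insensitively because the log mixes spellings
    (mshtml.dll in the '-' line, MSHTML.DLL in the '+' line).  Missing
    sides are left as None.  Lines that are not entries are ignored.
    """
    entries = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry['size'] = int(entry['size'].replace(',', ''))
        slot = entries.setdefault(entry['path'].lower(),
                                  {'old': None, 'new': None})
        slot['old' if entry['sign'] == '-' else 'new'] = entry
    return entries


def classify(entries):
    """Bucket paths into 'changed' (both sides), 'added' (+ only), 'removed' (- only)."""
    buckets = {'changed': [], 'added': [], 'removed': []}
    for path, slot in entries.items():
        if slot['old'] and slot['new']:
            buckets['changed'].append(path)
        elif slot['new']:
            buckets['added'].append(path)
        else:
            buckets['removed'].append(path)
    return buckets


def size_deltas(entries):
    """Byte-size difference (new minus old) for every path present in both snapshots."""
    return {path: slot['new']['size'] - slot['old']['size']
            for path, slot in entries.items()
            if slot['old'] and slot['new']}


def summarize(text):
    """Human-readable lines: one per path, grouped by bucket."""
    entries = parse_snapshot(text)
    buckets = classify(entries)
    deltas = size_deltas(entries)
    lines = []
    for path in buckets['changed']:
        lines.append('changed  %+d bytes  %s' % (deltas[path], entries[path]['new']['path']))
    for path in buckets['added']:
        lines.append('added    %s (%s)' % (entries[path]['new']['path'], entries[path]['new']['date']))
    for path in buckets['removed']:
        lines.append('removed  %s' % entries[path]['old']['path'])
    return lines


if __name__ == '__main__':
    print('\n'.join(summarize(SAMPLE_LOG)))
```

Files that show up only as `+` lines deserve a second look when reviewing a log like this: a legitimate update drops new files into dllcache (mqrperf.dll above), but so does malware that plants a replacement driver there, which is what the later Malwarebytes detection of dllcache\beep.sys in this thread illustrates. The size deltas are the quick way to spot a file that was "updated" to something of a very different size.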

#8 Thunder

Posted 25 July 2008 - 04:16 PM

Hello Justme-,

Your logs look fine now. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the following command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Just let me know if you're still having problems.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 justme-

Posted 25 July 2008 - 09:06 PM

Thunder, one more thing: as I mentioned, when I log in as the user "evan" and not the admin, a Malwarebytes scan still comes up with one infection that it tried to remove on reboot and cannot; this infection is not reported when logged into the machine as admin. Also, I get the "Windows is low on virtual memory" popup during the scan only as Evan, which was an initial symptom the user had reported to me when I discovered the infections.
I tried running HijackThis as Evan as well and it did run, but said the hosts file was locked.
I have full remote access to the machine and will check back with you over the weekend.
Here is the Malwarebytes log, logged in as Evan:
-----------------------------------------------------------------
Malwarebytes' Anti-Malware 1.22
Database version: 979
Windows 5.0.2195 Service Pack 4

9:07:57 PM 7/25/2008
mbam-log-7-25-2008 (21-07-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 40382
Time elapsed: 7 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.

#10 Thunder

Posted 26 July 2008 - 02:30 AM

Hello Justme-,

Can you run both HijackThis and MBAM in safe mode from the "Evan" account ?

Greetings,
Thunder

#11 justme-

Posted 28 July 2008 - 12:12 AM

Just rebooted in safe mode, logged in as Evan; here are the logs. Same issues: hosts file locked for HijackThis and fake beep in the MBAM log.
------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:33 AM, on 7/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AppCon] "C:\Program Files\Vital\POS2000\BIN\vAppCon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Aarr] "C:\WINNT\PPPATC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [wfrm] C:\PROGRA~1\COMMON~1\wfrm\wfrmm.exe
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216243485675
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://tcgonline.thecomputerguys.com/cryst...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5450 bytes
-------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.22
Database version: 979
Windows 5.0.2195 Service Pack 4

1:10:00 AM 7/28/2008
mbam-log-7-28-2008 (01-09-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 40098
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.

#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:04 AM

Posted 28 July 2008 - 04:25 AM

Hello Justme-,

Can you upload C:\Program Files\Common Files\wfrm\wfrm.exe to :

http://www.bleepingcomputer.com/submit-malware.php?channel=9

How? :
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/t/158935/2-trojan-downloaders-virtumonde-and-possibly-more/
2. In the second window (Browse to the file you want to submit:) browse to C:\Program Files\Common Files\wfrm\wfrm.exe
3. Click the Send file button :thumbsup:

Then, start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:

O4 - HKCU\..\Run: [Aarr] "C:\WINNT\PPPATC~1\arpa.exe" -vt yazb
O4 - HKCU\..\Run: [wfrm] C:\PROGRA~1\COMMON~1\wfrm\wfrmm.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please go to VirusTotal,
copy and paste: C:\WINNT\system32\dllcache\beep.sys
in the input window and submit the file for a scan.
Post the results in your next reply please.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------

#13 justme-

justme-
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:04 AM

Posted 28 July 2008 - 11:38 AM

There is no wfrm.exe file in that directory; in fact there are no executables in that directory.
I ran HJT and fixed those two.
There is no directory called "dllcache" on the computer in the C:\WINNT\system32 folder. Following through the Explorer windows down the tree, there is no directory titled that, and "show hidden files" is selected. Pasting the full path anyway returns a "0 bytes uploaded" message from VirusTotal.

I have rebooted the machine and rerun MBAM and HJT. MBAM still shows it; nothing changed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:21 PM, on 7/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Vital\POS2000\BIN\vAppCon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AppCon] "C:\Program Files\Vital\POS2000\BIN\vAppCon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216243485675
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - https://tcgonline.thecomputerguys.com/cryst...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O17 - HKLM\System\CS2\Services\Tcpip\..\{16A92550-0A14-41AC-9D17-E10AF0C7FE2D}: NameServer = 207.172.3.8,207.172.3.9
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5443 bytes
-------------------------------------------------------------------------------------------------------

#14 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:04 AM

Posted 01 August 2008 - 04:10 AM

Hello Justme-,

There is no directory called "dllcache" on the computer in the C:\WINNT\system32 folder- following through the explorer windows down the tree, there is no directory titled that and show hidden files is selected.

Yes there is, but in order to make it visible, you have to enable "show system files" as well. :thumbsup:
It is possible, however, that MBAM has deleted the C:\WINNT\system32\dllcache\beep.sys file by now.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
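The point Thunder makes above is that Explorer's "show hidden files" option does not reveal entries carrying both the Hidden and System attributes (the combination Windows calls "superhidden"), so a cleanup that relies on Explorer can miss exactly the places malware likes to sit. The following is an added example, not Thunder's or the original poster's code: it decodes the Win32 attribute bits and walks a directory tree listing every superhidden entry. The `st_file_attributes` field it reads exists only on Windows; the decoding and the predicate run anywhere, and the directory name used in the usage line is the one from this thread.

```python
import os
import stat
import sys

# Win32 attribute bits, taken from the standard stat module.
SUPERHIDDEN = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def describe_attributes(attrs: int) -> list:
    """Decode a Win32 attribute bitmask into readable names."""
    names = {
        stat.FILE_ATTRIBUTE_READONLY: "readonly",
        stat.FILE_ATTRIBUTE_HIDDEN: "hidden",
        stat.FILE_ATTRIBUTE_SYSTEM: "system",
        stat.FILE_ATTRIBUTE_DIRECTORY: "directory",
        stat.FILE_ATTRIBUTE_ARCHIVE: "archive",
    }
    return [label for bit, label in names.items() if attrs & bit]


def is_superhidden(attrs: int) -> bool:
    """True when both Hidden and System are set: Explorer hides such entries even
    with 'show hidden files' on, unless 'hide protected operating system files' is off."""
    return attrs & SUPERHIDDEN == SUPERHIDDEN


def find_superhidden(root: str) -> list:
    """Walk root and return every file or directory that is superhidden.
    Windows only: os.lstat(...).st_file_attributes is not present elsewhere."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                attrs = os.lstat(path).st_file_attributes
            except (OSError, AttributeError):
                continue  # unreadable entry, or not running on Windows
            if is_superhidden(attrs):
                hits.append(path)
    return hits


if __name__ == "__main__":
    # Usage on the machine from this thread: python superhidden.py C:\WINNT\system32
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in find_superhidden(root):
        attrs = os.lstat(path).st_file_attributes
        print(path, "->", ", ".join(describe_attributes(attrs)))
```

Run it as Administrator so the walk can enter protected directories; an entry that shows up here but is invisible in Explorer is the "superhidden" case Thunder describes.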

#15 justme-

justme-
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:04 AM

Posted 01 August 2008 - 10:46 AM

Thunder,
There is no "show system files" setting in Win 2000, but I found it (called superhidden).
Just relogged in as Admin; I have access to the dllcache folder.
MBAM is unable to remove this; it keeps saying it needs to restart to delete the file, and the file keeps coming up.

I've been thinking about rerunning combofix as the user instead of admin to see if it picks up the same thing. I really don't want to, but at this rate a low level format and OS reinstall seem to be in the future.

Virus total report-

File beep.sys received on 08.01.2008 17:40:29 (CET)


Result: 0/35 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.08.01 -
BitDefender 7.2 2008.08.01 -
CAT-QuickHeal 9.50 2008.08.01 -
ClamAV 0.93.1 2008.08.01 -
DrWeb 4.44.0.09170 2008.08.01 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.6001 2008.08.01 -
Ewido 4.0 2008.08.01 -
F-Prot 4.4.4.56 2008.07.31 -
Fortinet 3.14.0.0 2008.08.01 -
GData 2.0.7306.1023 2008.08.01 -
Ikarus T3.1.1.34.0 2008.08.01 -
K7AntiVirus 7.10.399 2008.07.31 -
Kaspersky 7.0.0.125 2008.08.01 -
McAfee 5351 2008.07.31 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3317 2008.08.01 -
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.01 -
PCTools 4.4.2.0 2008.08.01 -
Prevx1 V2 2008.08.01 -
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.01 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.01 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.01 -
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.08.01 -
Webwasher-Gateway 6.6.2 2008.08.01 -
Additional information
File size: 4080 bytes
MD5...: df012c2853281ce2bf536e8de871c8c1
SHA1..: 74b8f55e1d6063ebdb12e80e0eed16592954d5cf
SHA256: cb9e7eae3e4a14c49eb9fd2aaf44daa990be994ccc1562a8320b69e71e8ebf10
SHA512: 0bf2c7ccbdda9afe0a3b3752f7f1c2b98ae0bbeb130e7263969aca3c757e3242a7e00be84646a28a08359e0c601c817e1b33d59d70441be09e1c765efdece98b
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1029a
timedatestamp.....: 0x380e3fd3 (Wed Oct 20 22:18:59 1999)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x280 0x438 0x440 5.86 782fb9bd7f2349fedcee4a9271ad940d
.rdata 0x6c0 0xe0 0xe0 2.85 54a9a8a75fbd0ce80b73c50c02504631
INIT 0x7a0 0x2d6 0x2e0 4.89 69f58d1b16b71cba64e386cdc2901eb8
.rsrc 0xa80 0x3a0 0x3a0 3.37 1693b976a4d65a442d8c3dfd8b186762
.reloc 0xe20 0xae 0xc0 3.95 80872c842e81072958476f9a34067482

( 2 imports )
> ntoskrnl.exe: RtlInitUnicodeString, KeRemoveEntryDeviceQueue, InterlockedExchange, KeRemoveDeviceQueue, IoAcquireCancelSpinLock, IoStartPacket, MmLockPagableDataSection, IofCompleteRequest, IoReleaseCancelSpinLock, MmUnlockPagableImageSection, IoStartNextPacket, KeSetTimer, InterlockedIncrement, _allmul, IoDeleteDevice, IoCreateDevice, KeInitializeDpc, KeInitializeTimer, KeInitializeEvent, InterlockedDecrement, KeCancelTimer
> HAL.dll: ExAcquireFastMutex, ExReleaseFastMutex, KfRaiseIrql, KfLowerIrql, HalMakeBeep

( 0 exports )




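The VirusTotal report above is 0/35 on signatures, so what is left to judge the file on is the "base data" and section table it printed (entry point, link timestamp, machine type, per-section size, entropy and MD5) plus the import list, which for a beep driver should include HalMakeBeep. The script below is an added example, not VirusTotal's or the poster's code: it computes those same fields from a local copy of a file so they can be compared line by line with the report, and it flags whether the name HalMakeBeep appears in the file. The sample image it builds when run without arguments is constructed for this example; only its link timestamp is copied from the report, everything else is made up. The HalMakeBeep check is a byte search for the NUL-terminated name, not a walk of the import directory.

```python
import hashlib
import math
import struct
import sys
import time


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the measure behind VirusTotal's 'ntrpy' column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, optional header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10b = PE32, 0x20b = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": machine,                               # 0x14c = I386
        "pe32plus": magic == 0x20B,
        "entrypoint": entry,
        "timestamp": timestamp,
        "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp)),
        "sections": sections,
    }


def mentions_import(data: bytes, name: bytes) -> bool:
    """Heuristic only: imported names sit as NUL-terminated ASCII in the hint/name
    table, so a byte search finds them without walking the import directory."""
    return name + b"\0" in data


def build_sample_pe() -> bytes:
    """Constructed PE32 image (NOT the real beep.sys) so the parser runs offline.
    Timestamp 0x380e3fd3 is the one the VirusTotal report shows; the rest is invented."""
    secs = [(b".text", 0x1000, b"\xc3" * 0x40),
            (b".rdata", 0x2000, bytes(range(0x20))),
            (b"INIT", 0x3000, b"HalMakeBeep\0")]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x380E3FD3, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * (0xE0 - 20)
    table, blobs, raw_ptr = b"", b"", 0x200
    for name, va, blob in secs:
        table += struct.pack("<8sIIIIIIHHI", name, len(blob), va, len(blob), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        blobs += blob
        raw_ptr += len(blob)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0") + blobs


if __name__ == "__main__":
    # Usage: python pe_basedata.py C:\WINNT\system32\dllcache\beep.sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(data)
    for key in ("md5", "sha1", "sha256", "machine", "entrypoint", "timestamp_utc"):
        val = info[key]
        print(f"{key:14}: {val:#x}" if isinstance(val, int) else f"{key:14}: {val}")
    print("name     viradd  virsiz  rawdsiz ntrpy  md5")
    for s in info["sections"]:
        print(f"{s['name']:8} {s['viradd']:#07x} {s['virsiz']:#07x} "
              f"{s['rawdsiz']:#07x} {s['ntrpy']:5.2f}  {s['md5']}")
    print("mentions HalMakeBeep:", mentions_import(data, b"HalMakeBeep"))
```

If the hashes and section MD5s printed for the local file match the report, the file VirusTotal saw is the one on disk; a mismatch means a different file was uploaded or the file has changed since, which matters here because MBAM reports the file coming back after every restart.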


