Start > Run > cmd = nothing...


  • This topic is locked
18 replies to this topic

#1 Knight488

  • Members
  • 13 posts

Posted 06 May 2009 - 02:51 PM

A few days ago I noticed when I'd search on Google, the links I'd click would redirect me to ad sites. So I started with the AV scanning and Spybot etc. etc. And it seems to be okay, but there are other problems I didn't notice before. Many programs that load things from the internet are no longer working. Like my MSN client no longer can connect, World of Warcraft loading screen no longer loads / shows content ("Unable to contact server"). Then I noticed I can no longer bring up the DOS box... AV and spyware detectors are out of things to find and I'm at a loss. So for a start here's the HJT log. Thanks in advance.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:24:20, on 06/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Propriétaire\Bureau\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: VirtualCamera IEMenu Class - {0246A1A7-820A-469A-85A7-7B7F01EB808C} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-21-368770998-2887171289-4059212430-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'boinc_master')
O4 - S-1-5-21-368770998-2887171289-4059212430-1009 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'boinc_master')
O4 - S-1-5-21-368770998-2887171289-4059212430-1009 User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'boinc_master')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C013924D-509A-4739-87CF-59B76746FCDC}: NameServer = 212.27.40.240,212.27.40.241
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9597 bytes
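As an added example (my code, not HijackThis and not anything posted in this thread), here is a small triage pass over lines in the HijackThis 2.0.2 log format shown above. The input is a constructed sample: a few lines in the same format, most copied from the posted log, plus one constructed O4 autorun launched from a Temp folder to exercise the check. It pulls out the three things a helper usually reads first: O2/O3 COM registrations whose DLL is gone ("(no file)"), O4 autoruns that start from user-writable folders, and the O17 DNS servers so they can be compared with the ISP's. Every flag is a prompt to look, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input in HijackThis 2.0.2 log format. Most lines are
# copied from the log posted above; the O4 entry launching from a Temp folder
# is constructed to exercise the check and is NOT from the poster's machine.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C013924D-509A-4739-87CF-59B76746FCDC}: NameServer = 212.27.40.240,212.27.40.241
"""


@dataclass
class Finding:
    category: str   # "orphaned-bho", "autorun-user-writable" or "dns-servers"
    detail: str


# "O2 - BHO: name - {CLSID} - path", "O4 - HKLM\..\Run: [name] command", ...
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
COM_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)\s*$")

# Folders a user can write to without admin rights on XP. An autorun living
# here is not necessarily bad, but it is where a helper looks first.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_entries(text):
    """Yield (kind, body) for every line that looks like an HJT entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(text):
    """Return the findings a helper would want to see first, in log order."""
    findings = []
    for kind, body in parse_entries(text):
        if kind in ("O2", "O3"):
            m = COM_RE.match(body)
            if m and m.group("path").strip().lower() == "(no file)":
                findings.append(Finding("orphaned-bho",
                                        f"{kind} {m.group('clsid')} is registered but its DLL is missing"))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if m and any(tag in m.group("cmd").lower() for tag in USER_WRITABLE):
                findings.append(Finding("autorun-user-writable",
                                        f"[{m.group('name')}] {m.group('cmd')}"))
        elif kind == "O17":
            m = NS_RE.search(body)
            if m:
                findings.append(Finding("dns-servers", m.group("servers")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:24} {f.detail}")
```

Orphaned O2/O3 entries are leftovers rather than active code, which is why helpers treat them as clean-up items; the O17 servers are reported as data, because only a comparison with the servers the ISP actually hands out says whether they are right.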



#2 Farbar

    Just Curious

  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 May 2009 - 04:13 PM

Hi Knight488,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • We need to go to the registry; tell me if you are not comfortable with it, and then we will download a tool to do this.
    • Go to C:\Windows folder and find regedit.exe then rename it to copy.exe (to do that right-click regedit32.exe and select rename).
    • Double-click copy.exe to run it. The registry editor opens.
    • In the left pane navigate to the following sub-key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    • Highlight Drivers32 sub-key and under File menu select Export...
    • Give a name like drivers32 and save the file to the desktop. You get driver32.reg on the desktop.
    • Right-click driver32.reg and select Edit to open it and post the content in your reply. Delete driver32.reg from your computer.
  • Please make a program list with HijackThis:
    • Open HijackThis and click Open the Misc Tools section.
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.


#3 Knight488
  • Topic Starter

  • Members
  • 13 posts

Posted 07 May 2009 - 07:28 AM

Hello Farbar, thanks for your reply. Here's the info you requested.

----------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
"VIDC.FPS1"="frapsvid.dll"
"msacm.lhacm"="lhacm.acm"
"VIDC.MSUD"="msulvc06.dll"
"VIDC.SCLS"="SCLS.dll"
"msacm.siren"="sirenacm.dll"
"msacm.voxacm160"="vct3216.acm"
"msacm.scg726"="scg726.acm"
"msacm.alf2cd"="alf2cd.acm"
"msacm.ac3acm"="AC3ACM.acm"
"vidc.dvsd"="mcdvd_32.dll"
"vidc.DIVX"="DivX.dll"
"vidc.mpg4"="mpg4c32.dll"
"vidc.mp42"="mpg4c32.dll"
"vidc.mp43"="mpg4c32.dll"
"VIDC.AP41"="APmpg4v1.dll"
"vidc.ffds"="C:\\PROGRA~1\\COMBIN~1\\Filters\\FFDShow\\ff_vfw.dll"
"vidc.XVID"="xvidvfw.dll"
"msacm.l3codecp"=""
"MSVideo8"="VfWWDM32.dll"
"MSVideo"="vfwwdm32.dll"
"aux"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave"="wdmaud.drv"
"aux1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"wave1"="wdmaud.drv"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"mixer"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

----------------------------------------------------------

Uninstall list from HJT:

7-Zip 4.61 beta
ACID Pro 7.0
Ad-Aware
Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop 7.0
Adobe Reader 7.0.5 - Français
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced System Optimizer
Amélioration de nos services
AnalogX MaxMem
Apple Software Update
ATITool Overclocking Utility
avast! Antivirus
AVS DVD Player version 2.4
AVS4YOU Software Navigator 1.2
BitRule v1
BOINC
Call of Duty® - World at War™
CCleaner (remove only)
Choice Guard
Combined Community Codec Pack 2008-09-21 16:18
Correctif pour Windows XP (KB942288-v3)
Correctif pour Windows XP (KB952287)
Correctif pour Windows XP (KB961118)
Counter-Strike: Source
CPUFSB (remove only)
Creative PC-CAM Center
Creative WebCam Monitor
Curse Client
Day of Defeat
DebugMode Wax 2.0
Diskeeper 2008 Pro Premier
DVD43 v4.4.0
Enhanced Multimedia Keyboard Solution
ffdshow [rev 1028] [2007-03-13]
FileZilla Client 3.2.2.1
FLV Player 2.0 (build 25)
Fraps (remove only)
GameSpy 3D
GameSpy Arcade
Golem Screen Saver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Gretech Video Decoder
GRL RealHidden 1.0
Half-Life 2
Heretic II
High Definition Audio - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Windows Media Format 11 SDK (KB929399)
HP Boot Optimizer
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
IceChat 7.63 (Build 20080417)
J2SE Runtime Environment 5.0 Update 5
Java™ 6 Update 11
Java™ 6 Update 4
Java™ 6 Update 7
Languages of the World V4 Disk 1
Lecteur Windows Media 10
Logitech ImageStudio
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
MICRO 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 French Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft SQL Server 2008
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Management Objects
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files (English)
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Works
Miranda IM 0.7.17
Mise à jour de sécurité pour Lecteur Windows Media (KB952069)
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB911565)
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB936782)
Mise à jour de sécurité pour Step by Step Interactive Training (KB923723)
Mise à jour de sécurité pour Windows XP (KB923561)
Mise à jour de sécurité pour Windows XP (KB923689)
Mise à jour de sécurité pour Windows XP (KB938464)
Mise à jour de sécurité pour Windows XP (KB941569)
Mise à jour de sécurité pour Windows XP (KB946648)
Mise à jour de sécurité pour Windows XP (KB950760)
Mise à jour de sécurité pour Windows XP (KB950762)
Mise à jour de sécurité pour Windows XP (KB950974)
Mise à jour de sécurité pour Windows XP (KB951376-v2)
Mise à jour de sécurité pour Windows XP (KB951698)
Mise à jour de sécurité pour Windows XP (KB951748)
Mise à jour de sécurité pour Windows XP (KB952004)
Mise à jour de sécurité pour Windows XP (KB952954)
Mise à jour de sécurité pour Windows XP (KB953838)
Mise à jour de sécurité pour Windows XP (KB953839)
Mise à jour de sécurité pour Windows XP (KB954211)
Mise à jour de sécurité pour Windows XP (KB954459)
Mise à jour de sécurité pour Windows XP (KB954600)
Mise à jour de sécurité pour Windows XP (KB955069)
Mise à jour de sécurité pour Windows XP (KB956390)
Mise à jour de sécurité pour Windows XP (KB956391)
Mise à jour de sécurité pour Windows XP (KB956572)
Mise à jour de sécurité pour Windows XP (KB956802)
Mise à jour de sécurité pour Windows XP (KB956803)
Mise à jour de sécurité pour Windows XP (KB956841)
Mise à jour de sécurité pour Windows XP (KB957095)
Mise à jour de sécurité pour Windows XP (KB957097)
Mise à jour de sécurité pour Windows XP (KB958215)
Mise à jour de sécurité pour Windows XP (KB958644)
Mise à jour de sécurité pour Windows XP (KB958687)
Mise à jour de sécurité pour Windows XP (KB958690)
Mise à jour de sécurité pour Windows XP (KB959426)
Mise à jour de sécurité pour Windows XP (KB960225)
Mise à jour de sécurité pour Windows XP (KB960714)
Mise à jour de sécurité pour Windows XP (KB960715)
Mise à jour de sécurité pour Windows XP (KB960803)
Mise à jour de sécurité pour Windows XP (KB961373)
Mise à jour de sécurité pour Windows XP (KB963027)
Mise à jour pour Windows XP (KB898461)
Mise à jour pour Windows XP (KB942763)
Mise à jour pour Windows XP (KB951072-v2)
Mise à jour pour Windows XP (KB951978)
Mise à jour pour Windows XP (KB955839)
Mise à jour pour Windows XP (KB967715)
MobMap 3.03
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.21)
MSN
MSU Screen Capture Lossless Codec v1.2 (Remove Only)
MSUlvc06 Lossless Video Codec 0.6.0 (Remove Only)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Neebly
NVIDIA Drivers
NVIDIA PhysX
OpenOffice.org 3.0
Orbit Downloader
particleIllusion 3.0
PC Inspector File Recovery
PC-Doctor 5 for Windows
PDF Settings
PowerCinema
PowerISO
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
Realtek High Definition Audio Driver
Requiem
Revo Uninstaller 1.80
RivaTuner v2.20
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Save Flash 4.1
ScreenCamera
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Segoe UI
SETI@home-MapView v6.54
Skype™ 3.8
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Vegas Pro 8.0
Spybot - Search & Destroy
SpywareBlaster 4.2
Sql Server Customer Experience Improvement Program
SQL Server System CLR Types
Steam
Team Fortress Classic
TeamSpeak 2 RC2
Ventrilo Client
VideoLAN VLC media player 0.8.6i
VL Transitions and Effects Presets
Winamp
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Presentation Foundation
Windows XP Service Pack 3
WinHTTrack Website Copier 3.43-2
WinRAR archiver
World of Warcraft
Xvid 1.2.1 final uninstall

----------------------------------------------------------
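Farbar asks for the Drivers32 key without saying why. The DLLs named there are loaded by the Windows multimedia subsystem into any process that uses it, so a rewritten mapper entry is a quiet way to get a DLL loaded, and a helper wants to see every value. As an added example (my code, not Farbar's, and not a tool from this thread), here is a parser for the .reg export format posted above, run over a constructed sample modelled on that export. It compares the core mapper entries with their Windows XP defaults (the defaults are from my own knowledge of XP, not from the page; the poster's export matches all of them) and flags any value that names a DLL by full path outside System32. The `example_mapper.dll` line is constructed to exercise the check and does not appear in the poster's export.

```python
import re

# Windows XP defaults for the core multimedia mapper entries under Drivers32.
# From my own knowledge of XP, not from the thread; the export posted above
# happens to match every one of them.
XP_DEFAULTS = {
    "midimapper": "midimap.dll",
    "wavemapper": "msacm32.drv",
    "aux": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "msvideo": "vfwwdm32.dll",
}

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Constructed sample export, modelled on the one posted above. The "wave"
# line marked below is a constructed deviation to exercise the check; the
# poster's real export has "wave"="wdmaud.drv".
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"vidc.cvid"="iccvid.dll"
"wavemapper"="msacm32.drv"
"msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.ffds"="C:\\PROGRA~1\\COMBIN~1\\Filters\\FFDShow\\ff_vfw.dll"
"msacm.l3codecp"=""
"MSVideo"="vfwwdm32.dll"
"aux"="wdmaud.drv"
; constructed deviation, not from the poster's export:
"wave"="C:\\WINDOWS\\system32\\example_mapper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')


def unescape(raw):
    """Decode a .reg string value: strip the quotes and undo the \\\\ and \\" escapes."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    return raw  # dword:..., hex:... and other non-string data are kept verbatim


def parse_reg(text):
    """Return {key: {value_name: value}} for a 'Windows Registry Editor Version 5.00' export."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = tree.setdefault(m.group("key"), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:  # comment lines (';') and the header never match
            current[m.group("name")] = unescape(m.group("raw"))
    return tree


def triage_drivers32(text):
    """Flag mapper entries that differ from the XP defaults and full paths outside System32.

    Only the Drivers32 key itself is checked; the Terminal Server\\RDP subkey
    legitimately maps wave/mixer to rdpsnd.dll and must not be confused with it.
    """
    findings = []
    for name, value in parse_reg(text).get(DRIVERS32, {}).items():
        if value == "":
            continue
        lname, lvalue = name.lower(), value.lower()
        if lname in XP_DEFAULTS and lvalue != XP_DEFAULTS[lname]:
            findings.append(("mapper-changed", name, value))
        elif "\\" in value and not lvalue.startswith(("c:\\windows\\system32\\", "c:\\windows\\system\\")):
            findings.append(("path-outside-system32", name, value))
    return findings


if __name__ == "__main__":
    for category, name, value in triage_drivers32(SAMPLE_REG):
        print(f"{category:22} {name} = {value}")
```

Run against the export actually posted in this thread, the only hit is the `vidc.ffds` entry, which points into an FFDShow folder and corresponds to the ffdshow package listed in the uninstall list above; a hit means "check where this file comes from", not "this is malware". Bare file names such as `msadp32.acm` are resolved through the normal DLL search path, so the check only has an opinion about them when they belong to the mapper entries with known defaults.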

#4 Farbar

    Just Curious

  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 May 2009 - 05:34 PM

  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let it reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


#5 Knight488
  • Topic Starter

  • Members
  • 13 posts

Posted 07 May 2009 - 07:58 PM

Thanks again for your reply and help. ComboFix seems to have fixed all the major issues, like with the programs not being able to connect to the internet, and CMD not working. Also I haven't seen the Google link redirect thing happening again. Here is the log file from ComboFix (sorry, it's the French version of Windows).

--------------------------------------------------

ComboFix 09-05-06.02 - Compaq_Propriétaire 06/05/2009 23:11.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.353.1036.18.2047.1207 [GMT 2:00]
Lancé depuis: c:\documents and settings\Compaq_Propriétaire\Bureau\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090506-0] *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-04-06 au 2009-05-06 ))))))))))))))))))))))))))))))))))))
.

2009-05-06 14:58 . 2009-05-06 14:58 -------- d-----w c:\program files\CCleaner
2009-05-06 14:25 . 2009-05-06 14:25 -------- d-----w c:\documents and settings\LocalService\Bureau
2009-05-06 14:15 . 2009-05-06 14:15 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-06 14:14 . 2009-05-06 14:14 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-06 14:13 . 2009-05-06 14:13 -------- d-----w c:\program files\Lavasoft
2009-05-06 14:13 . 2009-05-06 14:15 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-06 14:02 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 14:02 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 14:02 . 2009-05-06 14:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 14:02 . 2009-05-06 14:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 16:20 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-27 16:20 . 2009-02-09 10:53 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-27 16:20 . 2009-02-09 11:23 111104 ------w c:\windows\system32\dllcache\services.exe
2009-04-27 16:20 . 2009-02-09 10:53 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-27 16:20 . 2009-03-06 14:20 286720 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-27 16:20 . 2009-02-09 10:53 739840 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-27 16:20 . 2009-02-09 10:53 735744 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-27 16:20 . 2009-02-09 10:53 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-27 16:20 . 2009-02-09 10:53 685568 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-27 16:09 . 2009-04-27 16:09 -------- d-----w c:\windows\system32\AGEIA
2009-04-27 16:09 . 2009-04-27 16:09 -------- d-----w c:\program files\AGEIA Technologies
2009-04-26 23:05 . 2008-12-16 12:31 354304 ------w c:\windows\system32\dllcache\winhttp.dll
2009-04-26 23:05 . 2008-04-21 21:15 219136 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-20 05:08 . 2009-04-21 22:47 -------- d-----w C:\downloads
2009-04-20 05:08 . 2009-05-06 17:21 -------- d-----w c:\program files\Orbitdownloader
2009-04-14 08:45 . 2009-04-14 08:45 -------- d-----w c:\program files\Save Flash
2009-04-11 16:06 . 2009-03-09 13:27 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-04-11 16:06 . 2009-03-09 13:27 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-04-11 16:06 . 2009-03-09 13:27 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-04-11 16:06 . 2009-03-16 12:18 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-04-11 16:06 . 2009-03-16 12:18 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-04-11 16:06 . 2009-03-16 12:18 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-04-11 16:05 . 2009-03-16 12:18 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-04-09 10:08 . 2009-04-09 10:08 -------- d-----w c:\program files\MICRO
2009-04-09 10:08 . 2009-04-09 10:08 286720 ------w c:\windows\Setup1.exe
2009-04-09 10:08 . 2009-04-09 10:08 73216 ----a-w c:\windows\ST6UNST.EXE

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 01:31 . 2008-08-02 22:36 -------- d-----w c:\program files\World of Warcraft
2009-05-04 17:58 . 2009-02-25 07:27 -------- d-----w c:\program files\Mozilla Thunderbird
2009-05-04 14:50 . 2004-11-23 14:26 577186 ----a-w c:\windows\system32\perfh00C.dat
2009-05-04 14:50 . 2004-11-23 14:26 109798 ----a-w c:\windows\system32\perfc00C.dat
2009-05-03 12:37 . 2008-08-03 06:42 -------- d-----w c:\program files\SpywareBlaster
2009-05-03 12:07 . 2008-08-03 05:37 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-01 17:39 . 2008-08-05 10:55 -------- d-----w c:\program files\Steam
2009-04-27 16:08 . 2008-11-21 10:28 -------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard
2009-04-11 12:41 . 2009-04-03 23:51 96 ---ha-w c:\windows\system32\HsInfo.dat
2009-04-06 14:26 . 2009-04-06 14:25 -------- d-----w c:\program files\BitRule
2009-04-03 23:51 . 2009-04-03 23:51 -------- d-----w c:\program files\Fichiers communs\DirectX
2009-04-03 21:49 . 2009-04-03 21:49 -------- d-----w c:\program files\Gravity
2009-04-03 21:49 . 2006-01-02 23:58 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-01 08:27 . 2008-11-27 01:22 2432 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-31 23:23 . 2009-03-31 23:23 -------- d-----w c:\program files\IceChat7
2009-03-31 17:38 . 2009-03-31 17:38 -------- d-----w c:\program files\Neebly
2009-03-31 17:38 . 2009-03-31 17:38 -------- d-----w c:\program files\Fichiers communs\Neebly
2009-03-30 14:04 . 2006-01-03 00:14 -------- d-----w c:\program files\Google
2009-03-27 06:14 . 2008-08-03 06:07 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-03-18 16:49 . 2009-03-18 16:49 70738 ----a-w C:\crlog_.tot.tmp
2009-03-06 14:20 . 2004-08-05 11:00 286720 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-05 11:00 670208 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-05 11:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:05 . 2004-08-05 11:00 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2004-08-05 11:00 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:23 . 2004-08-05 11:00 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2004-08-05 11:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-08-05 11:00 735744 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-08-05 11:00 739840 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:53 . 2004-08-05 11:00 685568 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2004-08-05 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2004-08-05 04:00 35328 ----a-w c:\windows\system32\sc.exe
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 172544]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]

c:\documents and settings\boinc_master\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^BOINC Manager.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\BOINC Manager.lnk
backup=c:\windows\pss\BOINC Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Orbit.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Propriétaire^Menu Démarrer^Programmes^Démarrage^MagicDisc.lnk]
path=c:\documents and settings\Compaq_Propriétaire\Menu Démarrer\Programmes\Démarrage\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Propriétaire^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Compaq_Propriétaire\Menu Démarrer\Programmes\Démarrage\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.2-enGB-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Steam\\steamapps\\knight488\\day of defeat\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\knight488\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [06/05/2009 16:15 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/08/2008 07:43 114768]
R1 ntiowp;ntiowp;c:\windows\system32\drivers\ntiowp.sys [20/10/2006 12:57 12352]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/08/2008 07:43 20560]
R2 BOINC;BOINC;c:\program files\BOINC\boinc.exe [19/09/2008 13:44 721664]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 21:06 953168]
R2 SCRCAMDRV;ScreenCamera IM Device;c:\windows\system32\drivers\SCRCAMDRV.sys [20/01/2009 13:48 225536]
S3 RTCore32;RTCore32;c:\program files\RMClock\RTCore32.sys [03/08/2008 07:33 4608]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [01/10/2006 20:37 26624]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11/07/2008 02:28 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 03:49 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11/07/2008 02:28 369688]
.
Contenu du dossier 'Tâches planifiées'

2009-05-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 14:15]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
TCP: {C013924D-509A-4739-87CF-59B76746FCDC} = 212.27.40.240,212.27.40.241
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Compaq_Propriétaire\Application Data\Mozilla\Firefox\Profiles\7m7ufk0n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- PARAMETRES FIREFOX ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 23:14
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-368770998-2887171289-4059212430-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9c,de,fd,14,45,39,f6,fb,23,95,88,de,23,44,b5,fa,92,1e,b0,37,a8,45,28,
76,50,4e,d1,23,52,6e,d6,13,f8,7b,fc,94,b9,96,d0,5f,bf,ed,f6,9a,4f,c6,28,d3,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
Heure de fin: 2009-05-06 23:17
ComboFix-quarantined-files.txt 2009-05-06 21:17

Avant-CF: 1,195,421,696 octets libres
Après-CF: 1,389,428,736 octets libres

197 --- E O F --- 2009-05-01 06:20


--------------------------------------------------

Oops, forgot to add in the log file from Anti-Malware, here it is.

--------------------------------------------------


Malwarebytes' Anti-Malware 1.36
Database version: 2090
Windows 5.1.2600 Service Pack 3

08/05/2009 03:05:57
mbam-log-2009-05-08 (03-05-57).txt

Scan type: Quick Scan
Objects scanned: 83133
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Knight488, 07 May 2009 - 08:11 PM.


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 May 2009 - 08:01 PM

Well done :thumbup2:

I would like to see the MBAM log too.

#7 Knight488

Knight488
  • Topic Starter

  • Members
  • 13 posts

Posted 07 May 2009 - 08:24 PM

er, MBAM? I edited it in the bottom of the last post after I noticed I forgot.

Edited by Knight488, 07 May 2009 - 08:25 PM.


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 May 2009 - 08:35 PM

Okay, thanks.

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

#9 Knight488

Knight488
  • Topic Starter

  • Members
  • 13 posts

Posted 07 May 2009 - 08:44 PM

Here it is as requested:



GooredFix v1.92 by jpshortstuff
Log created at 03:43 on 08/05/2009 running Option #2 (Compaq_Propriétaire)
Firefox version 3.0.10 (en-GB)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 May 2009 - 08:53 PM

Good. That one is taken care of.

Click on this link--> virustotal

Click the browse button. Copy and paste the lines in bold one by one in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

c:\windows\system32\wininet.dll
c:\windows\Setup1.exe
c:\windows\ST6UNST.EXE


If the file has been analyzed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

BTW: It is too late here and I need some sleep. I'll see the log tomorrow.

#11 Knight488

Knight488
  • Topic Starter

  • Members
  • 13 posts

Posted 07 May 2009 - 09:17 PM

I didn't know how much you wanted to see, so here it all is starting with "c:\windows\system32\wininet.dll"


------------------------------------------------------------------------------------------------------

a-squared 4.0.0.101 2009.05.08 -
AhnLab-V3 5.0.0.2 2009.05.07 -
AntiVir 7.9.0.160 2009.05.07 -
Antiy-AVL 2.0.3.1 2009.05.07 -
Authentium 5.1.2.4 2009.05.07 -
Avast 4.8.1335.0 2009.05.07 -
AVG 8.5.0.327 2009.05.07 -
BitDefender 7.2 2009.05.08 -
CAT-QuickHeal 10.00 2009.05.06 -
ClamAV 0.94.1 2009.05.08 -
Comodo 1154 2009.05.06 -
DrWeb 5.0.0.12182 2009.05.08 -
eSafe 7.0.17.0 2009.05.07 -
eTrust-Vet 31.6.6495 2009.05.08 -
F-Prot 4.4.4.56 2009.05.07 -
F-Secure 8.0.14470.0 2009.05.08 -
Fortinet 3.117.0.0 2009.05.07 -
GData 19 2009.05.08 -
Ikarus T3.1.1.49.0 2009.05.08 -
K7AntiVirus 7.10.728 2009.05.07 -
Kaspersky 7.0.0.125 2009.05.08 -
McAfee 5608 2009.05.07 -
McAfee+Artemis 5608 2009.05.07 -
McAfee-GW-Edition 6.7.6 2009.05.08 -
Microsoft 1.4602 2009.05.07 -
NOD32 4061 2009.05.07 -
Norman 6.01.05 2009.05.07 -
nProtect 2009.1.8.0 2009.05.08 -
Panda 10.0.0.14 2009.05.07 -
PCTools 4.4.2.0 2009.05.07 -
Prevx 3.0 2009.05.08 -
Rising 21.28.32.00 2009.05.07 -
Sophos 4.41.0 2009.05.08 -
Sunbelt 3.2.1858.2 2009.05.08 -
Symantec 1.4.4.12 2009.05.08 -
TheHacker 6.3.4.1.321 2009.05.07 -
TrendMicro 8.950.0.1092 2009.05.07 -
VBA32 3.12.10.4 2009.05.07 -
ViRobot 2009.5.7.1723 2009.05.07 -
VirusBuster 4.6.5.0 2009.05.07 -
Additional information
File size: 670208 bytes
MD5...: 273b84c3c339341f917d7ddad0722f51
SHA1..: e1fdabd31f46a5c1f246e4abd3118a3b2e6a7d24
SHA256: 53cd65ecb66c27b6a1046be66f65e67d73720e2dbb451fd1b05138677ba4188c
SHA512: 5621f8793ac597c9bc4397d33bcc4bb78eca52116fe2e4fa067f65a36b9b31fed93129c3ba186d2e9e06e995e645113898dd8be97cb89f24e919c70d4c735a43
ssdeep: 12288:878t4WuTgHc/jreVxsAbFxdMgmp23FffNx0owWl8Yr49c51UtXj6wBOqB:878tTu28jreVxrAp23FffN78YrLvwXj9
PEiD..: -
TrID..: File type identification
InstallShield setup (42.6%)
Win32 Executable MS Visual C++ (generic) (37.3%)
Win32 Executable Generic (8.4%)
Win32 Dynamic Link Library (generic) (7.5%)
Generic Win/DOS Executable (1.9%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1555
timedatestamp.....: 0x499e6590 (Fri Feb 20 08:10:56 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x895fc 0x89600 6.61 ddbf3533ae5c93461184664c5cbd105a
.data 0x8b000 0x6200 0x2400 2.39 1284d165f5d3b3eacba3178c6fc05c39
.rsrc 0x92000 0x128f0 0x12a00 4.78 a3ef3b8c42b1c7132763736a434e1a97
.reloc 0xa5000 0x50dc 0x5200 6.78 f6fd3fafb2d8d1cc00aa5a3905cf50c4

( 7 imports )

( 225 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set

------------------------------------------------------------------------------------------------------

And now "c:\windows\Setup1.exe"

------------------------------------------------------------------------------------------------------

a-squared 4.0.0.101 2009.05.08 -
AhnLab-V3 5.0.0.2 2009.05.07 -
AntiVir 7.9.0.160 2009.05.07 -
Antiy-AVL 2.0.3.1 2009.05.07 -
Authentium 5.1.2.4 2009.05.07 -
Avast 4.8.1335.0 2009.05.07 -
AVG 8.5.0.327 2009.05.07 -
BitDefender 7.2 2009.05.08 -
CAT-QuickHeal 10.00 2009.05.06 -
ClamAV 0.94.1 2009.05.08 -
Comodo 1154 2009.05.06 -
DrWeb 5.0.0.12182 2009.05.08 -
eSafe 7.0.17.0 2009.05.07 -
eTrust-Vet 31.6.6495 2009.05.08 -
F-Prot 4.4.4.56 2009.05.07 -
F-Secure 8.0.14470.0 2009.05.08 -
Fortinet 3.117.0.0 2009.05.07 -
GData 19 2009.05.08 -
Ikarus T3.1.1.49.0 2009.05.08 -
K7AntiVirus 7.10.728 2009.05.07 -
Kaspersky 7.0.0.125 2009.05.08 -
McAfee 5608 2009.05.07 -
McAfee+Artemis 5608 2009.05.07 -
McAfee-GW-Edition 6.7.6 2009.05.08 -
Microsoft 1.4602 2009.05.07 -
NOD32 4061 2009.05.07 -
Norman 6.01.05 2009.05.07 -
nProtect 2009.1.8.0 2009.05.08 -
Panda 10.0.0.14 2009.05.07 -
PCTools 4.4.2.0 2009.05.07 -
Prevx 3.0 2009.05.08 -
Rising 21.28.32.00 2009.05.07 -
Sophos 4.41.0 2009.05.08 -
Sunbelt 3.2.1858.2 2009.05.08 -
Symantec 1.4.4.12 2009.05.08 -
TheHacker 6.3.4.1.321 2009.05.07 -
TrendMicro 8.950.0.1092 2009.05.07 -
VBA32 3.12.10.4 2009.05.07 -
ViRobot 2009.5.7.1723 2009.05.07 -
VirusBuster 4.6.5.0 2009.05.07 -
Additional information
File size: 286720 bytes
MD5...: e40041e0ca436c712332edaa9db7df08
SHA1..: deb8ead922f4f1acbadebf0db998f6ba2dc53db0
SHA256: 6a15b76e1526e1fd6ebaecacc59c3e954d0feb0b566c81538ea6dad2edcffe16
SHA512: 1111be364c3d81dc919d1e7ba7bd141cda6555844d889f00a2b2cb0ee5c19bd0b122ae4b574a3cdfa268668eebec43fa265b44e1b8fa28faaa335824647b8bc2
ssdeep: 6144:0uOQemROOMqMA8K3eEGOCUgtLD2J9dh4bYTJ6QKq:3O2OmMQGp2J9+
PEiD..: -
TrID..: File type identification
Win32 Executable Microsoft Visual Basic 6 (68.5%)
Win32 Executable MS Visual C++ (generic) (20.5%)
Win32 Executable Generic (4.6%)
Win32 Dynamic Link Library (generic) (4.1%)
Generic Win/DOS Executable (1.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3ea0
timedatestamp.....: 0x358c54e7 (Sun Jun 21 00:33:43 1998)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3d7e0 0x3e000 6.02 bb300a203cd66e00982fd611b38c233b
.data 0x3f000 0x54c8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x45000 0x5948 0x6000 3.37 8ebf3f5e1072a20eae63c58aa0d91ab2

( 1 imports )

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set

> MSDN Disk 2436.22: SETUP1.EXE
> SDKs and Tools: SETUP1.EXE
> Visual Studio Enterprise Edition: SETUP1.EXE
> Visual Basic 6.0 Prof. Edition Upgrade: Setup1.exe
> Visual Basic Professional Edition: Setup1.exe
> MSDN Disc 2432: SETUP1.EXE
> MSDN Disc 2085: SETUP1.EXE
> MSDN Disc 2432.7: SETUP1.EXE
> MSDN Disc 2432.12: SETUP1.EXE
> MSDN Disc 2432.10: SETUP1.EXE
> MSDN Development Platform Disc1: SETUP1.EXE
> MSDN Disc 2427.3: SETUP1.EXE
> MSDN Disc 0727: SETUP1.EXE
> MSDN Disc 2432.11: SETUP1.EXE
> MSDN Disc 2435.3: SETUP1.EXE
> BackOffice Server: SETUP1.EXE
> MSDN Disc 0527.1: SETUP1.EXE
> MSDN Disc 0526: SETUP1.EXE
> Building Interactive Entertainment and E-Commerce Content: SETUP1.EXE
> MSDN Disc 0527.2: SETUP1.EXE
> MSDN Disc 3235: SETUP1.EXE
> MSDN Disc0003: SETUP1.EXE
> MSDN Disc 2436.20: SETUP1.EXE
> MSDN MS Commerce Server 2002 Developer ed., Exchange Server 2003 Enterprise ed., Exchange Server 2003 Standard ed., Host Integration server 2000, SQL: SETUP1.EXE
> Visual Basic: Setup1.exe
> Windows Server Resource Kit: SETUP1.EXE
> MSDN Development Platform Disc1: SETUP1.EXE
> MSDN Development Platform Disc2: SETUP1.EXE
> MSDN Disc 2436.22: SETUP1.EXE

( Silver Star Publishing )

> Guide to Hacking Software Security 2002: SETUP1.EXE

( Bytesize CD-ROM Inc. )

> PC Maintenance: SETUP1.EXE
> CD Recorder: SETUP1.EXE

------------------------------------------------------------------------------------------------------

And lastly c:\windows\ST6UNST.EXE

------------------------------------------------------------------------------------------------------


Whew, big post. Thank you again, sleep well.


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 May 2009 - 04:06 AM

They all look clean.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Please copy and paste a fresh HijackThis log to your reply for a final review and tell me how your computer is running.


#13 Knight488

Knight488
  • Topic Starter

  • Members
  • 13 posts

Posted 08 May 2009 - 09:58 AM

The new HJT log after the Java changes:

------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:57:28, on 08/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Propriétaire\Bureau\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: VirtualCamera IEMenu Class - {0246A1A7-820A-469A-85A7-7B7F01EB808C} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-21-368770998-2887171289-4059212430-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'boinc_master')
O4 - S-1-5-21-368770998-2887171289-4059212430-1009 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'boinc_master')
O4 - S-1-5-21-368770998-2887171289-4059212430-1009 User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'boinc_master')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Aide à la connexion - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C013924D-509A-4739-87CF-59B76746FCDC}: NameServer = 212.27.40.240,212.27.40.241
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8943 bytes

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,704 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 May 2009 - 10:31 AM

I still see an old Java running:

C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe


How is the computer running?

Edited by farbar, 08 May 2009 - 10:33 AM.


#15 Knight488

Knight488
  • Topic Starter

  • Members
  • 13 posts

Posted 08 May 2009 - 11:06 AM

I still see an old Java running:


Hm, might be because I didn't reboot yet, there was no prompt for it. I'll do that and make a new log and check that in a min. As for the PC, nothing seems "broken" anymore. But I still think it lags on games more than it should with a dual-core processor and 2 gigs of RAM.



