Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Active Rootkit Infection


  • This topic is locked This topic is locked
35 replies to this topic

#1 Caniac

Caniac

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 13 September 2009 - 04:14 PM

I have been working with Blade Zephon in the "Am I Infected" Forum and he has determined that I have an active rootkit infection and refered me here. Due to the infecton, I am unable to run DDS and Rootrepeal logs. I was, however able to generate a Win32Kdiag. log. I am posting it here. Any help will be much appreciated.
Ken

Running from: C:\Documents and Settings\User\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\User\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP319.tmp\ZAP319.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40E.tmp\ZAP40E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42B.tmp\ZAP42B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP66.tmp\ZAP66.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b7338a44a2d58177630e18c98faad8c7\download\download

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-436374069-926492609-725345543-1003\S-1-5-21-436374069-926492609-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Services\Services

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Dell\SystemProfiler\SystemProfiler

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2009-02-06 06:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-04 06:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()



Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\12128\chrome_11964\source\Chrome-bin\Chrome-bin

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700

Mount point destination : \Device\__max++>\^



Finished!

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 AM

Posted 19 September 2009 - 01:34 PM

Hello Caniac,

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)

"%userprofile%\desktop\win32kdiag.exe" -f -r

into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Caniac

Caniac
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 19 September 2009 - 05:49 PM

Sifumike, Thanks for your reply. Here nis the log.

Running from: C:\Documents and Settings\User\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\User\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB951072-v2\KB951072-v2

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP319.tmp\ZAP319.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP319.tmp\ZAP319.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40E.tmp\ZAP40E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP40E.tmp\ZAP40E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42B.tmp\ZAP42B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42B.tmp\ZAP42B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP66.tmp\ZAP66.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP66.tmp\ZAP66.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b7338a44a2d58177630e18c98faad8c7\download\download

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b7338a44a2d58177630e18c98faad8c7\download\download

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-436374069-926492609-725345543-1003\S-1-5-21-436374069-926492609-725345543-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-436374069-926492609-725345543-1003\S-1-5-21-436374069-926492609-725345543-1003

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Services\Services

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Services\Services

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\Dell\SystemProfiler\SystemProfiler

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Dell\SystemProfiler\SystemProfiler

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\12128\chrome_11964\source\Chrome-bin\Chrome-bin

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\12128\chrome_11964\source\Chrome-bin\Chrome-bin

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Found mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700



Finished!

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 AM

Posted 19 September 2009 - 06:16 PM

Hi Caniac,


Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (next step) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========


:( Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
:(
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Caniac

Caniac
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 20 September 2009 - 10:31 AM

SifuMike: Here is the log.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 11:24:30 2009

11:24:30: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Sep 20 11:25:01 2009

11:25:01: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
Ken

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 AM

Posted 20 September 2009 - 11:57 AM

Hi Ken,


Please tell me the antivirus you are using.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Caniac

Caniac
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 20 September 2009 - 12:01 PM

Stopzilla

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 AM

Posted 20 September 2009 - 12:10 PM

Hi Ken,

Stopzilla is a anti spyware, not a antivirus program.
Sounds like you dont have an antivirus installed.

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Antivirus before running ComboFix, as it will prevent it from running.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 20 September 2009 - 12:11 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Caniac

Caniac
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 20 September 2009 - 02:05 PM

Here is my Combofix log
ComboFix 09-09-18.02 - User 09/20/2009 14:50.1.1 - NTFSx86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\kyge.reg
c:\documents and settings\All Users\Documents\iwisemuka.sys
c:\documents and settings\All Users\Documents\wavuju.exe
c:\documents and settings\User\Application Data\fesolek.scr
c:\documents and settings\User\Application Data\hibopudezo.com
c:\documents and settings\User\Cookies\fapa.ban
c:\documents and settings\User\Cookies\kefyvu.dat
c:\documents and settings\User\Local Settings\Application Data\vihobylary.pif
c:\documents and settings\User\Local Settings\Temporary Internet Files\afyvi.dll
c:\documents and settings\User\Local Settings\Temporary Internet Files\bekysal.com
c:\documents and settings\User\Local Settings\Temporary Internet Files\bununajihy.scr
c:\documents and settings\User\Local Settings\Temporary Internet Files\wariso.exe
c:\documents and settings\User\Local Settings\Temporary Internet Files\wipena.bin
C:\Images
c:\images\Thumbs.db
c:\program files\Common Files\gibefy.sys
c:\program files\Common Files\ymekeguja.dl
c:\program files\version.txt
c:\windows\system32\41.exe
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\cypatesa.scr
c:\windows\system32\desote.exe
c:\windows\system32\pafelewa.dll
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\voxup.bin
c:\windows\system32\yfahikuni.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-13 18:46 . 2009-09-20 18:42 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\SITEguard
2009-09-13 18:34 . 2009-09-13 18:49 -------- d-----w- c:\program files\STOPzilla!
2009-09-13 14:33 . 2009-09-13 14:33 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-09-13 14:33 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 14:33 . 2009-09-13 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 14:33 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 14:33 . 2009-09-17 19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 14:53 . 2009-09-12 14:53 -------- d-----w- c:\program files\ESET
2009-09-11 17:24 . 2009-09-12 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\10807504
2009-09-04 23:11 . 2009-09-04 23:11 10386 ----a-w- c:\program files\Common Files\uhycyrydah.dat
2009-09-04 23:11 . 2009-09-04 23:11 10126 ----a-w- c:\windows\rotug.com
2009-09-03 23:02 . 2009-09-03 23:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-03 23:01 . 2009-09-03 23:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-08-22 03:09 . 2009-08-22 03:09 -------- d-----w- C:\2537ff1de90ac07aca33ad82d06e

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 18:45 . 2009-06-25 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-20 14:51 . 2009-09-20 14:51 2048 ----a-w- c:\windows\system32\drivers\F52B2776-8F7A-49C2-BC90-ECF8BFC91DB2.cxv
2009-09-20 14:31 . 2009-09-20 14:31 2048 ----a-w- c:\windows\system32\drivers\6C76D551-8EEE-4F4C-8348-95AE48556941.cxv
2009-09-19 22:42 . 2009-09-19 22:42 2048 ----a-w- c:\windows\system32\drivers\1A31FE86-CD4D-42A1-9E61-F63E07F62991.cxv
2009-09-19 22:13 . 2007-01-11 16:31 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2009-09-19 17:38 . 2009-09-19 17:38 2048 ----a-w- c:\windows\system32\drivers\347F986F-6B69-40F5-81D2-6EF6F03F463B.cxv
2009-09-19 00:24 . 2009-09-19 00:24 2048 ----a-w- c:\windows\system32\drivers\DCE69270-861A-4E24-B80A-23E9719A6E44.cxv
2009-09-18 19:22 . 2009-09-18 19:22 2048 ----a-w- c:\windows\system32\drivers\8B2780A0-9B7C-4485-8ED5-8009359F1D1E.cxv
2009-09-17 19:17 . 2009-09-17 19:17 2048 ----a-w- c:\windows\system32\drivers\975C232A-D13F-40C3-88C9-3BA22F42200C.cxv
2009-09-16 20:29 . 2009-09-16 20:29 2048 ----a-w- c:\windows\system32\drivers\820B9F57-96C0-49BE-867A-6D29AF8E53AA.cxv
2009-09-15 22:37 . 2009-09-15 22:37 2048 ----a-w- c:\windows\system32\drivers\3119AD3F-09B0-4310-9E34-C9DBFF7B00C5.cxv
2009-09-14 20:40 . 2009-09-14 20:40 2048 ----a-w- c:\windows\system32\drivers\A749BE6D-6895-48C1-9601-B079B77DCE0A.cxv
2009-09-13 19:48 . 2009-09-13 19:48 2048 ----a-w- c:\windows\system32\drivers\66D4A301-9D90-4552-805C-D46A7F5F01BB.cxv
2009-09-13 19:39 . 2009-09-13 19:39 2048 ----a-w- c:\windows\system32\drivers\CF838ECD-CF33-471B-B0AC-DA63B32B1DDF.cxv
2009-09-13 19:39 . 2009-06-30 20:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 19:10 . 2009-09-13 19:10 2048 ----a-w- c:\windows\system32\drivers\251B482B-AF85-41AB-A7AE-9941209521BB.cxv
2009-09-13 19:06 . 2009-09-13 19:05 3072 ----a-w- c:\windows\system32\drivers\BB5F7994-3F68-4BF6-AD66-CE85D118E3C8.cxv
2009-09-13 18:40 . 2009-09-13 18:40 3072 ----a-w- c:\windows\system32\drivers\B626A083-A5CC-4359-805E-0A6DF9A2F45D.cxv
2009-09-12 17:24 . 2009-06-12 17:24 88064 --sha-w- c:\windows\system32\lipoyiya.dll
2009-09-04 23:11 . 2009-09-04 23:11 14224 ----a-w- c:\program files\Common Files\emekityzu.db
2009-08-19 22:09 . 2009-08-19 22:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-19 22:09 . 2009-05-29 20:15 -------- d-----w- c:\program files\Java
2009-08-11 16:57 . 2009-08-09 20:49 -------- d-----w- c:\documents and settings\User\Application Data\ZoomBrowser EX
2009-08-09 20:56 . 2009-08-09 20:54 -------- d-----w- c:\documents and settings\User\Application Data\CameraWindowDC
2009-08-09 20:54 . 2009-08-09 20:54 -------- d-----w- c:\documents and settings\User\Application Data\CANON INC
2009-08-09 20:54 . 2007-01-11 15:05 15080 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 20:46 . 2009-08-09 20:45 -------- d-----w- c:\program files\Canon
2009-08-09 20:45 . 2009-08-09 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-08-09 20:44 . 2009-08-09 20:44 -------- d-----w- c:\program files\Common Files\Canon
2009-08-09 20:41 . 2009-08-09 20:41 -------- d-----w- c:\program files\HOJY TECH
2009-08-09 20:41 . 2007-01-11 14:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-09 15:37 . 2009-08-09 15:37 -------- d-----w- c:\program files\QuickTime
2009-08-09 15:37 . 2009-08-09 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-09 15:37 . 2009-08-09 15:37 -------- d-----w- c:\program files\Apple Software Update
2009-08-09 15:37 . 2009-08-09 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 17:26 . 2009-06-04 22:53 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-11 14:09 . 2009-07-11 14:09 5 ----a-w- c:\program files\eula.txt
2009-07-11 13:58 . 2009-07-11 13:58 3 ----a-w- c:\program files\option.txt
2009-07-03 17:09 . 2006-03-04 03:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 19:43 . 2009-06-25 19:58 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-25 19:43 . 2009-06-25 19:43 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-25 08:25 . 2004-08-04 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-28 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-19 149280]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-20 520024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"firovosan"="c:\windows\system32\lipoyiya.dll" [2009-09-12 88064]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{14f99345-241e-4ee9-b032-64e9bfb4d33e}"= "c:\windows\system32\lipoyiya.dll" [2009-09-12 88064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"lopavoyuf"= {14f99345-241e-4ee9-b032-64e9bfb4d33e} - c:\windows\system32\lipoyiya.dll [2009-09-12 88064]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 gupdate1c9dc7947e883c6;Google Update Service (gupdate1c9dc7947e883c6);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-20 1029456]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-06-26 204800]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\PCX504.sys [2003-02-14 96256]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-25 64160]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:47]

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-17 14:08]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 14:09]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 14:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.news-record.com/
mStart Page = hxxp://www.google.com
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
SharedTaskScheduler-{7265f161-0851-447b-b353-8a069cd5bc2a} - c:\windows\system32\desoyahi.dll
SharedTaskScheduler-{3d5736b0-8d33-4bf8-abb6-bb4ed957f47e} - c:\windows\system32\desoyahi.dll
SSODL-rogidebur-{7265f161-0851-447b-b353-8a069cd5bc2a} - c:\windows\system32\desoyahi.dll
SSODL-batunikif-{3d5736b0-8d33-4bf8-abb6-bb4ed957f47e} - c:\windows\system32\desoyahi.dll
AddRemove-HijackThis - c:\documents and settings\User\Local Settings\Temporary Internet Files\Content.IE5\SS72IVZR\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1392)
c:\windows\system32\WININET.dll
c:\windows\system32\lipoyiya.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-09-20 15:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 19:01

Pre-Run: 69,234,372,608 bytes free
Post-Run: 70,594,027,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

242 --- E O F --- 2009-09-02 23:38

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 AM

Posted 20 September 2009 - 02:24 PM

Hi,


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the each of the following file paths into the "Suspicious files to scan"box on the top of the page:
    • c:\program files\Common Files\uhycyrydah.dat
      c:\windows\rotug.com
      c:\windows\system32\lipoyiya.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipbard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Caniac

Caniac
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 20 September 2009 - 02:58 PM

Sifu Mike, I can't get those file paths to paste into the box on VirScan. Can I just type them in?
Ken

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 AM

Posted 20 September 2009 - 03:02 PM

Hi Ken,

Each of the following file paths, not all of the file paths. LOL

Copy and paste only one at a time. :(

Edited by SifuMike, 20 September 2009 - 03:04 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Caniac

Caniac
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 20 September 2009 - 03:06 PM

I'm trying one at a time, but after I copy a path, when I click in the box and click "paste" there's nothing there to paste. I know I'm missing something simple here. ?
Ken

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 AM

Posted 20 September 2009 - 03:17 PM

Try the Browse button to find the files on your computer.

Edited by SifuMike, 20 September 2009 - 03:18 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Caniac

Caniac
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:03:41 AM

Posted 20 September 2009 - 03:34 PM

Here's the first

Srpski | Македонски | العربية | Suomi | ihMdI | | עברית | | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

File Active_Rootkit_Infection1.mht received on 2009.09.20 20:25:53 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/40 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 50 and 71 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:


Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.20 -
AhnLab-V3 5.0.0.2 2009.09.19 -
AntiVir 7.9.1.19 2009.09.18 -
Antiy-AVL 2.0.3.7 2009.09.18 -
Authentium 5.1.2.4 2009.09.20 -
Avast 4.8.1351.0 2009.09.19 -
AVG 8.5.0.412 2009.09.20 -
BitDefender 7.2 2009.09.20 -
CAT-QuickHeal 10.00 2009.09.19 -
ClamAV 0.94.1 2009.09.19 -
Comodo 2384 2009.09.20 -
DrWeb 5.0.0.12182 2009.09.20 -
eSafe 7.0.17.0 2009.09.17 -
eTrust-Vet 31.6.6746 2009.09.18 -
F-Prot 4.5.1.85 2009.09.20 -
Fortinet 3.120.0.0 2009.09.19 -
GData 19 2009.09.20 -
Ikarus T3.1.1.72.0 2009.09.20 -
Jiangmin 11.0.800 2009.09.20 -
K7AntiVirus 7.10.849 2009.09.19 -
Kaspersky 7.0.0.125 2009.09.20 -
McAfee 5747 2009.09.20 -
McAfee+Artemis 5747 2009.09.20 -
McAfee-GW-Edition 6.8.5 2009.09.20 -
Microsoft 1.5005 2009.09.20 -
NOD32 4441 2009.09.19 -
Norman 6.01.09 2009.09.18 -
nProtect 2009.1.8.0 2009.09.20 -
Panda 10.0.2.2 2009.09.20 -
PCTools 4.4.2.0 2009.09.20 -
Prevx 3.0 2009.09.20 -
Rising 21.47.62.00 2009.09.20 -
Sophos 4.45.0 2009.09.20 -
Sunbelt 3.2.1858.2 2009.09.20 -
Symantec 1.4.4.12 2009.09.20 -
TheHacker 6.5.0.2.012 2009.09.18 -
TrendMicro 8.950.0.1094 2009.09.20 -
VBA32 3.12.10.10 2009.09.20 -
ViRobot 2009.9.18.1943 2009.09.18 -
VirusBuster 4.6.5.0 2009.09.20 -
Additional information
File size: 500306 bytes
MD5...: 3789ed78c465ed883befecea70f92823
SHA1..: baadd7e2d0d483765c02960b77fa52ec117f7447
SHA256: d331fc2689569ac5dcb5bb2dbd09299b35023793a405b5ba59ca935b7520136d
ssdeep: 6144:MVct5o1yXoYS0PX0LqyuWnsNInJDc5HYW9oMR91:hbooYYSmX0G4nRDc5HY
WbR91

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Microsoft Internet Explorer Web Archive (81.3%)
E-Mail message (Var. 2) (18.6%)
packers (F-Prot): qp


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users