Yahoo, Google Bing, etc., redirecting


16 replies to this topic

#1 jtmansur (Members, 9 posts)

Posted 09 December 2009 - 10:48 PM

Whenever I do a query in Yahoo, Google or Bing and select a result, it gets redirected to other sites which look like ads for different things. I tried my Malwarebytes and my McAfee to remove it - they found trojans, but this has not fixed the issue. Hoping y'all can help! For a while when I opened Yahoo, I would get the website and two additional pages would start 'loading', but I could close them out. That seems to have stopped now. I do get error messages when I reboot that certain .dll files aren't working. Other than the redirections, I don't seem to have any other issues. Thanks!


DDS (Ver_09-12-01.01) - NTFSx86
Run by TONI at 17:26:38.10 on Wed 12/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.141 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Documents and Settings\TONI\My Documents\RCA Detective\RCADetective.exe
C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\TONI\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No File
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: AT&&T Yahoo! Sidebar: {51085e3d-a958-42a2-a6be-a6a9b0baf276} - c:\program files\yahoo!\browser\ysidebarIE.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [calc] rundll32.exe c:\docume~1\toni\ntuser.dll,_IWMPEvents@0
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Lexmark 3100 Series] "c:\program files\lexmark 3100 series\lxbrbmgr.exe"
mRun: [LXBRKsk] c:\progra~1\lexmar~1\LXBRKsk.exe
mRun: [IPInSightLAN 02] "c:\program files\visual networks\visual ip insight\sbc\IPClient.exe" -l
mRun: [IPInSightMonitor 02] "c:\program files\visual networks\visual ip insight\sbc\IPMon32.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\toni\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\toni\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\toni\startm~1\programs\startup\sbcyah~1.lnk - c:\program files\yahoo!\browser\ybrowser.exe
StartupFolder: c:\docume~1\toni\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\toni\startm~1\programs\startup\trueas~1.lnk - c:\program files\trueswitchat&tyahoo\TrueWizard.exe
StartupFolder: c:\docume~1\toni\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: fnismls.com
Trusted Zone: housevalues.com\hvu
Trusted Zone: housevalues.com\marketleader
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} - hxxp://www.talkingbuddy.com/talkingbuddyinstall.exe
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://www.trueswitch.com/sbc/TrueInstallSBC.exe
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 91.212.127.226 aviraplatinum.microsoft.com
Hosts: 91.212.127.226 aviraplatinum.com
Hosts: 91.212.127.226 www.aviraplatinum.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\toni\applic~1\mozilla\firefox\profiles\92cnnr9i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\toni\application data\mozilla\firefox\profiles\92cnnr9i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\toni\application data\mozilla\firefox\profiles\92cnnr9i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-17 130936]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-8-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-8-22 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-8-22 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-8-22 34248]

=============== Created Last 30 ================

2009-12-09 22:31:12 0 d-----w- c:\program files\Trend Micro
2009-12-07 00:16:34 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-05 15:07:35 0 d-----w- c:\docume~1\toni\applic~1\PC
2009-12-05 13:11:48 124 ----a-w- C:\xcrashdump.dat
2009-12-05 03:04:37 369 ----a-w- c:\windows\system32\uses32.dat
2009-12-05 03:04:37 100 ----a-w- c:\windows\system32\flags.ini
2009-12-05 02:48:40 30206 ----a-w- C:\wxiuk.exe
2009-12-03 02:44:55 26113 ----a-w- c:\windows\system32\xbwg.oko
2009-11-12 22:52:11 0 d-----w- C:\912528a708673d6ad8d8

==================== Find3M ====================

2009-12-09 09:40:44 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-09 09:40:44 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-10-30 23:54:18 690969 ----a-w- c:\windows\unins001.exe
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2005-02-19 16:50:34 6526608 ----a-w- c:\program files\MicrosoftAntiSpywareInstall.exe

============= FINISH: 17:38:57.01 ===============


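The DDS log above carries the markers that usually go with a search-redirect infection: two Run entries named calc that launch rundll32.exe against a DLL sitting in the user profile root (ntuser.dll) and a calc.dll in system32, both with the same _IWMPEvents@0 export; a Startup-folder shortcut (scandisk.lnk) that launches rundll32.exe with no DLL at all; Hosts entries that point aviraplatinum.microsoft.com at 91.212.127.226; EnableLUA = 0; and BHO/toolbar entries whose file is gone. The script below is an added example, not part of the original post and not one of the tools used in this thread. It scans DDS-style "Pseudo HJT Report" lines for those indicator classes and ranks the hits. The sample lines are constructed from the log above, the rundll32 allowlist and the vendor-domain list are assumptions for triage, and it assumes %SystemRoot% is c:\windows as in this log.

```python
"""Triage of DDS-style "Pseudo HJT Report" lines for search-redirect indicators.

Added example (not from the original post, not one of the tools used in the
thread). It scores the line types that stand out in the log above: rundll32
loading a DLL from outside the Windows directory, rundll32 launched with no
DLL at all, Hosts entries that point a name at a non-loopback address,
EnableLUA forced to 0, and browser add-ons whose file is gone.
"""
import re
from ipaddress import ip_address

# Constructed sample input, modelled on the DDS log in the post above.
SAMPLE_LOG = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [calc] rundll32.exe c:\docume~1\toni\ntuser.dll,_IWMPEvents@0
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
StartupFolder: c:\docume~1\toni\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
mPolicies-system: EnableLUA = 0 (0x0)
BHO: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No File
Hosts: 91.212.127.226 aviraplatinum.microsoft.com
Hosts: 127.0.0.1 localhost
"""

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<target>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
LUA_OFF_RE = re.compile(r"^mPolicies-system: EnableLUA = 0\b")
ORPHAN_RE = re.compile(r"^(?:BHO|TB|EB): .* - No File$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s*(?P<args>.*)$', re.IGNORECASE)

# DLLs that Windows and common drivers legitimately launch through rundll32.
# This allowlist is an assumption for triage; extend it for the environment.
KNOWN_RUNDLL_TARGETS = {
    "shell32.dll", "advpack.dll", "setupapi.dll", "powrprof.dll",
    "nvcpl.dll", "nvmctray.dll", "bthprops.cpl", "igfxpers.dll",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _rundll32_findings(cmd, line):
    """Flag rundll32 invocations whose DLL argument is missing or suspicious."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return []
    args = m.group("args").strip().strip('"').strip()
    if not args:
        # rundll32.exe with nothing to load: the real payload is elsewhere
        # (the scandisk.lnk entry in the log above looks like this).
        return [("high", "rundll32-no-dll", line)]
    dll = args.split(",", 1)[0].strip().strip('"').lower()
    name = dll.rsplit("\\", 1)[-1]
    # Assumes %SystemRoot% is c:\windows, as in this log.
    if "\\" in dll and not dll.startswith("c:\\windows\\"):
        # A DLL in a user profile or temp directory is the strongest signal here.
        return [("high", "rundll32-dll-outside-windows", line)]
    if name not in KNOWN_RUNDLL_TARGETS:
        return [("medium", "rundll32-unfamiliar-dll", line)]
    return []


def _hosts_findings(ip, host, line):
    """Flag Hosts entries that send a name anywhere but loopback/unspecified."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return [("medium", "hosts-unparseable", line)]
    if addr.is_loopback or addr.is_unspecified:
        return []  # 127.0.0.1 / 0.0.0.0 blocking entries are the file's normal use
    # A vendor name pointed at a foreign address is the rogue-AV pattern in the
    # log above; the domain list is an assumption.
    vendor = host.lower().endswith(("microsoft.com", "mcafee.com", "symantec.com"))
    return [("high" if vendor else "medium", "hosts-redirect", line)]


def triage(log_text):
    """Return (severity, rule, line) findings, highest severity first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            findings += _rundll32_findings(m.group("cmd"), line)
        elif m := STARTUP_RE.match(line):
            findings += _rundll32_findings(m.group("target"), line)
        elif m := HOSTS_RE.match(line):
            findings += _hosts_findings(m.group("ip"), m.group("host"), line)
        elif LUA_OFF_RE.match(line):
            findings.append(("medium", "enablelua-zero", line))
        elif ORPHAN_RE.match(line):
            findings.append(("low", "orphaned-browser-addon", line))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[2]))


if __name__ == "__main__":
    for sev, rule, line in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {rule:30} {line}")
```

To use it on a real log, read the saved DDS.txt into `triage()` instead of SAMPLE_LOG. The hits are leads for a human, not a verdict: the patched atapi.sys that ComboFix reports later in this thread does not show up in these lines at all, which is why the helper moves on to ComboFix rather than stopping at the DDS log.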
#2 Farbar (Security Developer)

Posted 10 December 2009 - 11:40 AM

Hi jtmansur,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • You still have some leftovers from an incompletely uninstalled Norton Antivirus on your computer.

    To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • I see in the log that the Coupon Printer for Windows is installed on your computer.
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please doubleclick the "Add or Remove Programs" icon.
    A list of programs installed will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Coupon Printer for Windows

    Also delete the folders in bold (if present):

    C:\Program Files\Coupon
    C:\Program Files\Coupons

  • Please disable McAfee as follows:
    • Please open McAfee Security Centre
    • Under Common Tasks click on Home
    • Click Computer Files
    • Click Configure
    • Make sure the following are disabled by ticking the "Off" button.

      Virus protection
      Spyware protection
      System Guards Protection
      Script Scanning Protection (you may have to scroll down to see it)

    • Next, select never for "When to re-enable real time scanning"
    • and click OK.
    Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/micros...ternalID=222820

    Note: It is important to re-enable those setting(s) immediately after ComboFix has produced its log.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 jtmansur (Topic Starter)

Posted 11 December 2009 - 08:43 PM

Hi Farbar,

Thank you sooooooooooo much for helping me with this. Whew! What a mess, eh?

I ran ComboFix and here's what came out of it:

ComboFix 09-12-11.01 - TONI 12/11/2009 17:53:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.110 [GMT -6:00]
Running from: C:\Documents and Settings\TONI\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\TONI\Application Data\PC
C:\Documents and Settings\TONI\Application Data\PC\faq\guide.html
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg1.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg10.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg2.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg3.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg4.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg5.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg6.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg7.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg8.jpg
C:\Documents and Settings\TONI\Application Data\PC\faq\images\gimg9.jpg
C:\Documents and Settings\TONI\Application Data\PC\settings.ini
C:\Documents and Settings\TONI\ntuser.dll
C:\Documents and Settings\TONI\Start Menu\Programs\Startup\scandisk.lnk
C:\WINDOWS\Install.txt
C:\WINDOWS\MailSwitch.ocx
C:\WINDOWS\patch.exe
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\curslib.dll
C:\WINDOWS\system32\dbxDgrevCheck.dll
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\system32\flags.ini
C:\WINDOWS\system32\Install.txt
C:\WINDOWS\system32\lsm32.sys
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\uses32.dat
C:\WINDOWS\system32\wincert.dll
C:\WINDOWS\system32\wmdtc.exe
C:\xcrashdump.dat

Infected copy of C:\WINDOWS\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))
.

2009-12-09 22:31:12 . 2009-12-09 22:31:12 -------- d-----w- C:\Program Files\Trend Micro
2009-12-09 09:24:24 . 2009-12-09 09:24:24 112216 ----a-w- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-07 00:16:34 . 2009-11-03 02:42:06 195456 ------w- C:\WINDOWS\system32\MpSigStub.exe
2009-12-07 00:14:04 . 2009-12-07 00:14:12 -------- d-----w- C:\Program Files\Windows Defender
2009-12-05 02:48:40 . 2009-12-05 02:48:42 30206 ----a-w- C:\wxiuk.exe
2009-11-12 22:52:11 . 2009-11-12 22:52:25 -------- d-----w- C:\912528a708673d6ad8d8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 23:46:51 . 2008-05-20 22:36:15 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2009-12-11 22:53:09 . 2008-04-26 15:09:03 -------- d-----w- C:\Program Files\Coupons
2009-12-11 22:31:17 . 2008-05-21 02:54:14 -------- d-----w- C:\Program Files\TrueSwitchAT&TYahoo
2009-12-09 09:40:44 . 2002-08-29 06:27:50 96512 ----a-w- C:\WINDOWS\system32\drivers\atapi.sys
2009-12-07 00:12:46 . 2009-03-25 21:39:04 -------- d-----w- C:\Program Files\Windows Live Safety Center
2009-12-07 00:04:23 . 2009-09-17 22:13:22 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-06 14:23:52 . 2008-09-30 22:13:36 -------- d-----w- C:\Documents and Settings\TONI\Application Data\OpenOffice.org2
2009-11-21 17:36:53 . 2009-08-22 16:23:16 -------- d-----w- C:\Program Files\McAfee
2009-10-30 23:56:31 . 2009-10-30 23:56:31 -------- d-----w- C:\Documents and Settings\TONI\Application Data\WeatherBug
2009-10-30 23:54:30 . 2009-10-30 23:54:29 872 ----a-w- C:\WINDOWS\unins001.dat
2009-10-30 23:54:18 . 2009-10-30 23:54:30 690969 ----a-w- C:\WINDOWS\unins001.exe
2009-10-30 23:52:50 . 2009-10-30 23:52:50 -------- d-----w- C:\Program Files\Windows Media Components
2009-10-29 07:45:38 . 2005-10-21 18:51:36 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-10-21 05:38:36 . 2004-08-04 07:56:45 75776 ----a-w- C:\WINDOWS\system32\strmfilt.dll
2009-10-21 05:38:36 . 2004-08-04 07:56:42 25088 ----a-w- C:\WINDOWS\system32\httpapi.dll
2009-10-20 16:20:16 . 2004-08-04 06:00:13 265728 ------w- C:\WINDOWS\system32\drivers\http.sys
2009-10-13 10:30:16 . 2002-08-29 10:00:00 270336 ----a-w- C:\WINDOWS\system32\oakley.dll
2009-10-12 13:38:19 . 2002-08-29 10:00:00 149504 ----a-w- C:\WINDOWS\system32\rastls.dll
2009-10-12 13:38:18 . 2002-08-29 10:00:00 79872 ----a-w- C:\WINDOWS\system32\raschap.dll
2009-09-18 23:15:05 . 2004-04-14 01:04:45 48224 ----a-w- C:\Documents and Settings\TONI\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-16 15:22:48 . 2009-08-22 16:25:34 40552 ----a-w- C:\WINDOWS\system32\drivers\mfesmfk.sys
2009-09-16 15:22:48 . 2009-08-22 16:25:33 79816 ----a-w- C:\WINDOWS\system32\drivers\mfeavfk.sys
2009-09-16 15:22:48 . 2009-08-22 16:25:33 35272 ----a-w- C:\WINDOWS\system32\drivers\mfebopk.sys
2009-09-16 15:22:48 . 2009-07-08 18:44:20 214664 ----a-w- C:\WINDOWS\system32\drivers\mfehidk.sys
2009-09-16 15:22:14 . 2009-08-22 16:17:41 34248 ----a-w- C:\WINDOWS\system32\drivers\mferkdk.sys
2005-02-19 16:50:34 . 2005-02-19 16:50:34 6526608 ----a-w- C:\Program Files\MicrosoftAntiSpywareInstall.exe
2006-10-11 08:04:58 . 2006-12-19 00:42:48 61036 ----a-w- C:\Program Files\mozilla firefox\components\jar50.dll
2006-10-11 08:04:59 . 2006-12-19 00:42:48 48742 ----a-w- C:\Program Files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05:03 . 2006-12-19 00:42:48 29313 ----a-w- C:\Program Files\mozilla firefox\components\myspell.dll
2006-10-11 08:05:03 . 2006-12-19 00:42:49 41082 ----a-w- C:\Program Files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04:58 . 2006-12-19 00:42:49 166510 ----a-w- C:\Program Files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 17:09:36 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-08 16:58:40 68856]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 15:55:32 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-06-22 05:48:18 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-06-22 05:44:34 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 09:59:24 122880]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 06:04:00 114741]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 06:01:00 155648]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 15:27:40 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-27 00:47:34 204800]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-04-20 18:24:50 53248]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 02:33:54 106496]
"LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 14:57:18 294912]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 07:52:24 380928]
"IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 07:52:26 122880]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 21:19:46 129536]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 15:24:00 16384]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 15:55:32 206064]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 01:58:04 177472]
"ATT-SST_McciTrayApp"="C:\Program Files\ATT-SST\McciTrayApp.exe" [2008-09-19 01:11:19 1529856]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-05-26 22:18:30 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-06-05 18:39:22 292136]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2009-10-29 12:54:44 1218008]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2009-07-08 02:02:26 1176808]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 19:53:56 1312080]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-04 01:20:12 866584]

C:\Documents and Settings\TONI\Start Menu\Programs\Startup\
RCA Detective.lnk - C:\Documents and Settings\TONI\My Documents\RCA Detective\RCADetective.exe [2009-10-30 942592]
SBC Yahoo! DSL.lnk - C:\Program Files\Yahoo!\browser\ybrowser.exe [2007-7-2 668184]
TrueAssistant.lnk - C:\Program Files\TrueSwitchAT&TYahoo\TrueWizard.exe [2008-4-29 1069056]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-5-4 2913840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
McAfee Security Scan.lnk - C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Audio Bible Download Manager\\FCBHDownloadManager3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 PCTCore;PCTools KDS;C:\WINDOWS\SYSTEM32\DRIVERS\PCTCore.sys [9/17/2009 4:12:59 PM 130936]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [8/22/2009 10:30:00 AM 203280]
R2 sdAuxService;PC Tools Auxiliary Service;C:\Program Files\Spyware Doctor\pctsAuxs.exe [9/17/2009 4:12:29 PM 348752]
R2 WinDefend;Windows Defender;C:\Program Files\Windows Defender\MsMpEng.exe [11/3/2006 7:19:58 PM 13592]
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
Trusted Zone: fnismls.com
Trusted Zone: housevalues.com\hvu
Trusted Zone: housevalues.com\marketleader
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} - hxxp://www.talkingbuddy.com/talkingbuddyinstall.exe
FF - ProfilePath - C:\Documents and Settings\TONI\Application Data\Mozilla\Firefox\Profiles\92cnnr9i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: C:\Documents and Settings\TONI\Application Data\Mozilla\Firefox\Profiles\92cnnr9i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: C:\Documents and Settings\TONI\Application Data\Mozilla\Firefox\Profiles\92cnnr9i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: C:\Program Files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Reader for Palm OS - C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu

#4 Farbar (Security Developer, The Netherlands)

Posted 12 December 2009 - 07:00 AM

The major infection is taken care of. Now just the leftovers.

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

@echo off
rem Remove the leftover file in the root of C: (/a ignores hidden/system attributes, /f forces read-only, /q skips the prompt)
del /a /f /q C:\wxiuk.exe
rem List everything in C:\ (all attributes, sorted by extension) and the Task Scheduler folder (recursively),
rem writing both listings to log.txt in the folder this batch file runs from (the desktop)
(dir /a /o:e  "C:\" & dir /a /s C:\WINDOWS\tasks) >log.txt
rem Open the listing in Notepad
start log.txt
  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click dirlook.bat on the desktop.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#5 jtmansur (Topic Starter)

Posted 12 December 2009 - 09:24 AM

Here's what ran:

Volume in drive C has no label.
Volume Serial Number is 5881-8994

Directory of C:\

01/28/2006 11:08 AM <DIR> DRIVERS
09/16/2009 04:41 PM <DIR> 67bcfb0234d440b73184b5462bdb6b5b
11/12/2009 04:52 PM <DIR> 912528a708673d6ad8d8
12/20/2008 11:29 AM 250,048 NTLDR
03/18/2009 03:54 PM <DIR> My Music
12/11/2009 05:47 PM <DIR> Program Files
10/26/2004 08:49 PM <DIR> LRSYSTEM
10/26/2004 08:47 PM <DIR> LOGOS20
12/11/2009 07:32 PM 211,186 logfile
12/11/2009 05:32 PM <DIR> cmdcons
08/03/2004 11:00 PM 260,272 cmldr
12/11/2009 07:00 PM <DIR> ComboFix
12/11/2009 07:30 PM <DIR> WINDOWS
12/11/2009 06:59 PM <DIR> Qoobox
05/01/2004 10:25 PM <DIR> WUTemp
04/16/2004 09:23 PM <DIR> I386
08/22/2009 02:15 AM <DIR> d5b2dc4f6a641d74d0521c33c970
09/18/2009 05:37 AM <DIR> dd106434d3e5f1ca23136c84ae4c
04/08/2007 06:51 PM <DIR> DELL
01/11/2009 09:09 PM <DIR> TEMP
11/12/2009 05:19 PM <DIR> Documents and Settings
03/19/2005 04:02 PM <DIR> Open Office
01/11/2009 08:56 PM <DIR> System Volume Information
11/15/2006 03:01 AM <DIR> e20c48e35bd27c58c8a385
05/29/2006 05:29 PM 211 Boot.bak
09/03/2002 07:59 AM 0 AUTOEXEC.BAT
05/29/2006 05:18 PM 47,564 NTDETECT.COM
04/30/2009 09:23 PM 5,658 winmail.dat
06/27/2006 09:32 PM 89,767 EasyShare.dmp
09/03/2002 07:38 AM 512 BOOTSECT.DOS
10/25/2008 07:53 PM 1,277,680 CouponPrinter.exe
10/15/2004 09:17 PM 571,040 install_easyshare.exe
12/24/2008 04:39 PM 68,756,776 iTunesSetup.exe
04/05/2009 08:36 PM 11,288 articles.htm
04/09/2004 07:03 AM 87 SystemInfo.ini
12/11/2009 05:32 PM 281 BOOT.INI
07/19/2007 03:56 PM 129 Shortcut to CD Drive.lnk
08/05/2005 06:49 PM 7,431 caavsetup.log
02/18/2005 09:21 PM 168 setupfax.log
04/15/2005 04:40 PM 647 EasyShareInstall.log
06/02/2007 09:22 AM 547 INSTALL.LOG
07/24/2009 09:32 AM 22,278,144 20090426SpiritKingSaul_Vett.mp3
08/17/2008 07:52 AM 4,324,389 ThinkOnTheseThings.mp3
12/06/2009 06:14 PM <DIR> Config.Msi
08/10/2008 05:24 PM 7,680 Glen in action at JFK.MSWMM
04/09/2004 07:05 AM 501 IPH.PH
04/09/2004 06:39 AM 5,480 DELL.SDR
09/03/2002 07:59 AM 0 CONFIG.SYS
12/11/2009 07:28 PM 805,306,368 pagefile.sys
09/03/2002 07:59 AM 0 IO.SYS
09/03/2002 07:59 AM 0 MSDOS.SYS
12/11/2009 07:28 PM 534,843,392 hiberfil.sys
12/09/2009 07:48 PM 13,388 RootRepeal report 12-09-09 (19-48-28).txt
02/09/2007 12:44 PM 146 YServer.txt
08/08/2007 10:03 AM 51 DVDPATH.TXT
04/30/2009 12:03 PM 10,067 How can I serve you.xlsx
06/12/2008 06:09 PM 230 config.xml
35 File(s) 1,438,281,128 bytes
22 Dir(s) 25,687,343,104 bytes free
Volume in drive C has no label.
Volume Serial Number is 5881-8994

Directory of C:\WINDOWS\tasks

12/11/2009 07:32 PM <DIR> .
12/11/2009 07:32 PM <DIR> ..
12/10/2009 04:30 PM 396 Advanced WindowsCare V2 Pro.job
12/07/2009 09:06 PM 284 AppleSoftwareUpdate.job
12/11/2009 08:00 PM 408 AwcProUpdate.job
08/29/2002 04:00 AM 65 DESKTOP.INI
11/15/2009 01:22 AM 338 McDefragTask.job
12/01/2009 01:00 AM 316 McQcTask.job
12/12/2009 01:32 AM 330 MP Scheduled Scan.job
12/11/2009 07:29 PM 6 SA.DAT
8 File(s) 2,143 bytes

Total Files Listed:
8 File(s) 2,143 bytes
2 Dir(s) 25,687,343,104 bytes free
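
The batch file in post #4 and the listing it produced above are normally read by eye. As an added example (not code from the thread, from ComboFix or from Farbar), here is a Python parser for that `dir /a` output that pulls out the entries a practitioner looks at first: executables sitting in the root of C:, directories with long hex names, and the .job files in the Task Scheduler folder. The sample input is a subset of the listing above; the three flag rules and the names `parse_dir_listing` and `flag_entries` are this example's own.

```python
"""Triage a Windows `dir /a` listing (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# One entry line: "12/20/2008 11:29 AM 250,048 NTLDR"
#              or "01/28/2006 11:08 AM <DIR> DRIVERS"
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+))\s+(?P<name>.+?)\s*$"
)
HEADER_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16,}$")          # e.g. 67bcfb0234d440b73184b5462bdb6b5b
EXEC_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


@dataclass
class Entry:
    directory: str
    name: str
    is_dir: bool
    size: int
    date: str


def parse_dir_listing(text: str) -> list[Entry]:
    """Parse `dir` output; the 'Directory of' header tells each entry its parent folder."""
    entries, current = [], ""
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group("path")
            continue
        m = ENTRY_RE.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        size = 0 if m.group("dir") else int(m.group("size").replace(",", ""))
        entries.append(Entry(current, m.group("name"), bool(m.group("dir")), size, m.group("date")))
    return entries


def flag_entries(entries: list[Entry]) -> dict[str, list[str]]:
    """Return the names worth a second look, grouped by reason (this example's own heuristics)."""
    flags = {"root_executables": [], "hex_named_dirs": [], "scheduled_tasks": []}
    for e in entries:
        lower = e.name.lower()
        if e.directory.lower() == "c:\\" and not e.is_dir and lower.endswith(EXEC_EXT):
            flags["root_executables"].append(e.name)
        if e.is_dir and HEX_NAME_RE.match(lower):
            flags["hex_named_dirs"].append(e.name)
        if e.directory.lower().endswith("\\tasks") and lower.endswith(".job"):
            flags["scheduled_tasks"].append(e.name)
    return flags


# Lines copied from the listing posted above (abridged).
SAMPLE = """\
 Directory of C:\\

01/28/2006 11:08 AM <DIR> DRIVERS
09/16/2009 04:41 PM <DIR> 67bcfb0234d440b73184b5462bdb6b5b
12/20/2008 11:29 AM 250,048 NTLDR
12/11/2009 05:47 PM <DIR> Program Files
10/25/2008 07:53 PM 1,277,680 CouponPrinter.exe
10/15/2004 09:17 PM 571,040 install_easyshare.exe
12/24/2008 04:39 PM 68,756,776 iTunesSetup.exe
12/11/2009 07:28 PM 805,306,368 pagefile.sys
 Directory of C:\\WINDOWS\\tasks

12/11/2009 07:32 PM <DIR> .
12/11/2009 07:32 PM <DIR> ..
12/10/2009 04:30 PM 396 Advanced WindowsCare V2 Pro.job
12/07/2009 09:06 PM 284 AppleSoftwareUpdate.job
08/29/2002 04:00 AM 65 DESKTOP.INI
12/11/2009 07:29 PM 6 SA.DAT
"""

if __name__ == "__main__":
    for reason, names in flag_entries(parse_dir_listing(SAMPLE)).items():
        print(f"{reason}: {names}")
```

Hex-named directories in the root of a drive are commonly left behind by Windows Update and installer extraction, so that flag is a pointer to check, not a verdict. Root executables are worth more attention: C:\CouponPrinter.exe, which this flags, is the file the CFScript in the following post targets.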

#6 Farbar (Security Developer, The Netherlands)

Posted 12 December 2009 - 09:50 AM

Are you sure you posted the whole ComboFix log? If not, disregard the rest of this post and post the whole log. If yes, McAfee has probably removed a component of ComboFix: I don't see the rootkit scanner part of ComboFix. That is why we want to run it again.

Make sure you disable McAfee and then remove your copy of ComboFix from your desktop and download a fresh copy from the link given.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

File::
c:\CouponPrinter.exe
Folder::
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Coupons

Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

#7 jtmansur (Topic Starter)

Posted 12 December 2009 - 08:58 PM

Hi Again,

Ok. It's taken most of the day because my system seemed to have crashed - had to reinstall Windows, etc. But ran the Combo like you said and here's the result:

ComboFix 09-12-11.05 - TONI 12/12/2009 18:38:12.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.510.243 [GMT -6:00]
Running from: c:\documents and settings\TONI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TONI\Desktop\cfscript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\CouponPrinter.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\CouponPrinter.exe
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
c:\program files\Coupons
c:\program files\Coupons\uninstall.exe

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-13 01:02 . 2008-05-21 02:54 -------- d-----w- c:\program files\TrueSwitchAT&TYahoo
2009-12-12 23:44 . 2004-04-14 01:04 48416 ----a-w- c:\documents and settings\TONI\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-12 23:17 . 2002-09-03 13:56 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2009-12-09 22:31 . 2009-12-09 22:31 -------- d-----w- c:\program files\Trend Micro
2009-12-09 09:24 . 2009-12-09 09:24 112216 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-07 00:14 . 2009-12-07 00:14 -------- d-----w- c:\program files\Windows Defender
2009-12-07 00:12 . 2009-03-25 21:39 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-07 00:04 . 2009-09-17 22:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-06 14:23 . 2008-09-30 22:13 -------- d-----w- c:\documents and settings\TONI\Application Data\OpenOffice.org2
2009-11-21 17:36 . 2009-08-22 16:23 -------- d-----w- c:\program files\McAfee
2009-11-03 02:42 . 2009-12-07 00:16 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 23:56 . 2009-10-30 23:56 -------- d-----w- c:\documents and settings\TONI\Application Data\WeatherBug
2009-10-30 23:54 . 2009-10-30 23:54 872 ----a-w- c:\windows\unins001.dat
2009-10-30 23:54 . 2009-10-30 23:54 690969 ----a-w- c:\windows\unins001.exe
2009-10-30 23:52 . 2009-10-30 23:52 -------- d-----w- c:\program files\Windows Media Components
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-09-16 15:22 . 2009-08-22 16:25 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-08-22 16:25 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-08-22 16:25 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-07-08 18:44 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 15:22 . 2009-08-22 16:17 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2005-02-19 16:50 . 2005-02-19 16:50 6526608 ----a-w- c:\program files\MicrosoftAntiSpywareInstall.exe
2006-10-11 08:04 . 2006-12-19 00:42 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2006-12-19 00:42 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2006-12-19 00:42 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2006-12-19 00:42 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2006-12-19 00:42 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\xmlprov.dll

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\ip6fw.sys
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\DRIVERS\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-08 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-06-22 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-04-20 53248]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-04 106496]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"IPInSightLAN 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 02"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2003-07-16 40960]

c:\documents and settings\TONI\Start Menu\Programs\Startup\
RCA Detective.lnk - c:\documents and settings\TONI\My Documents\RCA Detective\RCADetective.exe [2009-10-30 942592]
SBC Yahoo! DSL.lnk - c:\program files\Yahoo!\browser\ybrowser.exe [2007-7-2 668184]
TrueAssistant.lnk - c:\program files\TrueSwitchAT&TYahoo\TrueWizard.exe [2008-4-29 1069056]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-5-4 2913840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Audio Bible Download Manager\\FCBHDownloadManager3.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [8/22/2009 10:30 AM 203280]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/17/2009 4:12 PM 348752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [9/17/2009 4:12 PM 130936]
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: fnismls.com
Trusted Zone: housevalues.com\hvu
Trusted Zone: housevalues.com\marketleader
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} - hxxp://www.talkingbuddy.com/talkingbuddyinstall.exe
FF - ProfilePath - c:\documents and settings\TONI\Application Data\Mozilla\Firefox\Profiles\92cnnr9i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\TONI\Application Data\Mozilla\Firefox\Profiles\92cnnr9i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\TONI\Application Data\Mozilla\Firefox\Profiles\92cnnr9i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 18:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iycvniduwmextpd]
"imagepath"="\??\c:\windows\TEMP\E0.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-179114538-355733123-2662699446-1007\Software\Corel\WordPerfect\11\Power Bar\Power Bar Last Selected - \
* |***]
"0BernhardFashion BT"=hex(80000006):30
"1OzHandicraft BT"=hex(80000006):30
"2Arial"=hex(80000006):30
"3Comic Sans MS"=hex(80000006):30
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(736)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3452)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\System32\msctfime.ime
c:\windows\System32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\System32\WgaTray.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\BCMSMMSG.exe
c:\program files\Lexmark 3100 Series\lxbrbmon.exe
c:\program files\Lexmark 3100 Series\lxbrcmon.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-12-12 19:12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-13 01:12

Pre-Run: 28,443,885,568 bytes free
Post-Run: 28,549,361,664 bytes free

- - End Of File - - AB763E5D6789983A11742DB74247D8BF
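
The Sigcheck section of the log above lists each unverified system file twice: the live copy under c:\windows and the copy under c:\windows\ERDNT\cache, which this example treats as a reference copy. As an added example (not ComboFix's code and not from the thread), here is a Python parser for those lines that reports, per file, whether the two copies carry the same MD5 and size. A mismatch singles out one copy as altered; a match, as in every pair above, means both copies are the same build and a third source such as a VirusTotal hash lookup is needed to decide. The bracketed flag and the version field are carried through unchanged and not interpreted. The sample lines are copied from the log above, plus one constructed pair (dummy.dll, made-up hashes) to show the mismatch outcome; the function names are this example's own.

```python
"""Cross-check live vs. cached copies in a ComboFix Sigcheck section (added example)."""
import re
from collections import defaultdict

# "[-] 2008-04-14 . F92E1076C42F... . 13824 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\wscntfy.exe"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
CACHE_MARKER = "\\erdnt\\cache\\"   # path fragment that identifies the cached copy


def parse_sigcheck(text: str) -> list[dict]:
    """Return one dict per Sigcheck line; lines in any other format are ignored."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["md5"] = row["md5"].upper()
            rows.append(row)
    return rows


def compare_live_vs_cache(rows: list[dict]) -> dict[str, str]:
    """Map each file name to 'match', 'MISMATCH', or 'unpaired' (only one copy listed)."""
    by_name = defaultdict(dict)
    for row in rows:
        path = row["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        kind = "cache" if CACHE_MARKER in path else "live"
        by_name[name][kind] = (row["md5"], row["size"])
    verdicts = {}
    for name, copies in by_name.items():
        if "live" in copies and "cache" in copies:
            verdicts[name] = "match" if copies["live"] == copies["cache"] else "MISMATCH"
        else:
            verdicts[name] = "unpaired"
    return verdicts


# Six lines copied from the Sigcheck section above; the last two are constructed
# (dummy.dll, hashes made up for this example) to show a mismatch.
SAMPLE = """\
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\\windows\\ERDNT\\cache\\wscntfy.exe
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\\windows\\SYSTEM32\\wscntfy.exe
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\\windows\\ERDNT\\cache\\xmlprov.dll
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\\windows\\SYSTEM32\\xmlprov.dll
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\\windows\\ERDNT\\cache\\ip6fw.sys
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\\windows\\SYSTEM32\\DRIVERS\\ip6fw.sys
[-] 2008-04-14 . 00000000000000000000000000000001 . 1000 . . [5.1.2600.5512] . . c:\\windows\\ERDNT\\cache\\dummy.dll
[-] 2008-04-14 . 00000000000000000000000000000002 . 1000 . . [5.1.2600.5512] . . c:\\windows\\SYSTEM32\\dummy.dll
"""

if __name__ == "__main__":
    for name, verdict in compare_live_vs_cache(parse_sigcheck(SAMPLE)).items():
        print(f"{name}: {verdict}")
```

The separate line `c:\windows\system32\qmgr.dll . . . is infected!!` is ComboFix's own verdict, not a Sigcheck row, and is not parsed here; it is the reason the next post asks for that file to be scanned first.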

#8 Farbar (Security Developer, The Netherlands)

Posted 13 December 2009 - 06:04 AM

So you mean you had to do a repair install of Windows? What specifically do you mean by "the system crashed"? Is this the log after the repair install?

Click on this link--> virustotal

Click the browse button. Copy and paste the lines listed below into the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.


c:\windows\system32\qmgr.dll
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\xmlprov.dll
c:\windows\SYSTEM32\DRIVERS\ip6fw.sys
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll


If the file has been analysed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post. If any of them is totally clean you may just mention it; no need to post the log.

#9 jtmansur (Topic Starter)

Posted 13 December 2009 - 10:13 AM

Yes, I did have to do a repair install.

Here's the first log
File qmgr.dll received on 2009.12.13 15:10:51 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.13 -
AhnLab-V3 5.0.0.2 2009.12.12 -
AntiVir 7.9.1.108 2009.12.11 -
Antiy-AVL 2.0.3.7 2009.12.11 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.13 -
AVG 8.5.0.427 2009.12.13 -
BitDefender 7.2 2009.12.13 -
CAT-QuickHeal 10.00 2009.12.12 -
ClamAV 0.94.1 2009.12.13 -
Comodo 3229 2009.12.13 -
DrWeb 5.0.0.12182 2009.12.13 -
eSafe 7.0.17.0 2009.12.13 -
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.12 -
F-Secure 9.0.15370.0 2009.12.13 -
Fortinet 4.0.14.0 2009.12.13 -
GData 19 2009.12.13 -
Ikarus T3.1.1.74.0 2009.12.13 -
Jiangmin 13.0.900 2009.12.13 -
K7AntiVirus 7.10.918 2009.12.11 -
Kaspersky 7.0.0.125 2009.12.13 -
McAfee 5831 2009.12.13 -
McAfee+Artemis 5831 2009.12.13 -
McAfee-GW-Edition 6.8.5 2009.12.13 -
Microsoft 1.5302 2009.12.13 -
NOD32 4683 2009.12.13 -
Norman 6.04.03 2009.12.12 -
nProtect 2009.1.8.0 2009.12.13 -
Panda 10.0.2.2 2009.12.13 -
PCTools 7.0.3.5 2009.12.13 -
Prevx 3.0 2009.12.13 -
Rising 22.25.06.05 2009.12.13 -
Sophos 4.48.0 2009.12.13 -
Sunbelt 3.2.1858.2 2009.12.13 -
Symantec 1.4.4.12 2009.12.13 -
TheHacker 6.5.0.2.092 2009.12.12 -
TrendMicro 9.100.0.1001 2009.12.13 -
VBA32 3.12.12.0 2009.12.13 -
ViRobot 2009.12.12.2085 2009.12.12 -
VirusBuster 5.0.21.0 2009.12.12 -
Additional information
File size: 361984 bytes
MD5...: 696ac82fb290a03f205901442e0e9589
SHA1..: 5d1f4e0bf21a2799ab1f8cc790662d1801b139a2
SHA256: b525520e2aa4b66bdf512e107e1d39f0b25aa32ee25dbc62c45a6784af7949ab
ssdeep: 6144:ZsGQWC9tVZB7sHlNzkV5mIoKY9ZGSH52kn6jOAYKmopeO9R9Wakjv:fQ191BgFNzkVAfzoxk6jOAHmSRWJ

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4228f
timedatestamp.....: 0x40e48b52 (Thu Jul 01 22:08:18 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x4c9cc  0x4ca00  6.54   4872fbe45d7d3c0d60d5b08dec6de4a0
.data   0x4e000  0x47a4   0x200    4.81   9e53d22650a572a112dc8cc481d9ead2
.rsrc   0x53000  0x4870   0x4a00   5.70   f017cffc3d0167edc9ec176edb924971
.reloc  0x58000  0x6b9a   0x6c00   6.24   1180e6e686fd21eed52d3690592cc630

( 18 imports )
> msvcrt.dll: qsort, _purecall, wcsncpy, isalpha, _wcsnicmp, _ftol, _memicmp, __CxxFrameHandler, _CxxThrowException, wcscmp, wcstok, wcschr, _vsnwprintf, _wcsdup, _onexit, __dllonexit, _terminate@@YAXXZ, _except_handler3, __1type_info@@UAE@XZ, _adjust_fdiv, _initterm, swscanf, _wcsicmp, memmove, sscanf, wcsncmp, wcsstr, free, malloc, _vsnprintf, wcslen
> ntdll.dll: NtRaiseException, VerSetConditionMask, NtQueryInformationThread, RtlLengthSecurityDescriptor, RtlCreateHeap, RtlNtStatusToDosError, NtQueryInformationFile, NtSetInformationFile
> ADVAPI32.dll: QueryServiceConfigW, StartTraceW, EnableTrace, ControlTraceW, UnregisterTraceGuids, RegisterTraceGuidsW, GetTraceLoggerHandle, GetTraceEnableLevel, GetTraceEnableFlags, TraceEvent, RegCreateKeyExW, RegSetValueExW, AllocateAndInitializeSid, FreeSid, CopySid, GetSidSubAuthorityCount, GetSidSubAuthority, MapGenericMask, OpenProcessToken, LogonUserW, CreateProcessAsUserW, GetLengthSid, RegOpenKeyExW, GetSecurityDescriptorOwner, GetSecurityDescriptorGroup, GetSecurityDescriptorDacl, GetSecurityDescriptorSacl, GetSecurityDescriptorControl, SetNamedSecurityInfoW, DuplicateTokenEx, LookupPrivilegeValueW, AdjustTokenPrivileges, GetSecurityInfo, ConvertSidToStringSidW, ConvertStringSidToSidW, RevertToSelf, IsTokenRestricted, EqualSid, CloseServiceHandle, OpenServiceW, ChangeServiceConfig2W, CreateServiceW, OpenSCManagerW, RegisterServiceCtrlHandlerExW, SetServiceStatus, ChangeServiceConfigW, RegCloseKey, RegQueryValueExW, RegOpenKeyW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetThreadToken, ImpersonateLoggedOnUser, GetTokenInformation, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, OpenThreadToken, ImpersonateSelf, AccessCheck, MakeSelfRelativeSD, MakeAbsoluteSD, CheckTokenMembership, RegisterEventSourceW, DeregisterEventSource, ReportEventW, LookupAccountSidW
> CRYPT32.dll: CryptProtectData, CryptUnprotectData
> iphlpapi.dll: GetBestInterface, GetIfEntry, GetIfTable
> KERNEL32.dll: UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetFileSize, GetWindowsDirectoryW, GetSystemTime, MultiByteToWideChar, GetTimeZoneInformation, LocalFileTimeToFileTime, GetLocalTime, SleepEx, CancelIo, SetFilePointer, GetVolumeInformationW, SetFileAttributesW, GetFileAttributesW, InterlockedExchange, GetLongPathNameW, LoadLibraryA, RaiseException, GetFileInformationByHandle, GetVolumePathNameW, GetFullPathNameW, GlobalMemoryStatus, QueryPerformanceFrequency, CreateDirectoryW, OutputDebugStringW, UnhandledExceptionFilter, QueueUserWorkItem, GetDriveTypeW, GetTempFileNameW, GetLastError, GetProcAddress, GetVersionExW, LoadLibraryExW, GetSystemDirectoryW, SetLastError, FreeLibrary, Sleep, LoadLibraryW, InterlockedDecrement, InterlockedIncrement, CloseHandle, WaitForSingleObject, OpenEventW, DisableThreadLibraryCalls, SetEvent, GetModuleFileNameW, CreateEventW, GetSystemTimeAsFileTime, LockResource, LoadResource, FindResourceW, ExpandEnvironmentStringsW, InterlockedCompareExchange, HeapAlloc, HeapFree, LocalFree, GetCurrentThread, LocalAlloc, GlobalFree, EnterCriticalSection, LeaveCriticalSection, GetTickCount, SetThreadPriority, GetThreadPriority, DuplicateHandle, GetCurrentProcess, ResetEvent, InitializeCriticalSection, DeleteCriticalSection, UnregisterWait, SetWaitableTimer, CancelWaitableTimer, RegisterWaitForSingleObject, WideCharToMultiByte, lstrlenW, InitializeCriticalSectionAndSpinCount, FormatMessageW, GetCurrentThreadId, lstrcmpiW, GetExitCodeProcess, CreateFileW, SetEndOfFile, SetFilePointerEx, GetFileSizeEx, FlushFileBuffers, WriteFile, ReadFile, CopyFileW, CreateWaitableTimerW, MoveFileExW, DeleteFileW, GetFileAttributesExW, SetFileTime, BindIoCompletionCallback, GetFileTime, GetFileType, SystemTimeToFileTime, QueryPerformanceCounter, TlsSetValue, ReleaseMutex, ReleaseSemaphore, TlsGetValue, WaitForMultipleObjects, CreateSemaphoreW, TlsFree, WaitForMultipleObjectsEx, CreateMutexW, TlsAlloc, GetExitCodeThread, CreateThread, GetCurrentProcessId, VerifyVersionInfoW, GetVolumeNameForVolumeMountPointW
> MPR.dll: WNetGetConnectionW
> ole32.dll: CoTaskMemFree, CoRegisterClassObject, CoRevokeClassObject, StringFromGUID2, CoImpersonateClient, CoInitializeEx, CoInitializeSecurity, CoTaskMemAlloc, CoCreateGuid, IIDFromString, StringFromIID, CoCreateInstance, CoUninitialize
> OLEAUT32.dll: -, -, -, -
> RPCRT4.dll: RpcBindingFree, RpcBindingSetAuthInfoExW, RpcBindingFromStringBindingW, NdrClientCall2, UuidCreate
> SHFOLDER.dll: SHGetFolderPathW
> SHLWAPI.dll: UrlCombineW
> USER32.dll: DestroyWindow, UnregisterClassW, LoadStringW, DefWindowProcW, GetWindowLongW, DispatchMessageW, TranslateMessage, MsgWaitForMultipleObjectsEx, PeekMessageW, SetWindowLongW, CreateWindowExW, RegisterClassExW, UnregisterDeviceNotification, RegisterDeviceNotificationW, PostMessageW
> USERENV.dll: DestroyEnvironmentBlock, CreateEnvironmentBlock
> VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
> WS2_32.dll: -, -, WSASocketW, -, -, -, WSAIoctl, -
> WTSAPI32.dll: WTSQuerySessionInformationW, WTSEnumerateSessionsW, WTSFreeMemory
> WINHTTP.dll: WinHttpQueryDataAvailable, WinHttpSetCredentials, WinHttpReadData, WinHttpOpenRequest, WinHttpQueryAuthSchemes, WinHttpConnect, WinHttpWriteData, WinHttpSetOption, WinHttpCrackUrl, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpGetProxyForUrl, WinHttpGetIEProxyConfigForCurrentUser, WinHttpAddRequestHeaders, WinHttpCloseHandle, WinHttpOpen, WinHttpQueryHeaders, WinHttpSetStatusCallback

( 17 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Background Intelligent Transfer Service
original name: qmgr.dll
internal name: qmgr.dll
file version.: 6.6.2600.1569 (xpsp2_gdr.040517-1325)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#10 jtmansur
  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2009 - 10:17 AM

here's the 2nd
File wscntfy.exe received on 2009.12.13 15:14:11 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.13 -
AhnLab-V3 5.0.0.2 2009.12.12 -
AntiVir 7.9.1.108 2009.12.11 -
Antiy-AVL 2.0.3.7 2009.12.11 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.13 -
AVG 8.5.0.427 2009.12.13 -
BitDefender 7.2 2009.12.13 -
CAT-QuickHeal 10.00 2009.12.12 -
ClamAV 0.94.1 2009.12.13 -
Comodo 3229 2009.12.13 -
DrWeb 5.0.0.12182 2009.12.13 -
eSafe 7.0.17.0 2009.12.13 -
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.12 -
F-Secure 9.0.15370.0 2009.12.13 -
Fortinet 4.0.14.0 2009.12.13 -
GData 19 2009.12.13 -
Ikarus T3.1.1.74.0 2009.12.13 -
Jiangmin 13.0.900 2009.12.13 -
K7AntiVirus 7.10.918 2009.12.11 -
Kaspersky 7.0.0.125 2009.12.13 -
McAfee 5831 2009.12.13 -
McAfee+Artemis 5831 2009.12.13 -
McAfee-GW-Edition 6.8.5 2009.12.13 -
Microsoft 1.5302 2009.12.13 -
NOD32 4683 2009.12.13 -
Norman 6.04.03 2009.12.12 -
nProtect 2009.1.8.0 2009.12.13 -
Panda 10.0.2.2 2009.12.13 -
PCTools 7.0.3.5 2009.12.13 -
Prevx 3.0 2009.12.13 -
Rising 22.25.06.05 2009.12.13 -
Sophos 4.48.0 2009.12.13 -
Sunbelt 3.2.1858.2 2009.12.13 -
Symantec 1.4.4.12 2009.12.13 -
TheHacker 6.5.0.2.092 2009.12.12 -
TrendMicro 9.100.0.1001 2009.12.13 -
VBA32 3.12.12.0 2009.12.13 -
ViRobot 2009.12.12.2085 2009.12.12 -
VirusBuster 5.0.21.0 2009.12.12 -
Additional information
File size: 13824 bytes
MD5...: f92e1076c42fcd6db3d72d8cfe9816d5
SHA1..: 549f0a01848375d03159fc74171ed97790fa9650
SHA256: 94135acf2d9426bb78e4522429120b03d94b541422c277b9aca31410874a464c
ssdeep: 192:JmvFvF8NbUW94QtMXREaELt2y1PT6zu7R3bolyk+gahQQMnvLAIguynlmsWT1PWK:Wd8NQWzk5ELt7P/hkQqLde7WT1PWS

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x27f2
timedatestamp.....: 0x48025335 (Sun Apr 13 18:38:45 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x27e0 0x2800 6.16 6b938c455457f7d1b5c5a674b8ebf6f1
.data 0x4000 0x6c 0x200 0.62 a46ea3afddd245a4720f45eb859ddfbf
.rsrc 0x5000 0x6e0 0x800 3.99 98ba1bbfda46d37793d588959529ce08

( 5 imports )

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Windows Security Center Notification App
original name: wscntfy.exe
internal name: wscntfy.exe
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#11 jtmansur
  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2009 - 10:23 AM

3rd one

File xmlprov.dll received on 2009.12.13 15:17:45 (UTC)

Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.13 -
AhnLab-V3 5.0.0.2 2009.12.12 -
AntiVir 7.9.1.108 2009.12.11 -
Antiy-AVL 2.0.3.7 2009.12.11 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.13 -
AVG 8.5.0.427 2009.12.13 -
BitDefender 7.2 2009.12.13 -
CAT-QuickHeal 10.00 2009.12.12 -
ClamAV 0.94.1 2009.12.13 -
Comodo 3229 2009.12.13 -
DrWeb 5.0.0.12182 2009.12.13 -
eSafe 7.0.17.0 2009.12.13 -
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.12 -
Fortinet 4.0.14.0 2009.12.13 -
GData 19 2009.12.13 -
Ikarus T3.1.1.74.0 2009.12.13 -
Jiangmin 13.0.900 2009.12.13 -
K7AntiVirus 7.10.918 2009.12.11 -
Kaspersky 7.0.0.125 2009.12.13 -
McAfee 5831 2009.12.13 -
McAfee+Artemis 5831 2009.12.13 -
McAfee-GW-Edition 6.8.5 2009.12.13 -
Microsoft 1.5302 2009.12.13 -
NOD32 4683 2009.12.13 -
Norman 6.04.03 2009.12.12 -
nProtect 2009.1.8.0 2009.12.13 -
Panda 10.0.2.2 2009.12.13 -
PCTools 7.0.3.5 2009.12.13 -
Prevx 3.0 2009.12.13 -
Rising 22.25.06.05 2009.12.13 -
Sophos 4.48.0 2009.12.13 -
Sunbelt 3.2.1858.2 2009.12.13 -
Symantec 1.4.4.12 2009.12.13 -
TheHacker 6.5.0.2.092 2009.12.12 -
TrendMicro 9.100.0.1001 2009.12.13 -
VBA32 3.12.12.0 2009.12.13 -
ViRobot 2009.12.12.2085 2009.12.12 -
VirusBuster 5.0.21.0 2009.12.12 -
Additional information
File size: 129024 bytes
MD5...: 295d21f14c335b53cb8154e5b1f892b9
SHA1..: 090e95953f71d654ea885af74d491ad1e6a0f8c7
SHA256: 9418477c2e3ea93e93d931a4edd4500da568fad6040204b5201d1080203b0bbc
ssdeep: 3072:K/IvBpoLMlwcXZznLt02SJW3gADcCAJud:t7oLM2mMlCd

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16275
timedatestamp.....: 0x4802a12c (Mon Apr 14 00:11:24 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1c9e4 0x1ca00 6.47 747443081460292df346889068115d90
.data 0x1e000 0x1c8 0x200 1.80 b62cd350158fbbe46e93f101d823e152
.rsrc 0x1f000 0x718 0x800 3.95 c12db74733218834ea913973eeef7c1d
.reloc 0x20000 0x1e46 0x2000 5.66 721c28ab2d9a2d9c714d8a294ac146c0

( 13 imports )

( 3 exports )
DllRegisterServer, DllUnregisterServer, ServiceMain

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Network Provisioning Service
original name: xmlprov.dll
internal name: xmlprov.dll
file version.: 5.1.2600.5512 (xpsp.080413-0852)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#12 jtmansur
  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2009 - 10:25 AM

File ip6fw.sys received on 2009.12.13 15:23:50 (UTC)

Result: 0/40 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.13 -
AhnLab-V3 5.0.0.2 2009.12.12 -
AntiVir 7.9.1.108 2009.12.11 -
Antiy-AVL 2.0.3.7 2009.12.11 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.13 -
AVG 8.5.0.427 2009.12.13 -
BitDefender 7.2 2009.12.13 -
CAT-QuickHeal 10.00 2009.12.12 -
ClamAV 0.94.1 2009.12.13 -
Comodo 3229 2009.12.13 -
DrWeb 5.0.0.12182 2009.12.13 -
eSafe 7.0.17.0 2009.12.13 -
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.12 -
F-Secure 9.0.15370.0 2009.12.13 -
Fortinet 4.0.14.0 2009.12.13 -
GData 19 2009.12.13 -
Ikarus T3.1.1.74.0 2009.12.13 -
Jiangmin 13.0.900 2009.12.13 -
K7AntiVirus 7.10.918 2009.12.11 -
Kaspersky 7.0.0.125 2009.12.13 -
McAfee 5831 2009.12.13 -
McAfee+Artemis 5831 2009.12.13 -
McAfee-GW-Edition 6.8.5 2009.12.13 -
Microsoft 1.5302 2009.12.13 -
NOD32 4683 2009.12.13 -
Norman 6.04.03 2009.12.12 -
nProtect 2009.1.8.0 2009.12.13 -
Panda 10.0.2.2 2009.12.13 -
PCTools 7.0.3.5 2009.12.13 -
Rising 22.25.06.05 2009.12.13 -
Sophos 4.48.0 2009.12.13 -
Sunbelt 3.2.1858.2 2009.12.13 -
Symantec 1.4.4.12 2009.12.13 -
TheHacker 6.5.0.2.092 2009.12.12 -
TrendMicro 9.100.0.1001 2009.12.13 -
VBA32 3.12.12.0 2009.12.13 -
ViRobot 2009.12.12.2085 2009.12.12 -
VirusBuster 5.0.21.0 2009.12.12 -
Additional information
File size: 36608 bytes
MD5...: 3bb22519a194418d5fec05d800a19ad0
SHA1..: 4755dd23eb1780211f8ccf27966f78907d2eb851
SHA256: f6662f440950596dc1382dd1db5d7891ccea30a6062bea942c18445b5f0d8b16
ssdeep: 384:N4AgBbM15FuO+s1w0FOksQOhaKPI+c5FZcOs/cERbw86v9T2FnYp9rZDroAu9EZ0:yZSU0FLlOhDgkBmrEhGFdjtuHJ

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x71aa
timedatestamp.....: 0x480256ac (Sun Apr 13 18:53:32 2008)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x300 0x5754 0x5780 6.37 9019e1fe5238ba1ba959f4c746afcfa7
.rdata 0x5a80 0x3c4 0x400 4.53 20531d7d6d0c7452bfaee097b7331d39
.data 0x5e80 0x964 0x980 0.43 4d957aa1cd3c86d1622558f376d01204
PAGE 0x6800 0x17e 0x180 5.60 b43bd25ecd09129a4adadd0107811744
INIT 0x6980 0xf78 0xf80 6.18 4853ff7eab7e42528ac6074726842a32
.rsrc 0x7900 0xa20 0xa80 6.27 3c19e8752b2fbc98024c9721f95202d1
.reloc 0x8380 0xb5a 0xb80 6.17 a62455e5f0755f8f0db618c2f49378f9

( 4 imports )

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: IPv6 Windows Firewall Driver
original name: ip6fw.sys
internal name: ip6fw.sys
file version.: 5.1.2600.5512 (xpsp.080413-0852)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#13 Farbar
    Just Curious
  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 December 2009 - 01:50 PM

Please do the same for the last file. No need for the log if it is clean.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Go to Start => Run (OR press Windows key+R )

    Copy and paste the following in the Run box and click OK:

    notepad C:\windows\system32\drivers\etc\hosts

    A text file opens. Please post its content to your reply.

  • Also tell me how your computer is running or if you get redirected or get any error at start up.
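The hosts-file check the helper asks for above, as an added example that is not part of this thread: it parses hosts-file text and flags the entries a reviewer would question when a machine redirects searches. The sample hosts text and the watched-domain list are constructed for the example.

```python
"""Review a Windows hosts file for redirect-style hijacks.

Added example, not from the forum thread. A helper asked the poster to paste
C:\\windows\\system32\\drivers\\etc\\hosts; this shows what a reviewer looks for
in that paste: well-known search-engine or security-vendor names that are
mapped anywhere at all, and any name mapped to a non-local address.
"""
import ipaddress
from typing import List, Tuple

# Names that search-redirect or update-blocking infections commonly remap.
# Constructed watch list for the example, not taken from the thread.
WATCHED_SUFFIXES = (
    "google.com", "yahoo.com", "bing.com", "microsoft.com",
    "windowsupdate.com", "mcafee.com", "malwarebytes.org",
)

# Constructed sample, modelled on a Windows XP hosts file with four added lines.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for the example)
127.0.0.1       localhost
127.0.0.1       www.mcafee.com          # constructed: AV vendor site pinned to loopback
192.0.2.10      www.google.com          # constructed: redirect to a TEST-NET-1 address
192.0.2.10      search.yahoo.com www.bing.com
0.0.0.0         ads.example.net         # constructed: benign ad-block sinkhole
"""


def _is_local(addr: str) -> bool:
    """Loopback and the unspecified address are the only normal targets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # address with no names: nothing to map
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def _watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Flag hosts entries a reviewer would question.

    Returns (address, hostname, reason) triples with reason one of:
      'redirected'     watched name sent to a non-local address (search redirect)
      'blocked'        watched name pinned to loopback (AV or update site blocked)
      'remote-address' any other name sent to a non-local address
      'bad-address'    first field is not a valid IP address at all
    """
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "bad-address"))
            continue
        if _watched(name):
            findings.append((addr, name, "redirected" if not _is_local(addr) else "blocked"))
        elif not _is_local(addr):
            findings.append((addr, name, "remote-address"))
    return findings


def main() -> None:
    for addr, name, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"{reason:15} {addr:15} {name}")


if __name__ == "__main__":
    main()
```

A default XP hosts file contains only the `127.0.0.1 localhost` line, so every finding the script prints is something to explain.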


#14 jtmansur
  • Topic Starter
  • Members
  • 9 posts

Posted 13 December 2009 - 01:57 PM

final one....

File comctl32.dll received on 2009.12.13 18:55:35 (UTC)

Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.13 -
AhnLab-V3 5.0.0.2 2009.12.12 -
AntiVir 7.9.1.108 2009.12.11 -
Antiy-AVL 2.0.3.7 2009.12.11 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.13 -
AVG 8.5.0.427 2009.12.13 -
BitDefender 7.2 2009.12.13 -
CAT-QuickHeal 10.00 2009.12.12 -
ClamAV 0.94.1 2009.12.13 -
Comodo 3230 2009.12.13 -
DrWeb 5.0.0.12182 2009.12.13 -
eSafe 7.0.17.0 2009.12.13 -
eTrust-Vet 35.1.7171 2009.12.11 -
F-Prot 4.5.1.85 2009.12.12 -
F-Secure 9.0.15370.0 2009.12.13 -
Fortinet 4.0.14.0 2009.12.13 -
GData 19 2009.12.13 -
Ikarus T3.1.1.74.0 2009.12.13 -
Jiangmin 13.0.900 2009.12.13 -
K7AntiVirus 7.10.918 2009.12.11 -
Kaspersky 7.0.0.125 2009.12.13 -
McAfee 5831 2009.12.13 -
McAfee+Artemis 5831 2009.12.13 -
McAfee-GW-Edition 6.8.5 2009.12.13 -
Microsoft 1.5302 2009.12.13 -
NOD32 4684 2009.12.13 -
Norman 6.04.03 2009.12.12 -
nProtect 2009.1.8.0 2009.12.13 -
Panda 10.0.2.2 2009.12.13 -
PCTools 7.0.3.5 2009.12.13 -
Prevx 3.0 2009.12.13 -
Rising 22.25.06.05 2009.12.13 -
Sophos 4.48.0 2009.12.13 -
Sunbelt 3.2.1858.2 2009.12.13 -
Symantec 1.4.4.12 2009.12.13 -
TheHacker 6.5.0.2.092 2009.12.12 -
TrendMicro 9.100.0.1001 2009.12.13 -
VBA32 3.12.12.0 2009.12.13 -
ViRobot 2009.12.12.2085 2009.12.12 -
VirusBuster 5.0.21.0 2009.12.13 -
Additional information
File size: 1054208 bytes
MD5...: bd38d1ebe24a46bd3eda059560afba12
SHA1..: 0328e098555de9b7e0881588440c0275b3899ac6
SHA256: c2ea526d4ff0c18b84bf8958081516e2154c2e39e49a545c2df954c822f7ebea
ssdeep: 12288:OX3NGml4PEdXeALSt5k7rU4B5b92AkX+Xh0GPecLEJJ0sbMxCgZxAsv9C8VPtXoU:I3EuLVVI9X+XuGPdEJJ0sbMLZxT96

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4256
timedatestamp.....: 0x4802a094 (Mon Apr 14 00:08:52 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x90a4a 0x90c00 6.58 6d749c7cb4d1d1b2ce496bf6a59516f9
.data 0x92000 0xa50 0x600 3.98 a0f0c5c3a85adc5edd51f1d95c70f883
.rsrc 0x93000 0x69fa0 0x6a000 4.48 2cb467f1acf2b3f7bad4552cf74c68b0
.reloc 0xfd000 0x5e28 0x6000 6.39 fd244873c9bec037804bcd50fb1d3397

( 7 imports )

( 108 exports )
AddMRUStringW, CreateMRUListW, CreateMappedBitmap, CreatePropertySheetPage, CreatePropertySheetPageA, CreatePropertySheetPageW, CreateStatusWindow, CreateStatusWindowA, CreateStatusWindowW, CreateToolbar, CreateToolbarEx, CreateUpDownControl, DPA_DeleteAllPtrs, DPA_DeletePtr, DPA_DestroyCallback, DPA_EnumCallback, DPA_InsertPtr, DPA_Search, DPA_SetPtr, DPA_Sort, DSA_Create, DSA_Destroy, DSA_DestroyCallback, DSA_GetItemPtr, DSA_InsertItem, DefSubclassProc, DestroyPropertySheetPage, DllGetVersion, DllInstall, DrawInsert, DrawShadowText, DrawStatusText, DrawStatusTextA, DrawStatusTextW, EnumMRUListW, FlatSB_EnableScrollBar, FlatSB_GetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollProp, FlatSB_GetScrollRange, FlatSB_SetScrollInfo, FlatSB_SetScrollPos, FlatSB_SetScrollProp, FlatSB_SetScrollRange, FlatSB_ShowScrollBar, FreeMRUList, GetEffectiveClientRect, GetMUILanguage, GetWindowSubclass, HIMAGELIST_QueryInterface, ImageList_Add, ImageList_AddIcon, ImageList_AddMasked, ImageList_BeginDrag, ImageList_Copy, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_Draw, ImageList_DrawEx, ImageList_DrawIndirect, ImageList_Duplicate, ImageList_EndDrag, ImageList_GetBkColor, ImageList_GetDragImage, ImageList_GetFlags, ImageList_GetIcon, ImageList_GetIconSize, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_GetImageRect, ImageList_LoadImage, ImageList_LoadImageA, ImageList_LoadImageW, ImageList_Merge, ImageList_Read, ImageList_ReadEx, ImageList_Remove, ImageList_Replace, ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_SetDragCursorImage, ImageList_SetFilter, ImageList_SetFlags, ImageList_SetIconSize, ImageList_SetImageCount, ImageList_SetOverlayImage, ImageList_Write, ImageList_WriteEx, InitCommonControls, InitCommonControlsEx, InitMUILanguage, InitializeFlatSB, LBItemFromPt, MakeDragList, MenuHelp, PropertySheet, PropertySheetA, PropertySheetW, RemoveWindowSubclass, 
SetWindowSubclass, ShowHideMenuCtl, Str_SetPtrW, UninitializeFlatSB, _TrackMouseEvent

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: User Experience Controls Library
original name: comctl32.DLL
internal name: comctl32
file version.: 6.0 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#15 Farbar

    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 13 December 2009 - 02:01 PM

Thanks. Please don't miss my previous post; I'll wait for feedback on them.
