Infected with Reader_S.exe and possibly others mkII


This topic is locked
2 replies to this topic

#1 Senti

Posted 18 December 2009 - 12:48 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:36 PM, on 12/11/2009
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Virtual CD v9\System\vc9play.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Virtual CD v9\System\VC9Tray.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Warcraft III\Warcraft-Version-Switcher\wvs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe" -startup
O4 - HKLM\..\Run: [VC9Player] C:\Program Files\Virtual CD v9\System\VC9Play.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\RunOnce: [ÑN@] ÑN@
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
O4 - HKCU\..\Run: [ctfmon] RUNDLL32.EXE C:\Windows\TEMP\fgjk4wvb.dll,w
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O13 - Gopher Prefix:
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit (mi-raysat_3dsmax2010_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Virtual CD v9 Management Service (VC9SecS) - H+H Software GmbH - C:\Program Files\Virtual CD v9\System\VC9SecS.exe

--
End of file - 3787 bytes


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6000

11/4/2009 11:17:08 PM
mbam-log-2009-11-04 (23-17-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173431
Time elapsed: 1 hour(s), 59 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 11
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tcpsr (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\mal.db (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Unable to scan with DDS, getting errors such as the following:
13:34:06: FOPS - DeviceIoControl Error!  Error Code = 0xc0000024 Extended Info (0x000000d0)
13:34:06: DeviceIoControl Error!  Error Code = 0x1e7
13:34:06: FOPS - DeviceIoControl Error!  Error Code = 0xc0000024 Extended Info (0x000000d0)
13:34:21: DeviceIoControl Error!  Error Code = 0x0
13:34:21: DeviceIoControl Error!  Error Code = 0x0
13:34:21: DeviceIoControl Error!  Error Code = 0x0
13:34:21: DeviceIoControl Error!  Error Code = 0x0
13:34:21: DeviceIoControl Error!  Error Code = 0x0
13:34:21: DeviceIoControl Error!  Error Code = 0x0

Malwarebytes' Anti-Malware does detect and remove these threats, but only after they hit me, and when they hit me they change my computer's license code, making it impossible to use almost all basic Windows programs such as Windows Update, etc., forcing me to perform a system restore, only to have it work for a few days and then happen again. I've done 5 reformats/reinstalls, yet every time I get hit with this again and again. If anyone could help me out, I would greatly appreciate it.
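The O4 autostart entries in the HijackThis log above are what a responder triages first. As an added example that is not part of the original post and not HijackThis code, the following Python script parses O4 lines and flags the patterns visible in this log: DLLs run through rundll32 from C:\Windows\TEMP with a one-letter export, a value named ctfmon that does not actually run ctfmon.exe, a RunOnce value whose name and data are garbage, and the same loader planted under the SYSTEM and .DEFAULT hives. The heuristics and function names are my own assumptions; the sample lines are copied from the log.

```python
"""Flag suspicious autostart (O4) entries in a HijackThis log.

Added example for this thread; it is not HijackThis code or a tool the helpers
used. The heuristics are my assumptions about what a responder checks first:
code loaded from a temp directory, rundll32 called with a one- or two-letter
export, value names that mimic Windows components, and values with no path at all.
"""
import re

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+|\\\.DEFAULT)?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
TEMP_RE = re.compile(r"\\(?:windows\\)?temp\\|%temp%|\\appdata\\local\\temp\\", re.I)
# Names malware borrows so that the entry looks like a Windows component.
SYSTEM_NAMES = {"ctfmon", "userinit", "explorer", "svchost", "winlogon", "smss", "csrss", "lsass"}


def parse_o4(line: str):
    """Return hive/key/name/cmd/user for one O4 line, or None if the line is not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def reasons_for(entry: dict) -> list:
    """Heuristics that make an autostart entry worth a closer look (assumed thresholds)."""
    name, cmd = entry["name"], entry["cmd"]
    reasons = []
    if TEMP_RE.search(cmd):
        reasons.append("loads from a temp directory")
    if re.search(r'^"?rundll32(\.exe)?\b', cmd, re.I) and re.search(r"\.dll,\w{1,2}$", cmd, re.I):
        reasons.append("rundll32 with a one- or two-letter export")
    if name.lower() in SYSTEM_NAMES and f"{name.lower()}.exe" not in cmd.lower():
        reasons.append("name mimics %s.exe but runs something else" % name.lower())
    if any(not 32 <= ord(c) < 127 for c in name):
        reasons.append("non-ASCII or control characters in value name")
    if not re.search(r"\.(exe|dll|cpl|scr|bat|cmd|vbs|js)\b", cmd, re.I):
        reasons.append("value does not name an executable or script")
    return reasons


def triage_log(text: str) -> dict:
    """Map each flagged value name to its command, the hives it lives in and the reasons."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_o4(line)
        if not entry:
            continue
        why = reasons_for(entry)
        if why:
            rec = flagged.setdefault(entry["name"], {"cmd": entry["cmd"], "hives": [], "reasons": why})
            rec["hives"].append(entry["hive"])
    return flagged


# Lines copied from the HijackThis log in the post above (constructed sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\RunOnce: [ÑN@] ÑN@
O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
O4 - HKCU\..\Run: [ctfmon] RUNDLL32.EXE C:\Windows\TEMP\fgjk4wvb.dll,w
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
"""

if __name__ == "__main__":
    for name, rec in triage_log(SAMPLE_LOG).items():
        print(name, rec["hives"], rec["cmd"], "->", "; ".join(rec["reasons"]))
```

Running this over the sample flags ter8m (in three hives), ctfmon and the ÑN@ RunOnce value, and leaves the Windows Defender, Sidebar and WindowsWelcomeCenter entries alone. Note what it does not catch: the reader_s entry points at a normally named file under System32 and passes every path heuristic, so it is only identified by Malwarebytes' signature (Trojan.FakeAlert.H in the MBAM log) or a hash lookup. The Userinit and Image File Execution Options hijacks in the MBAM log are not O4 lines at all and have to be checked directly in the registry.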

Hi Senti,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Frankly, I'm not surprised you get reinfected, as there is no antivirus installed on your computer.

I also see some sign of "Virut", a file infector. If that is the case, the only safe and short resolution is reformatting.

1. Click on this link--> virustotal

Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.

C:\Windows\system32\userinit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe

If the file has been analysed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

2.
"I've done 5 reformats/reinstalls yet every time I get hit with this again and again."

Please give me some feedback on how you reformat: do you reformat the whole hard drive and reinstall using the Windows installation DVD, and how long does it take to get infected after the reformat? What steps do you take after the reformat, and in what order (like updating Windows, installing antivirus, etc.)?

File userinit.exe received on 2009.12.18 17:15:01 (UTC)
Result: 27/40 (67.5%)
Antivirus 	Version 	Last Update 	Result
a-squared	4.5.0.43	2009.12.18	-
AhnLab-V3	5.0.0.2	2009.12.18	-
AntiVir	7.9.1.114	2009.12.18	W32/Virut.Gen
Antiy-AVL	2.0.3.7	2009.12.18	-
Authentium	5.2.0.5	2009.12.02	W32/Virut.AI!Generic
Avast	4.8.1351.0	2009.12.18	Win32:Vitro
AVG	8.5.0.427	2009.12.18	Win32/Virut
BitDefender	7.2	2009.12.18	Win32.Virtob.Gen.12
CAT-QuickHeal	10.00	2009.12.18	W32.Virut.G
ClamAV	0.94.1	2009.12.18	-
Comodo	3287	2009.12.18	Virus.Win32.Virut.Ce
DrWeb	5.0.0.12182	2009.12.18	Win32.Virut.56
eSafe	7.0.17.0	2009.12.16	-
eTrust-Vet	35.1.7182	2009.12.18	Win32/Virut.17408
F-Prot	4.5.1.85	2009.12.18	W32/Virut.AI!Generic
F-Secure	9.0.15370.0	2009.12.18	Win32.Virtob.Gen.12
Fortinet	4.0.14.0	2009.12.18	-
GData	19	2009.12.18	Win32.Virtob.Gen.12
Ikarus	T3.1.1.79.0	2009.12.18	-
Jiangmin	13.0.900	2009.12.18	Win32/Virut.bo
K7AntiVirus	7.10.923	2009.12.17	-
Kaspersky	7.0.0.125	2009.12.18	Virus.Win32.Virut.ce
McAfee	5835	2009.12.17	W32/Virut.n.gen
McAfee+Artemis	5835	2009.12.17	W32/Virut.n.gen
McAfee-GW-Edition	6.8.5	2009.12.18	Heuristic.LooksLike.Win32.SuspiciousPE.H
Microsoft	1.5302	2009.12.18	-
NOD32	4699	2009.12.18	Win32/Virut.NBP
Norman	6.04.03	2009.12.18	W32/Virut.FP
nProtect	2009.1.8.0	2009.12.18	-
Panda	10.0.2.2	2009.12.15	W32/Sality.AO
PCTools	7.0.3.5	2009.12.18	Malware.Virut
Prevx	3.0	2009.12.18	-
Rising	22.26.04.02	2009.12.18	Win32.Virut.cl
Sophos	4.49.0	2009.12.18	W32/Scribble-B
Sunbelt	3.2.1858.2	2009.12.18	Virus.Win32.Virut.ce (v)
Symantec	1.4.4.12	2009.12.18	W32.Virut.CF
TheHacker	6.5.0.2.097	2009.12.18	-
TrendMicro	9.100.0.1001	2009.12.18	PE_VIRUX.J
ViRobot	2009.12.18.2097	2009.12.18	Win32.Virut.AM
VirusBuster	5.0.21.0	2009.12.17	-
Additional information
File size: 44544 bytes
MD5...: 0789ffea675c4acc6dc3d87adc4c25e0
SHA1..: ed03f2cdec7a8dc9cf8ce592a7f6f4bd822a39df
SHA256: 37bc9f872d3fb725da639e5bc80926a89106a9d1744e64dfa623d31462bd339c
ssdeep: 768:XNdFCZEK7vUXTckvcTspceo59TBXKye8RMb+nSqIOXCY/E:Xj0ZEK7vOTDvKspcF9NXte8G9QE
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xcd59
timedatestamp.....: 0x9a85fcedL (invalid)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x492d 0x4a00 6.09 3d6c05129a856699c1a18e8ba63359d5
.data 0x6000 0x498 0x600 0.70 0ec875a7fb9e20270c4d4fba1970e380
.rsrc 0x7000 0x778 0x800 4.04 07234d248b662291f662afb14bd879ac
.reloc 0x8000 0x5400 0x5200 7.94 8faf510f66b414266087128c1f72fe21

( 9 imports )
> USER32.dll: GetSystemMetrics, SystemParametersInfoW, MessageBoxW, LoadStringW, LoadRemoteFonts, CreateWindowExW, ExitWindowsEx, GetKeyboardLayout, CharNextW, DefWindowProcW, RegisterClassExW, DestroyWindow
> ADVAPI32.dll: RegOpenKeyExA, RegQueryValueExA, RegQueryInfoKeyW, RegDeleteTreeW, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey
> CRYPT32.dll: CryptProtectData
> ntdll.dll: RtlInitUnicodeString, NtOpenKey, NtClose, DbgPrint
> NETAPI32.dll: NetApiBufferFree, DsGetDcNameW
> WLDAP32.dll: -, -, -, -, -, -
> USERENV.dll: -
> KERNEL32.dll: GetStartupInfoA, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, InterlockedExchange, DelayLoadFailureHook, ExpandEnvironmentStringsA, LoadLibraryA, InterlockedCompareExchange, HeapSetInformation, GetCurrentThread, SetThreadPriority, CreateThread, SetCurrentDirectoryW, FormatMessageW, GetCurrentProcess, GetFileAttributesExW, GetSystemDirectoryW, SetLastError, ExpandEnvironmentStringsW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, SearchPathW, SetEnvironmentVariableW, GetLastError, CloseHandle, WaitForSingleObject, Sleep, OpenEventW, SetEvent, GetUserDefaultLangID
> msvcrt.dll: exit, _acmdln, _initterm, memmove, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, _ismbblead, _terminate@@YAXXZ, _except_handler4_common, _controlfp, _XcptFilter, _vsnwprintf, _exit, _cexit, __getmainargs, _wcsicmp, __set_app_type, memset, _amsg_exit

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Userinit Logon Application
original name: USERINIT.EXE
internal name: userinit
file version.: 6.0.6000.16386 (vista_rtm.061101-2205)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

File services.exe received on 2009.12.18 17:20:04 (UTC)
Result: 0/41 (0%)
Antivirus 	Version 	Last Update 	Result
a-squared	4.5.0.43	2009.12.18	-
AhnLab-V3	5.0.0.2	2009.12.18	-
AntiVir	7.9.1.114	2009.12.18	-
Antiy-AVL	2.0.3.7	2009.12.18	-
Authentium	5.2.0.5	2009.12.02	-
Avast	4.8.1351.0	2009.12.18	-
AVG	8.5.0.427	2009.12.18	-
BitDefender	7.2	2009.12.18	-
CAT-QuickHeal	10.00	2009.12.18	-
ClamAV	0.94.1	2009.12.18	-
Comodo	3287	2009.12.18	-
DrWeb	5.0.0.12182	2009.12.18	-
eSafe	7.0.17.0	2009.12.16	-
eTrust-Vet	35.1.7182	2009.12.18	-
F-Prot	4.5.1.85	2009.12.18	-
F-Secure	9.0.15370.0	2009.12.18	-
Fortinet	4.0.14.0	2009.12.18	-
GData	19	2009.12.18	-
Ikarus	T3.1.1.79.0	2009.12.18	-
Jiangmin	13.0.900	2009.12.18	-
K7AntiVirus	7.10.923	2009.12.17	-
Kaspersky	7.0.0.125	2009.12.18	-
McAfee	5835	2009.12.17	-
McAfee+Artemis	5835	2009.12.17	-
McAfee-GW-Edition	6.8.5	2009.12.18	-
Microsoft	1.5302	2009.12.18	-
NOD32	4699	2009.12.18	-
Norman	6.04.03	2009.12.18	-
nProtect	2009.1.8.0	2009.12.18	-
Panda	10.0.2.2	2009.12.15	-
PCTools	7.0.3.5	2009.12.18	-
Prevx	3.0	2009.12.18	-
Rising	22.26.04.02	2009.12.18	-
Sophos	4.49.0	2009.12.18	-
Sunbelt	3.2.1858.2	2009.12.18	-
Symantec	1.4.4.12	2009.12.18	-
TheHacker	6.5.0.2.097	2009.12.18	-
TrendMicro	9.100.0.1001	2009.12.18	-
VBA32	3.12.12.0	2009.12.18	-
ViRobot	2009.12.18.2097	2009.12.18	-
VirusBuster	5.0.21.0	2009.12.18	-
Additional information
File size: 279552 bytes
MD5...: 329cf3c97ce4c19375c8abcabae258b0
SHA1..: 33e6d6e00de7c2d77da48d13cd7ddc98f2bfadb4
SHA256: 193a99eb3151c8c99b05a1ba4a69c39cc95e776cf1d39d7e318254383a4c9c0d
ssdeep: 6144:a3Tm7dPJmQyrngsCBzADmB3U21Insf8GzZ:Cm7dArn9CCCZU21InM8GzZ
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x12a77
timedatestamp.....: 0x4549add1 (Thu Nov 02 08:35:29 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3a699 0x3a800 6.35 ae0ead51f45c74360138656b214e8e13
.data 0x3c000 0x1154 0x1200 1.77 5e0ea0131ca51787b3f684eca43483b6
.rsrc 0x3e000 0x47f0 0x4800 3.88 253b4d5a16208f24347dd6da11a094cf
.reloc 0x43000 0x3d20 0x3e00 6.80 e4b9a020c2f39c607a7b3e993e8486f0

( 9 imports )
> ADVAPI32.dll: TraceMessage, GetTokenInformation, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, ConvertSidToStringSidW, RevertToSelf, CreateProcessAsUserW, ImpersonateLoggedOnUser, InitiateSystemShutdownExW, OpenThreadToken, LsaClose, LsaFreeMemory, LsaLookupSids, LsaOpenPolicy, OpenProcessToken, EqualSid, AdjustTokenPrivileges, SetSecurityDescriptorDacl, AddAce, InitializeAcl, CopySid, GetLengthSid, GetSecurityDescriptorDacl, RegGetKeySecurity, RegSetKeySecurity, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, RegLoadMUIStringW, LsaManageSidNameMapping, LookupPrivilegeValueW, RegNotifyChangeKeyValue, LsaQueryInformationPolicy, SetTokenInformation, AddAccessAllowedAce, LsaEnumeratePrivileges, LsaLookupNames, FreeSid, AllocateAndInitializeSid, AllocateLocallyUniqueId, SetKernelObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSecurityDescriptorToStringSecurityDescriptorW, GetKernelObjectSecurity, LsaStorePrivateData, EventWrite, EventRegister, RegOpenKeyW, SystemFunction005, SystemFunction029, StartServiceCtrlDispatcherW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, ControlTraceW, EnableTrace, StartTraceW, CheckTokenMembership, LogonUserExExW
> KERNEL32.dll: InterlockedCompareExchange64, CreateNamedPipeW, ReadFile, CancelIo, GetOverlappedResult, WaitForMultipleObjects, HeapAlloc, FreeLibrary, GetProcAddress, LoadLibraryW, GetModuleHandleW, TransactNamedPipe, WriteFile, GetTickCount, DuplicateHandle, GetCurrentProcess, GetSystemTimeAsFileTime, CreateEventW, SetEvent, GetCurrentThread, ResetEvent, DeviceIoControl, CreateFileW, GetProcessId, ResumeThread, GetCurrentProcessId, GetDriveTypeW, OpenEventW, GetComputerNameW, CompareStringW, SetThreadPriority, ExitThread, SetProcessShutdownParameters, SetConsoleCtrlHandler, HeapSetInformation, SetErrorMode, SetUnhandledExceptionFilter, GetProcessTimes, OpenProcess, InterlockedCompareExchange, LoadLibraryA, HeapCreate, WaitForSingleObject, TerminateProcess, HeapFree, InitializeCriticalSection, CreateThread, ExpandEnvironmentStringsW, CreateProcessW, GetLastError, CloseHandle, SetLastError, EnterCriticalSection, LeaveCriticalSection, Sleep, LocalFree, LocalAlloc, GetEnvironmentVariableW, CreateDirectoryW, FindFirstFileW, FindClose, lstrlenW, FindNextFileW, MoveFileExW, GetVersionExW, GetSystemTime, GetExitCodeThread, UnhandledExceptionFilter, GetCurrentThreadId, QueryPerformanceCounter, GetModuleHandleA, InterlockedExchange, DelayLoadFailureHook, ConnectNamedPipe
> USER32.dll: BroadcastSystemMessageW, LoadStringW, RegisterServicesProcess
> msvcrt.dll: _wcsnicmp, _itow, _vsnwprintf, wcsrchr, _wcslwr, time, memmove, wcschr, __getmainargs, _cexit, _exit, _ultow, exit, _initterm, memset, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler4_common, _terminate@@YAXXZ, _controlfp, wcsncmp, _wtol, wcscspn, _ltow, wcsstr, wcstoul, memcpy, _amsg_exit, _wcsicmp, _XcptFilter
> RPCRT4.dll: NdrServerCall2, I_RpcSessionStrictContextHandle, I_RpcBindingIsClientLocal, I_RpcBindingInqLocalClientPID, RpcRevertToSelf, RpcImpersonateClient, RpcServerInqBindingHandle, I_RpcMapWin32Status, RpcServerInqCallAttributesW, RpcBindingVectorFree, RpcServerRegisterAuthInfoW, NdrAsyncServerCall, RpcEpRegisterW, RpcStringFreeW, RpcStringBindingParseW, RpcBindingToStringBindingW, RpcServerInqBindings, RpcServerUseProtseqW, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, UuidEqual, RpcServerUnsubscribeForNotification, RpcAsyncAbortCall, RpcAsyncCompleteCall, RpcServerSubscribeForNotification, RpcServerInqDefaultPrincNameW, UuidCreateNil, RpcServerUnregisterIf, RpcMgmtWaitServerListen, RpcMgmtStopServerListening, RpcServerUnregisterIfEx, RpcServerRegisterIf, RpcServerListen, UuidCreate, RpcBindingFree, I_RpcExceptionFilter, UuidFromStringW, RpcSsGetContextBinding, RpcServerInqCallAttributesA, RpcBindingServerFromClient, NdrAsyncClientCall, RpcAsyncInitializeHandle, NdrClientCall2, RpcStringBindingComposeW, RpcBindingFromStringBindingW, RpcEpResolveBinding
> ntdll.dll: NtQueryInformationToken, RtlSetSecurityObject, RtlValidRelativeSecurityDescriptor, RtlMapGenericMask, RtlCopyUnicodeString, NtFilterToken, NtSetInformationFile, NtQueryInformationFile, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, NtWaitForSingleObject, NtQueryDirectoryFile, NtDeleteFile, RtlFreeHeap, RtlUnhandledExceptionFilter, NtSetEvent, NtSetInformationProcess, NtOpenProcessToken, RtlSetProcessIsCritical, NtOpenThread, NtQueueApcThread, RtlInitializeCriticalSection, NtDuplicateToken, NtAdjustPrivilegesToken, NtSetInformationThread, NtAccessCheckAndAuditAlarm, NtAccessCheck, NtOpenThreadToken, NtPrivilegeCheck, NtPrivilegeObjectAuditAlarm, WinSqmAddToStream, RtlSetEnvironmentVariable, RtlLengthSecurityDescriptor, RtlValidSecurityDescriptor, RtlSetControlSecurityDescriptor, NtDeleteKey, NtOpenKey, NtEnumerateKey, NtDeleteValueKey, NtSetValueKey, NtQueryValueKey, NtCreateKey, RtlCreateAcl, RtlAddAccessAllowedAce, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlConvertSharedToExclusive, RtlConvertExclusiveToShared, RtlRegisterWait, RtlCreateServiceSid, RtlGetNtProductType, RtlEqualUnicodeString, RtlLengthSid, RtlCopySid, NtLoadDriver, NtOpenDirectoryObject, NtQueryDirectoryObject, RtlCompareUnicodeString, NtUnloadDriver, RtlAdjustPrivilege, RtlExpandEnvironmentStrings_U, NtFlushKey, NtOpenFile, RtlDosPathNameToNtPathName_U, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, RtlFreeUnicodeString, NtDeleteObjectAuditAlarm, RtlAreAllAccessesGranted, NtCloseObjectAuditAlarm, RtlDeregisterWait, RtlQueueWorkItem, RtlCopyLuid, RtlDeleteSecurityObject, RtlReleaseResource, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlInitializeResource, NtInitializeRegistry, NtQueryKey, NtClose, RtlInitUnicodeString, NtSetSystemEnvironmentValue, RtlNtStatusToDosErrorNoTeb, RtlInitializeSid, RtlAllocateHeap, RtlLengthRequiredSid, RtlSubAuthoritySid, RtlSubAuthorityCountSid, RtlSetSaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlAddAce, RtlNewSecurityObject, RtlAnsiStringToUnicodeString, RtlInitAnsiString, RtlUnicodeStringToAnsiString, RtlUnicodeStringToInteger, RtlNtStatusToDosError, NtShutdownSystem, RtlQuerySecurityObject
> USERENV.dll: UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW, DestroyEnvironmentBlock
> SCESRV.dll: ScesrvTerminateServer, ScesrvInitializeServer
> NCObjAPI.DLL: WmiCreateObjectWithFormat, WmiEventSourceConnect, WmiSetAndCommitObject

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Services and Controller app
original name: services.exe
internal name: services.exe
file version.: 6.0.6000.16386 (vista_rtm.061101-2205)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

File winlogon.exe received on 2009.12.18 17:33:48 (UTC)
Result: 0/41 (0%)
Antivirus 	Version 	Last Update 	Result
a-squared	4.5.0.43	2009.12.18	-
AhnLab-V3	5.0.0.2	2009.12.18	-
AntiVir	7.9.1.114	2009.12.18	-
Antiy-AVL	2.0.3.7	2009.12.18	-
Authentium	5.2.0.5	2009.12.02	-
Avast	4.8.1351.0	2009.12.18	-
AVG	8.5.0.427	2009.12.18	-
BitDefender	7.2	2009.12.18	-
CAT-QuickHeal	10.00	2009.12.18	-
ClamAV	0.94.1	2009.12.18	-
Comodo	3287	2009.12.18	-
DrWeb	5.0.0.12182	2009.12.18	-
eSafe	7.0.17.0	2009.12.16	-
eTrust-Vet	35.1.7182	2009.12.18	-
F-Prot	4.5.1.85	2009.12.18	-
F-Secure	9.0.15370.0	2009.12.18	-
Fortinet	4.0.14.0	2009.12.18	-
GData	19	2009.12.18	-
Ikarus	T3.1.1.79.0	2009.12.18	-
Jiangmin	13.0.900	2009.12.18	-
K7AntiVirus	7.10.923	2009.12.17	-
Kaspersky	7.0.0.125	2009.12.18	-
McAfee	5835	2009.12.17	-
McAfee+Artemis	5835	2009.12.17	-
McAfee-GW-Edition	6.8.5	2009.12.18	-
Microsoft	1.5302	2009.12.18	-
NOD32	4699	2009.12.18	-
Norman	6.04.03	2009.12.18	-
nProtect	2009.1.8.0	2009.12.18	-
Panda	10.0.2.2	2009.12.15	-
PCTools	7.0.3.5	2009.12.18	-
Prevx	3.0	2009.12.18	-
Rising	22.26.04.02	2009.12.18	-
Sophos	4.49.0	2009.12.18	-
Sunbelt	3.2.1858.2	2009.12.18	-
Symantec	1.4.4.12	2009.12.18	-
TheHacker	6.5.0.2.098	2009.12.18	-
TrendMicro	9.100.0.1001	2009.12.18	-
VBA32	3.12.12.0	2009.12.18	-
ViRobot	2009.12.18.2097	2009.12.18	-
VirusBuster	5.0.21.0	2009.12.18	-
Additional information
File size: 308224 bytes
MD5...: 9f75392b9128a91abafb044ea350baad
SHA1..: 53919f23c338fa6bcd05a41544f674a81fdac92e
SHA256: 3c35607c86b9bd4e234359a5a2eac6428ad02752cecf65608951e62843e657f4
ssdeep: 6144:wLDvjf4GZMzjE75C94605yJ4WYyTQLrr:w/vU6rFd60EmLxr
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x257e2
timedatestamp.....: 0x4549aff7 (Thu Nov 02 08:44:39 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3fc06 0x3fe00 6.41 9fe2f2978d4e8fc9b5542b10e5094ff9
.data 0x41000 0x2c38 0x2200 3.05 2eba47227329379bf20a53420b3871c8
.rsrc 0x44000 0x4ac0 0x4c00 3.71 55406d7f680d1346da31eccdb02494a5
.reloc 0x49000 0x426c 0x4400 6.47 0c834f07d82b2be8968528b6fa3c97d3

( 10 imports )
> ADVAPI32.dll: TraceMessage, EventWrite, EventEnabled, InitiateShutdownW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, QueryTraceW, EnableTrace, ControlTraceW, StartTraceW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegDeleteValueW, EventRegister, EventUnregister, EventWriteEndScenario, EventWriteStartScenario, EventActivityIdControl, RegEnumValueW, RegQueryInfoKeyW, RegSetValueExW, RegOpenKeyW, GetTokenInformation, OpenProcessToken, ConvertStringSidToSidW, LsaFreeMemory, LsaGetUserName, RevertToSelf, ImpersonateLoggedOnUser, CloseEventLog, GetEventLogInformation, OpenEventLogW, RegisterEventSourceW, DeregisterEventSource, LsaNtStatusToWinError, RegCreateKeyExW, CheckTokenMembership, DuplicateTokenEx, ConvertSidToStringSidW, CreateProcessAsUserW, AllocateLocallyUniqueId, ReportEventW, LogonUserW, RegSetKeySecurity, RegDeleteKeyW, RegGetValueA, EqualSid, CredFree, NotifyServiceStatusChangeW, NotifyBootConfigStatus, CreateWellKnownSid, LookupAccountSidW, RegDeleteTreeW, OpenSCManagerW, RegEnumKeyExW, CloseServiceHandle, OpenServiceW, QueryServiceConfigW, QueryServiceStatus, MD5Init, MD5Update, MD5Final, CredReadByTokenHandle
> KERNEL32.dll: CloseHandle, SetEvent, CreateEventW, LocalReAlloc, LocalSize, MoveFileExW, Sleep, UnregisterWaitEx, InterlockedExchange, WaitForSingleObjectEx, HeapSetInformation, GetCurrentProcessId, VirtualAlloc, ExpandEnvironmentStringsW, lstrlenW, GetShortPathNameW, CompareStringW, SetEnvironmentVariableW, FreeLibrary, GetProcAddress, LoadLibraryW, GetProcessHeap, GetExitCodeProcess, UnregisterWait, OpenProcess, RegisterWaitForSingleObject, QueryInformationJobObject, DuplicateHandle, GetSystemTimeAsFileTime, InterlockedDecrement, InterlockedIncrement, GetComputerNameW, InterlockedCompareExchange, ResetEvent, TerminateJobObject, GetCommandLineW, CreateJobObjectW, VirtualFree, VirtualUnlock, SetProcessWorkingSetSize, GetProcessWorkingSetSize, VirtualLock, GetDateFormatW, GetTimeFormatW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ResumeThread, CompareFileTime, GetTickCount, TerminateProcess, AssignProcessToJobObject, SearchPathW, CreateProcessW, DeleteTimerQueueTimer, CreateTimerQueueTimer, OpenEventW, GetProcessId, GetModuleHandleW, ReadFile, CreateFileW, SetErrorMode, CreateThread, WaitForMultipleObjects, SetInformationJobObject, GetSystemDirectoryW, LoadLibraryA, GetModuleFileNameW, LocalAlloc, LocalFree, SetLastError, FormatMessageW, FindResourceExW, LoadResource, WaitForSingleObject, LockResource, GetCurrentProcess, SetPriorityClass, GetCurrentThread, SetThreadPriority, HeapSize, HeapFree, HeapAlloc, GetLastError, HeapCreate, HeapDestroy, MultiByteToWideChar, GetSystemInfo, lstrcmpW, SleepEx, GetFileAttributesW, SetTimerQueueTimer, CreateRemoteThread, GetThreadUILanguage, GetVersionExW, WideCharToMultiByte, DebugBreak, UnhandledExceptionFilter, GetCurrentThreadId, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, GetStartupInfoA, DelayLoadFailureHook, CreateProcessInternalW, BaseInitAppcompatCacheSupport
> USER32.dll: SetForegroundWindow, SetWindowPos, GetDesktopWindow, GetParent, GetDlgItemTextW, DialogBoxParamW, ShowWindow, RealGetWindowClassW, EnumWindows, SwitchDesktopWithFade, LoadLocalFonts, RegisterLogonProcess, FindWindowW, UpdatePerUserSystemParameters, GetLastInputInfo, UnlockWindowStation, LockWindowStation, LoadImageW, GetDlgItem, SendMessageW, LoadStringW, GetWindowRect, GetWindowLongW, SetThreadDesktop, SwitchDesktop, SetUserObjectSecurity, CloseWindowStation, SetProcessWindowStation, CreateWindowStationW, EndDialog, GetKeyState, SystemParametersInfoW, CreateDesktopW, CancelShutdown, GetSystemMetrics, GetAsyncKeyState, ExitWindowsEx, MessageBoxW, OpenInputDesktop, GetUserObjectInformationW, SetWindowStationUser, CloseDesktop
> msvcrt.dll: _ultow_s, swprintf_s, _wcsnicmp, wcscat_s, wcscpy_s, _wcslwr, swscanf, ___V@YAXPAX@Z, ___U@YAPAXI@Z, wcsnlen, strncmp, _wcsupr, iswalpha, iswalnum, wcstoul, _controlfp, _terminate@@YAXXZ, _except_handler4_common, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, _acmdln, exit, _ismbblead, _XcptFilter, _exit, _cexit, __getmainargs, _wtoi, _ultow, __3@YAXPAX@Z, wcstok, iswspace, wcschr, _wcsicmp, memmove, _vsnwprintf, memset, memcpy, __2@YAPAXI@Z, wcsncmp, _snwscanf_s, printf, wcsstr, __isascii, isupper, _tolower
> ntdll.dll: NtShutdownSystem, RtlNtStatusToDosError, NtClose, NtQueryInformationToken, NtOpenProcessToken, WinSqmStartSession, WinSqmEndSession, RtlGetNtProductType, NtQuerySystemInformation, NtSystemDebugControl, DbgBreakPoint, RtlRemovePrivileges, RtlEqualSid, NtFilterToken, RtlDeleteCriticalSection, RtlFreeUnicodeString, NtInitiatePowerAction, NtOpenDirectoryObject, TpAllocTimer, TpSetTimer, RtlTimeToSecondsSince1980, RtlAllocateAndInitializeSid, RtlCreateSecurityDescriptor, RtlCreateAcl, RtlAddMandatoryAce, RtlSetSaclSecurityDescriptor, NtSetSecurityObject, RtlFreeSid, RtlOpenCurrentUser, RtlCopySid, RtlExpandEnvironmentStrings_U, TpAllocWait, TpAllocWork, TpPostWork, TpSetWait, TpWaitForWait, TpWaitForTimer, RtlGetDaclSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlAddAce, NtAdjustPrivilegesToken, NtDuplicateToken, RtlUnhandledExceptionFilter, NtQueryInformationProcess, TpReleaseTimer, NtSetInformationProcess, NtReplyPort, NtCompleteConnectPort, NtReplyWaitReceivePort, NtAcceptConnectPort, NtCreatePort, NtCreateEvent, DbgPrint, RtlFreeHeap, RtlAllocateHeap, NtOpenFile, RtlGUIDFromString, RtlStringFromGUID, NtOpenKey, NtEnumerateKey, NtQueryKey, NtQueryAttributesFile, NtUnloadKey, NtLoadKey, RtlSetOwnerSecurityDescriptor, RtlLengthSecurityDescriptor, RtlAddAccessAllowedAceEx, NtCreateKey, NtDeleteValueKey, NtQueryValueKey, NtSetValueKey, NtDeleteKey, LdrGetProcedureAddress, RtlInitAnsiString, LdrGetDllHandle, NtResetEvent, NtWaitForSingleObject, NtDeviceIoControlFile, RtlGetVersion, NtQuerySymbolicLinkObject, NtOpenSymbolicLinkObject, NtAllocateUuids, TpReleaseWait, TpWaitForWork, TpReleaseWork, TpSimpleTryPost, NtAllocateLocallyUniqueId, RtlInitString, RtlDestroyEnvironment, RtlLengthSid, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlpVerifyAndCommitUILanguageSettings, RtlAdjustPrivilege, NtCreateToken, NtSetInformationToken, RtlCreateEnvironment, RtlInitUnicodeString, RtlQueryEnvironmentVariable_U, RtlSetEnvironmentVariable, RtlInitUnicodeStringEx, RtlCompareUnicodeString, NtOpenThreadToken, RtlDuplicateUnicodeString, RtlLeaveCriticalSection
> Secur32.dll: LsaCallAuthenticationPackage, LsaFreeReturnBuffer, SeciAllocateAndSetIPAddress, SeciAllocateAndSetCallFlags, LsaLogonUser, SeciFreeCallContext, LsaRegisterLogonProcess, LsaLookupAuthenticationPackage, LsaGetLogonSessionData, ChangeAccountPasswordW, GetUserNameExW
> WINSTA.dll: WinStationFreeUserCredentials, WinStationGetUserCredentials, WinStationRedirectErrorMessage, WinStationDisconnect, _WinStationWaitForConnect, WinStationIsSessionPermitted, WinStationQueryInformationW, WinStationFreeMemory, WinStationReportUIResult, WinStationNegotiateSession
> RPCRT4.dll: RpcServerUnsubscribeForNotification, RpcServerSubscribeForNotification, I_RpcBindingIsClientLocal, RpcServerUnregisterIf, RpcBindingVectorFree, RpcEpUnregister, RpcServerListen, RpcEpRegisterW, RpcServerRegisterIfEx, RpcServerUseProtseqW, NdrServerCall2, NdrAsyncServerCall, RpcRaiseException, RpcServerInqCallAttributesW, RpcServerTestCancel, NdrAsyncClientCall, RpcAsyncInitializeHandle, RpcAsyncCancelCall, RpcMgmtIsServerListening, RpcStringFreeW, RpcStringBindingComposeW, RpcBindingFromStringBindingW, RpcBindingSetAuthInfoExW, UuidFromStringW, NdrClientCall2, RpcBindingCreateW, RpcBindingBind, RpcBindingUnbind, RpcBindingFree, I_RpcExceptionFilter, RpcAsyncAbortCall, RpcAsyncCompleteCall, I_RpcMapWin32Status, I_RpcBindingInqLocalClientPID, RpcImpersonateClient, RpcRevertToSelf, RpcServerUseProtseqEpW, RpcServerInqBindings
> PSAPI.DLL: EnumProcessModules, GetModuleBaseNameW
> USERENV.dll: GetUserProfileDirectoryW, GetAllUsersProfileDirectoryW, -, -

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Logon Application
original name: WINLOGON.EXE
internal name: winlogon
file version.: 6.0.6000.16386 (vista_rtm.061101-2205)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
File svchost.exe received on 2009.12.18 17:41:04 (UTC)
Result: 0/41 (0%)
Antivirus 	Version 	Last Update 	Result
a-squared	4.5.0.43	2009.12.18	-
AhnLab-V3	5.0.0.2	2009.12.18	-
AntiVir	7.9.1.114	2009.12.18	-
Antiy-AVL	2.0.3.7	2009.12.18	-
Authentium	5.2.0.5	2009.12.02	-
Avast	4.8.1351.0	2009.12.18	-
AVG	8.5.0.427	2009.12.18	-
BitDefender	7.2	2009.12.18	-
CAT-QuickHeal	10.00	2009.12.18	-
ClamAV	0.94.1	2009.12.18	-
Comodo	3287	2009.12.18	-
DrWeb	5.0.0.12182	2009.12.18	-
eSafe	7.0.17.0	2009.12.16	-
eTrust-Vet	35.1.7182	2009.12.18	-
F-Prot	4.5.1.85	2009.12.18	-
F-Secure	9.0.15370.0	2009.12.18	-
Fortinet	4.0.14.0	2009.12.18	-
GData	19	2009.12.18	-
Ikarus	T3.1.1.79.0	2009.12.18	-
Jiangmin	13.0.900	2009.12.18	-
K7AntiVirus	7.10.923	2009.12.17	-
Kaspersky	7.0.0.125	2009.12.18	-
McAfee	5835	2009.12.17	-
McAfee+Artemis	5835	2009.12.17	-
McAfee-GW-Edition	6.8.5	2009.12.18	-
Microsoft	1.5302	2009.12.18	-
NOD32	4699	2009.12.18	-
Norman	6.04.03	2009.12.18	-
nProtect	2009.1.8.0	2009.12.18	-
Panda	10.0.2.2	2009.12.15	-
PCTools	7.0.3.5	2009.12.18	-
Prevx	3.0	2009.12.18	-
Rising	22.26.04.02	2009.12.18	-
Sophos	4.49.0	2009.12.18	-
Sunbelt	3.2.1858.2	2009.12.18	-
Symantec	1.4.4.12	2009.12.18	-
TheHacker	6.5.0.2.098	2009.12.18	-
TrendMicro	9.100.0.1001	2009.12.18	-
VBA32	3.12.12.0	2009.12.18	-
ViRobot	2009.12.18.2097	2009.12.18	-
VirusBuster	5.0.21.0	2009.12.18	-
Additional information
File size: 22016 bytes
MD5...: 10da15933d582d2fedcf705efe394b09
SHA1..: 00beb64af60255d5eb76b2edbd30b46de681da32
SHA256: 9b1619ac80379456c6d51780409e3c418dd5aa38d0a62b7f47dcd6fc3a947926
ssdeep: 384:Yz/3Bn2LShtVMZvFsvRRVL58rXId3bi9luJ1I2GgzyW9yCBbWYG+o:y34LSX2ZtsvRFGouq1IqfBn
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x20bf
timedatestamp.....: 0x4549adc4 (Thu Nov 02 08:35:16 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3a80 0x3c00 6.22 21471d844ce211f5f40c084c3ab67645
.data 0x5000 0x5f0 0x600 0.82 dea90489b2dcadccde0a28b407e85510
.rsrc 0x6000 0x818 0xa00 3.74 ea687881916c825c6e630832222325a0
.reloc 0x7000 0x404 0x600 5.25 73b2f62822a04c23026b8c70653b8969

( 5 imports )
> KERNEL32.dll: ExpandEnvironmentStringsW, CreateActCtxW, ReleaseActCtx, LCMapStringW, lstrlenW, lstrcmpiW, DelayLoadFailureHook, InterlockedExchange, HeapSetInformation, SetUnhandledExceptionFilter, GetModuleHandleA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RegisterWaitForSingleObject, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, HeapAlloc, HeapFree, WideCharToMultiByte, LocalFree, CloseHandle, LocalAlloc, LoadLibraryA, InterlockedCompareExchange, FreeLibrary, Sleep, GetProcAddress, DeactivateActCtx, LoadLibraryExW, GetLastError, ActivateActCtx, LeaveCriticalSection, lstrcmpW, EnterCriticalSection
> msvcrt.dll: __p__commode, _adjust_fdiv, __setusermatherr, _amsg_exit, _initterm, exit, __p__fmode, _exit, memcpy, memset, __set_app_type, _terminate@@YAXXZ, _except_handler4_common, _controlfp, _cexit, __wgetmainargs, _XcptFilter
> ADVAPI32.dll: GetTokenInformation, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetEntriesInAclW, SetSecurityDescriptorDacl, StartServiceCtrlDispatcherW, RegDisablePredefinedCacheEx, EventRegister, EventEnabled, EventWrite, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegisterServiceCtrlHandlerW, SetServiceStatus, OpenProcessToken
> ntdll.dll: RtlSubAuthoritySid, RtlFreeHeap, RtlCopySid, RtlSubAuthorityCountSid, RtlLengthRequiredSid, RtlAllocateHeap, RtlInitializeSid, RtlImageNtHeader, RtlSetProcessIsCritical, RtlUnhandledExceptionFilter, RtlInitializeCriticalSection
> RPCRT4.dll: RpcServerListen, RpcServerUnregisterIf, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcMgmtStopServerListening, RpcServerUnregisterIfEx, RpcServerRegisterIf, RpcServerUseProtseqEpW, I_RpcMapWin32Status

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Host Process for Windows Services
original name: svchost.exe
internal name: svchost.exe
file version.: 6.0.6000.16386 (vista_rtm.061101-2205)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

P.S. Sorry if I don't respond right away; with the computer troubles and other problems I don't always have time to get online to check the status. And yes, I do have an anti-virus. I have it installed on a read-only flash drive that I only update from known clean computers, to ensure that the anti-virus doesn't get corrupted itself. I use AVG.
P.P.S. And the reformat/reinstall was a complete reformatting of the hard drive: deleting the partitions after the format, repartitioning, and reinstalling Windows from the OEM disc that came with the computer.

Edited by Senti, 18 December 2009 - 01:21 PM.


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:27 AM

Posted 30 December 2009 - 12:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:27 AM

Posted 05 January 2010 - 03:03 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.