Suspected Trojan/Malware


  • This topic is locked
27 replies to this topic

#1 totaldecodes

totaldecodes

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:09 AM

Posted 17 May 2010 - 06:05 AM

I have provided the dds and gmer logs for this machine.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff Haley at 10:54:43.56 on Mon 17/05/2010
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_13
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.382.4 [GMT 1:00]


============== Running Processes ===============

C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINNT\system32\locator.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeff Haley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1FD79A59-37B1-459B-9097-09F9FAB8A523} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\jeffha~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\monito~1.lnk - c:\program files\apache group\apache2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &NeoTrace It! - c:\progra~1\neotra~1\NTXcontext.htm
IE: &Search - ?p=ZUfox000
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237473326688
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeffha~1\applic~1\mozilla\firefox\profiles\gxgktbuk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-12-13 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2008-7-23 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2008-3-25 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-12-28 242896]
R1 vsdatant;vsdatant;c:\winnt\system32\vsdatant.sys [2007-4-6 394952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 vsmon;TrueVector Internet Monitor;c:\winnt\system32\zonelabs\vsmon.exe -service --> c:\winnt\system32\zonelabs\vsmon.exe -service [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\winnt\system32\drivers\libusb0.sys [2010-3-31 28160]
S2 VPCAppSv;Virtual PC Application Services;c:\winnt\system32\drivers\vpcappsv.sys [2001-9-30 9216]
S3 lsermous;Logitech Serial Mouse Driver;c:\winnt\system32\drivers\lsermous.sys [2006-2-17 55120]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [2007-11-6 34064]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2003-7-14 24784]
S3 S3Inc;S3Inc;c:\winnt\system32\drivers\s3mini.sys [2006-12-31 177344]
S3 SiS630;SiS630;c:\winnt\system32\drivers\sis630p.sys [2007-3-16 161747]
S3 SISNIC2K;SiS PCI Fast Ethernet Adapter Driver for NDIS5;c:\winnt\system32\drivers\sisnic2k.sys [2006-2-14 32768]
S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [2009-4-10 9038]

=============== Created Last 30 ================

2016-04-12 06:11:16 94208 -c--a-w- c:\winnt\system32\dllcache\fpencode.dll
2016-04-12 05:43:30 1167584 ----a-r- c:\winnt\SET56.tmp
2016-04-12 05:43:26 13785 ----a-r- c:\winnt\SET2E.tmp
2016-04-12 04:39:21 65832 ----a-w- c:\winnt\Santa Fe Stucco.bmp
2016-04-12 04:39:21 17336 ----a-w- c:\winnt\Gone Fishing.bmp
2016-04-12 04:39:21 1272 ----a-w- c:\winnt\Blue Lace 16.bmp
2016-04-12 04:28:44 1167584 ----a-r- c:\winnt\SET55.tmp
2016-04-12 04:28:40 13785 ----a-r- c:\winnt\SET2D.tmp
2010-05-17 09:54:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4ec.dat
2010-05-17 07:24:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_27c.dat
2010-05-16 04:17:13 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_28c.dat
2010-05-13 08:01:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_284.dat
2010-05-12 18:34:21 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e8.dat
2010-05-11 22:06:50 742338 ---h--w- c:\winnt\ShellIconCache
2010-05-11 09:27:18 0 d-----w- C:\Process Explorer
2010-04-26 16:45:20 447 ----a-w- c:\temp\RADIONAMES.zip
2010-04-25 11:18:08 0 d-----w- C:\BDM
2010-04-23 06:16:06 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_294.dat
2010-04-22 14:48:54 28574815 ----a-w- C:\A400RadioSetup.zip
2010-04-20 17:35:22 0 d-----w- C:\FreescaleBDM

==================== Find3M ====================

2010-05-05 21:01:56 25645347 ----a-w- C:\A400DOSSetup.zip
2010-04-21 12:17:30 242896 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2010-04-09 16:06:27 683879 ----a-w- C:\A400ECUSetup.zip
2010-04-09 10:47:18 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a0.dat
2010-04-07 02:51:39 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_290.dat
2010-03-23 15:31:34 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_278.dat
2010-03-20 11:08:02 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_288.dat
2010-03-17 14:13:58 12464 ----a-w- c:\winnt\system32\avgrsstx.dll
2010-03-13 21:18:31 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_170.dat
2010-03-10 12:43:08 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2e4.dat
2010-03-07 20:58:18 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2bc.dat
2010-03-03 15:43:18 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2b4.dat
2010-02-20 04:06:31 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_160.dat
2008-07-13 16:48:49 271 ---h--w- c:\program files\desktop.ini
2008-07-13 16:48:49 21952 ---h--w- c:\program files\folder.htt
2003-07-14 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys
2000-01-01 00:08:08 542 ----a-w- c:\program files\INSTALL.LOG

============= FINISH: 10:57:40.13 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-17 12:01:23
Windows 5.0.2195 Service Pack 4
Running: 4b8tier7.exe; Driver: C:\DOCUME~1\JEFFHA~1\LOCALS~1\Temp\ugtdypob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xBBA52040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBBA4E930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xBBA59A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xBBA52510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBBA58870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xBBA5BFD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xBBA52600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xBBA4EF20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xBBA5A6E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xBBA5A440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xBBA58580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xBBA5A8B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xBBA4ED70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBBA58350]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xBBA58150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xBBA5ACB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xBBA51C00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xBBA5B080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xBBA52220]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xBBA4F120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xBBA5A140]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xBBA58CD0]

INT 0x31 ? F82ABB44
INT 0x33 ? F8151DC4
INT 0x34 ? F8267044
INT 0x39 ? F8565B84
INT 0x3C ? F82ABDC4
INT 0x3E ? F85874A4
INT 0x3F ? F858A9E4

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{684EB4FD-48E3-561C-A54A-7FE158CA112E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{684EB4FD-48E3-561C-A54A-7FE158CA112E}@abblnmlfeioddpndjbfhkcbaaikcpiimim 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{684EB4FD-48E3-561C-A54A-7FE158CA112E}@maijinhkohfgppbfldcofhcgco 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----
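Added example, not part of this thread and not code from GMER's or DDS's authors: a small Python triage script that parses the SSDT section of a GMER report like the one above, groups the hooked services by the module that owns each hook, and flags any module that is either not on an allowlist of security products known to be installed on the box or that GMER could not describe from a version resource. The allowlist (built here from the ZoneAlarm driver listed in the DDS services section), the constructed `example_unknown.sys` line and the output format are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample input: three SSDT lines copied from the GMER log in the
# thread (all hooked by ZoneAlarm's vsdatant.sys), plus one made-up line for a
# module without a version description, so the allowlist check has something
# to flag. "example_unknown.sys" does not appear in the thread; it is a
# placeholder for this demonstration only.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBBA4E930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBBA58350]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xBBA58CD0]
SSDT \??\C:\WINNT\system32\drivers\example_unknown.sys ZwQueryDirectoryFile [0xF8123456]

INT 0x31 ? F82ABB44
"""

# Drivers expected to hook the SSDT on this particular box, taken from the DDS
# services list in the first post (ZoneAlarm's TrueVector driver). The
# allowlist is an assumption for the example; in practice it is built from the
# security products actually installed on the machine under review.
KNOWN_SECURITY_DRIVERS = {"vsdatant.sys"}

# GMER prints one SSDT entry per line: the hooking module, an optional
# "(description/vendor)" taken from the file's version resource, the hooked
# Zw* service and the hook address in square brackets.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)


def module_basename(path):
    """Return the lower-cased file name from an NT-style path such as
    \\SystemRoot\\System32\\vsdatant.sys or \\??\\C:\\...\\foo.sys."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_ssdt_hooks(text):
    """Parse every SSDT line of a GMER report into a dict; other lines
    (INT, Device, Reg, ...) are ignored."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "module": module_basename(m.group("module")),
            "path": m.group("module"),
            "desc": m.group("desc"),   # None when GMER found no version info
            "func": m.group("func"),
            "addr": int(m.group("addr"), 16),
        })
    return hooks


def summarize_by_module(hooks):
    """Map each hooking module to the sorted list of services it hooks, so a
    reviewer can see at a glance which driver owns which hooks."""
    by_module = defaultdict(set)
    for h in hooks:
        by_module[h["module"]].add(h["func"])
    return {mod: sorted(funcs) for mod, funcs in by_module.items()}


def flag_unexpected(hooks, allowlist):
    """Return hooks owned by modules outside the allowlist. A missing
    description is reported too, since GMER fills it from the file's version
    resource and legitimate security drivers normally carry one."""
    return [
        h for h in hooks
        if h["module"] not in allowlist or h["desc"] is None
    ]


if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE_GMER)
    for mod, funcs in summarize_by_module(hooks).items():
        print(f"{mod}: {', '.join(funcs)}")
    for h in flag_unexpected(hooks, KNOWN_SECURITY_DRIVERS):
        print(f"REVIEW: {h['path']} hooks {h['func']} at {h['addr']:#x}")
```

Run against the full GMER log above, every SSDT entry resolves to vsdatant.sys with a Zone Labs description, which is what a host firewall is expected to do; the script exists to make that check mechanical and to surface any hook that does not fit the installed security products.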


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:09 AM

Posted 19 May 2010 - 02:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 totaldecodes

totaldecodes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:09 AM

Posted 20 May 2010 - 03:26 AM

Ran OTL with the pasted instructions but it shut down abruptly before producing the logs. I tried it again but the same thing happened.

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:04:09 AM

Posted 20 May 2010 - 04:49 AM

Hi,

please try running ComboFix then:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#5 totaldecodes

totaldecodes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:09 AM

Posted 20 May 2010 - 07:16 AM

Interesting. Combofix deleted files that should have been clean. One was the Apache web server and the other developed in house! Also now Firefox has stopped working.

Here is the log.

ComboFix 10-05-19.02 - Jeff Haley 20/05/2010 12:26:38.1.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.382.202 [GMT 1:00]
Running from: c:\documents and settings\Jeff Haley\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeff Haley\Desktop\EnigmaAccess.exe
c:\documents and settings\Jeff Haley\Desktop\idafree49.exe
c:\documents and settings\Jeff Haley\Desktop\nvu-1.0-win32-installer-full.exe
c:\documents and settings\Jeff Haley\Desktop\OnyxSetupV2.0.15.0.exe
c:\documents and settings\Jeff Haley\Desktop\Ren ID33.exe
c:\documents and settings\Jeff Haley\Recent\MRADIO.EXE.pif
c:\documents and settings\Jeff Haley\Recent\WinZip running DOS program.pif
c:\program files\Apache Group\Apache2\bin\Apache.exe
c:\program files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
c:\program files\Common Files\Microsoft Shared\MSInfo\MSIOFF9.OCX
c:\program files\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE
c:\program files\Common Files\Microsoft Shared\MSInfo\OFFPRVPS.DLL
c:\program files\INSTALL.LOG
c:\program files\LibUSB-Win32\unins000.exe
c:\program files\Mozilla Firefox\freebl3.dll
c:\program files\Mozilla Firefox\nssdbm3.dll
c:\program files\Mozilla Firefox\Plugins\NPZoneSB.dll
c:\program files\Mozilla Firefox\softokn3.dll
c:\winnt\Crystal
c:\winnt\Crystal\U2DDISK.dll
c:\winnt\Crystal\U2DMAPI.dll
c:\winnt\Crystal\u2dnotes.dll
c:\winnt\Crystal\u2dpost.dll
c:\winnt\Crystal\u2dvim.dll
c:\winnt\Crystal\U2FCR.dll
c:\winnt\Crystal\U2FDIF.dll
c:\winnt\Crystal\U2FHTML.dll
c:\winnt\Crystal\U2FSEPV.dll
c:\winnt\Crystal\U2FTEXT.dll
c:\winnt\Crystal\U2FWKS.dll
c:\winnt\Crystal\U2FWORDW.dll
c:\winnt\Crystal\U2FXLS.dll
c:\winnt\INRES.DLL
c:\winnt\IsUninst.exe
c:\winnt\iun507.exe
c:\winnt\MIDIDEF.EXE
c:\winnt\msagent\agtctl15.tlb
c:\winnt\P17DEF.EXE
c:\winnt\php_mysql.dll
c:\winnt\Speech\vcauto.tlb
c:\winnt\Speech\vtxtauto.tlb
c:\winnt\System\cmicnfg.cpl
c:\winnt\System\cmids3d.dll
c:\winnt\System\SmWizard.exe
c:\winnt\system32\A3d.dll
c:\winnt\system32\Ac3audio.ax
c:\winnt\system32\ac3filter.cpl
c:\winnt\system32\activeds.tlb
c:\winnt\system32\ATL70.DLL
c:\winnt\system32\Audio3D.dll
c:\winnt\system32\bdeadmin.cpl
c:\winnt\system32\CEUTIL.DLL
c:\winnt\system32\CFX32.OCX
c:\winnt\system32\cmirmdrv.exe
c:\winnt\system32\cmuda.dll
c:\winnt\system32\COMMTB32.DLL
c:\winnt\system32\crpe32.dll
c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe
c:\winnt\unins000.exe
c:\winnt\uninst.exe
c:\winnt\Web\default.htt
c:\winnt\winhelp.ini

c:\winnt\system32\comres.dll . . . is infected!!

Infected copy of c:\winnt\system32\qmgr.dll was found and disinfected
Restored copy from - c:\winnt\system32\BITS\qmgr.dll

c:\winnt\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ENGINE
-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-04-20 to 2010-05-20 )))))))))))))))))))))))))))))))
.

2016-04-12 06:11 . 2003-03-24 15:52 94208 -c--a-w- c:\winnt\system32\dllcache\fpencode.dll
2010-05-19 12:44 . 2010-05-19 12:44 -------- d-----w- C:\MAAutos
2010-05-19 08:34 . 2010-05-19 11:42 -------- d-----w- C:\HoylesGarage
2010-05-19 08:11 . 2010-05-19 11:37 -------- d-----w- C:\decoder
2010-05-18 03:58 . 2010-05-18 03:58 -------- d-----w- C:\fport
2010-05-11 09:27 . 2010-05-11 09:28 -------- d-----w- C:\Process Explorer
2010-04-26 16:45 . 2010-04-26 16:45 447 ----a-w- c:\temp\RADIONAMES.zip
2010-04-25 11:18 . 2010-04-25 11:27 -------- d-----w- C:\BDM
2010-04-22 14:48 . 2010-04-22 14:48 28574815 ----a-w- C:\A400RadioSetup.zip
2010-04-21 12:17 . 2010-04-21 12:17 242696 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\avg9\update\backup\avgtdix.sys
2010-04-21 12:15 . 2010-04-21 12:15 1689952 ----a-w- c:\documents and settings\All Users.WINNT\Application Data\avg9\update\backup\avgupd.dll
2010-04-20 17:35 . 2010-04-25 17:20 -------- d-----w- C:\FreescaleBDM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-15 04:38 . 2006-12-31 07:32 3 ----a-w- c:\winnt\system32\BSETUP.TMP
2010-05-20 11:45 . 2008-03-24 23:32 48863249 ----a-w- c:\winnt\Internet Logs\tvDebug.zip
2010-05-20 11:41 . 2010-03-31 14:43 -------- d-----w- c:\program files\LibUSB-Win32
2010-05-20 10:13 . 2010-02-12 15:54 0 ----a-w- c:\documents and settings\Jeff Haley\Local Settings\Application Data\prvlcl.dat
2010-05-20 07:42 . 2008-12-08 08:17 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-05 21:01 . 2010-03-22 15:32 25645347 ----a-w- C:\A400DOSSetup.zip
2010-04-21 12:17 . 2009-12-28 15:21 242896 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2010-04-16 11:35 . 2009-04-19 18:43 1 ----a-w- c:\documents and settings\Jeff Haley\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-09 16:06 . 2010-04-09 16:06 683879 ----a-w- C:\A400ECUSetup.zip
2010-04-06 19:57 . 2009-02-20 17:14 -------- d-----w- c:\documents and settings\Jeff Haley\Application Data\TeamViewer
2010-03-31 15:13 . 2010-03-31 14:22 -------- d-----w- c:\program files\UrJTAG
2010-03-24 18:29 . 2009-12-28 15:20 -------- d---a-w- c:\documents and settings\All Users.WINNT\Application Data\avg9
2010-03-23 12:16 . 2010-03-23 12:16 -------- d-----w- c:\program files\WinPcap
2010-03-19 17:18 . 2010-03-19 17:21 2317824 ----a-w- c:\winnt\Internet Logs\xDB18.tmp
2010-03-17 14:13 . 2010-03-17 14:13 12464 ----a-w- c:\winnt\system32\avgrsstx.dll
2010-03-17 14:13 . 2008-03-25 07:21 29512 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2010-03-17 14:10 . 2008-07-23 22:32 216200 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2008-07-13 16:48 . 2006-02-18 01:29 21952 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [2003-07-14 111376]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [2003-07-14 20752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-07-14 186640]

c:\documents and settings\Default User.WINNT\Start Menu\Programs\Startup\
Camio Viewer.lnk.disabled [2008-11-3 724]

c:\documents and settings\Jeff Haley\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2006-7-27 41042]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-12-18 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 14:13 12464 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"btbb_wcm_McciTrayApp"=c:\program files\btbb_wcm\McciTrayApp.exe

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [13/12/2009 12:30 AM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [23/07/2008 11:32 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [28/12/2009 4:21 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/03/2010 3:13 PM 308064]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\winnt\system32\drivers\libusb0.sys [31/03/2010 3:43 PM 28160]
S2 VPCAppSv;Virtual PC Application Services;c:\winnt\system32\drivers\vpcappsv.sys [30/09/2001 5:51 PM 9216]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 2:19 PM 1181328]
S3 lsermous;Logitech Serial Mouse Driver;c:\winnt\system32\drivers\lsermous.sys [17/02/2006 7:52 PM 55120]
S3 NPF;NetGroup Packet Filter Driver;c:\winnt\system32\drivers\npf.sys [06/11/2007 9:22 PM 34064]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [14/07/2003 1:00 PM 24784]
S3 S3Inc;S3Inc;c:\winnt\system32\drivers\s3mini.sys [31/12/2006 9:30 AM 177344]
S3 SiS630;SiS630;c:\winnt\system32\drivers\sis630p.sys [16/03/2007 1:01 AM 161747]
S3 SISNIC2K;SiS PCI Fast Ethernet Adapter Driver for NDIS5;c:\winnt\system32\drivers\sisnic2k.sys [14/02/2006 5:18 PM 32768]
S3 viafilter;VIA USB Filter;c:\winnt\system32\drivers\viausb.sys [10/04/2009 7:21 PM 9038]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-20 c:\winnt\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:29]

2010-05-20 c:\winnt\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:29]

2010-05-20 c:\winnt\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:29]

2010-05-20 c:\winnt\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:29]

2010-05-20 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 17:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &NeoTrace It! - c:\progra~1\NEOTRA~1\NTXcontext.htm
IE: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jeff Haley\Application Data\Mozilla\Firefox\Profiles\gxgktbuk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Run-HPDJ Taskbar Utility - c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe
AddRemove-C-Media Audio Driver - c:\winnt\system32\cmirmdrv.exe
AddRemove-LibUSB-Win32_is1 - c:\program files\LibUSB-Win32\unins000.exe
AddRemove-SiS7018 - c:\progra~1\SiS7018\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7018
AddRemove-Spybot - Search & Destroy_is1 - c:\winnt\unins000.exe
AddRemove-VAG_Pin_Calculator_1.0 - c:\winnt\iun507.exe
AddRemove-Windows CE Services - c:\winnt\ISUNINST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-20 12:46
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-764733703-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{684EB4FD-48E3-561C-A54A-7FE158CA112E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abblnmlfeioddpndjbfhkcbaaikcpiimim"=hex:61,61,00,00
"maijinhkohfgppbfldcofhcgco"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(212)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1412)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\winnt\System32\WBEM\WinMgmt.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\winnt\system32\locator.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-05-20 12:53:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-20 11:53

Pre-Run: 94,967,361,536 bytes free
Post-Run: 95,105,896,448 bytes free

- - End Of File - - BB43C7699772C91DEF50ECB5343DC6AE


#6 myrti

  • Malware Study Hall Admin
  • 33,766 posts

Posted 20 May 2010 - 07:31 AM

Hi,

This looks like a possible FP; I will have to check back with a couple of people.

Could you first of all please check a file with Virustotal:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.


c:\qoobox\quarantine\program files\Apache Group\Apache2\bin\Apache.exe.vir
c:\qoobox\quarantine\program files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe.vir
c:\qoobox\quarantine\winnt\system32\cmirmdrv.exe.vir

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Could you please post the content of C:\qoobox\combofix-quarantined-files.txt in your next reply too.

regards myrti

Edited by myrti, 20 May 2010 - 07:37 AM.



#7 totaldecodes
  • Topic Starter

Posted 20 May 2010 - 08:25 AM

ComboFix quarantined files log

2010-05-20 11:52:17 . 2010-05-20 11:52:17 836 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Windows CE Services.reg.dat
2010-05-20 11:52:17 . 2010-05-20 11:52:17 538 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-VAG_Pin_Calculator_1.0.reg.dat
2010-05-20 11:52:17 . 2010-05-20 11:52:17 1,456 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Spybot - Search & Destroy_is1.reg.dat
2010-05-20 11:52:17 . 2010-05-20 11:52:17 494 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-SiS7018.reg.dat
2010-05-20 11:52:17 . 2010-05-20 11:52:17 1,486 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-LibUSB-Win32_is1.reg.dat
2010-05-20 11:52:17 . 2010-05-20 11:52:17 470 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-C-Media Audio Driver.reg.dat
2010-05-20 11:50:22 . 2010-05-20 11:50:22 167 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-HPDJ Taskbar Utility.reg.dat
2010-05-20 11:50:22 . 2010-05-20 11:50:22 125 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Cmaudio.reg.dat
2010-05-20 11:36:15 . 2010-05-20 11:36:15 892 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_MYWEBSEARCHSERVICE.reg.dat
2010-05-20 11:36:15 . 2010-05-20 11:36:15 790 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_ENGINE.reg.dat
2010-05-20 11:35:43 . 2010-05-20 11:35:43 11,201 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-05-20 11:21:14 . 2010-05-20 11:21:14 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-05-19 11:23:03 . 2010-05-19 11:23:03 2,855 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\MRADIO.EXE.pif.vir
2010-03-31 14:43:36 . 2010-03-31 14:42:48 695,609 ----a-w- C:\Qoobox\Quarantine\C\Program Files\LibUSB-Win32\unins000.exe.vir
2009-12-18 03:12:53 . 2009-12-18 03:12:53 2,855 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\WinZip running DOS program.pif.vir
2009-10-17 05:47:35 . 2006-08-23 17:14:36 49,211 ----a-w- C:\Qoobox\Quarantine\C\WINNT\php_mysql.dll.vir
2009-07-14 10:33:11 . 2009-07-14 10:34:08 6,904,036 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\nvu-1.0-win32-installer-full.exe.vir
2009-05-29 17:22:30 . 2002-04-11 01:41:06 65,536 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\A3d.dll.vir
2009-04-12 22:59:48 . 2009-04-12 23:00:53 15,776,696 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\OnyxSetupV2.0.15.0.exe.vir
2009-03-08 15:32:22 . 2009-03-08 15:32:29 151,552 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\EnigmaAccess.exe.vir
2009-02-19 17:37:39 . 2002-01-05 06:18:00 84,992 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\ATL70.DLL.vir
2009-01-28 23:17:11 . 1996-08-16 13:49:54 298,496 ----a-w- C:\Qoobox\Quarantine\C\WINNT\uninst.exe.vir
2009-01-26 09:22:55 . 2010-04-06 08:16:09 98,304 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\nssdbm3.dll.vir
2008-12-10 11:34:13 . 2001-02-03 15:05:56 28,672 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2DDISK.dll.vir
2008-12-10 11:34:13 . 2001-02-03 15:05:56 106,496 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FWORDW.dll.vir
2008-12-10 11:34:13 . 2000-11-08 22:46:00 40,960 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FWKS.dll.vir
2008-12-10 11:34:12 . 2001-02-03 15:05:56 90,112 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FTEXT.dll.vir
2008-12-10 11:34:12 . 2000-11-08 22:46:00 36,864 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FSEPV.dll.vir
2008-12-10 11:34:12 . 2001-02-03 15:05:56 45,056 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FHTML.dll.vir
2008-12-10 11:34:12 . 2001-02-03 15:05:56 36,864 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FDIF.dll.vir
2008-12-10 11:34:12 . 2001-02-03 15:05:56 28,672 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FCR.dll.vir
2008-12-10 11:34:12 . 2000-11-08 22:46:00 57,344 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dvim.dll.vir
2008-12-10 11:34:12 . 2001-02-03 15:05:56 102,400 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dpost.dll.vir
2008-12-10 11:34:11 . 2000-11-08 22:46:00 53,248 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dnotes.dll.vir
2008-12-10 11:34:11 . 2000-11-08 22:46:00 40,960 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2DMAPI.dll.vir
2008-12-10 11:34:11 . 2001-02-03 15:05:56 212,992 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FXLS.dll.vir
2008-12-10 11:33:17 . 2001-02-10 02:43:52 4,587,577 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\crpe32.dll.vir
2008-06-28 17:50:23 . 2008-06-28 17:54:40 15,689,246 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\idafree49.exe.vir
2008-06-27 18:35:04 . 2008-06-27 18:32:53 286,720 ----a-w- C:\Qoobox\Quarantine\C\WINNT\iun507.exe.vir
2008-03-25 03:38:41 . 2008-03-25 03:26:29 691,545 ----a-w- C:\Qoobox\Quarantine\C\WINNT\unins000.exe.vir
2008-03-03 11:41:45 . 2008-03-03 11:41:37 24,673 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll.vir
2007-10-25 02:22:19 . 2010-04-06 08:16:11 155,648 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\softokn3.dll.vir
2007-10-25 02:22:19 . 2010-04-06 08:16:03 249,856 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\freebl3.dll.vir
2007-03-04 11:26:56 . 2007-03-04 11:26:56 68,096 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe.vir
2007-02-21 20:51:23 . 2001-07-17 09:09:08 200,704 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe.vir
2007-01-14 22:17:24 . 2007-01-14 22:17:24 443,904 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\Ren ID33.exe.vir
2007-01-06 01:47:13 . 2007-01-06 01:47:26 178 ----a-w- C:\Qoobox\Quarantine\C\WINNT\WINHELP.INI.vir
2006-12-31 07:49:37 . 2000-01-01 00:08:08 542 ----a-w- C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2006-12-11 15:33:24 . 2003-03-26 23:28:36 53,325 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\CEUTIL.DLL.vir
2006-07-27 15:55:26 . 2006-07-27 15:55:26 20,541 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Apache Group\Apache2\bin\Apache.exe.vir
2006-04-07 17:47:24 . 2002-02-07 15:38:00 306,688 ----a-w- C:\Qoobox\Quarantine\C\WINNT\IsUninst.exe.vir
2006-02-18 01:29:52 . 2008-07-13 16:48:49 5,296 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Web\default.htt.vir
2006-02-17 18:49:55 . 2003-07-14 12:00:00 6,144 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Speech\vtxtauto.tlb.vir
2006-02-17 18:49:55 . 2003-07-14 12:00:00 6,656 ----a-w- C:\Qoobox\Quarantine\C\WINNT\Speech\vcauto.tlb.vir
2005-06-15 03:07:24 . 2005-06-15 03:07:24 11,264 ----a-w- C:\Qoobox\Quarantine\C\WINNT\INRES.DLL.vir
2005-05-03 11:35:56 . 2005-05-03 11:35:56 20,480 ----a-w- C:\Qoobox\Quarantine\C\WINNT\P17DEF.EXE.vir
2003-11-03 20:22:50 . 2003-11-03 20:22:50 118,784 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\cmuda.dll.vir
2003-10-15 16:26:44 . 2003-10-15 16:26:44 1,454,080 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system\SmWizard.exe.vir
2003-10-14 11:52:32 . 2003-10-14 11:52:32 2,301,952 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system\cmicnfg.cpl.vir
2003-08-20 18:46:52 . 2003-08-20 18:46:52 233,472 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\cmirmdrv.exe.vir
2003-08-19 07:20:04 . 2003-08-19 07:20:04 180,224 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\ac3filter.cpl.vir
2003-07-14 12:00:00 . 2003-07-14 12:00:00 17,920 ----a-w- C:\Qoobox\Quarantine\C\WINNT\msagent\agtctl15.tlb.vir
2003-07-14 12:00:00 . 2003-07-14 12:00:00 107,520 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\activeds.tlb.vir
2003-07-14 12:00:00 . 2003-07-14 12:00:00 244,224 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\qmgr.dll.vir
2002-12-03 09:16:00 . 2002-12-03 09:16:00 49,152 ----a-w- C:\Qoobox\Quarantine\C\WINNT\MIDIDEF.EXE.vir
2002-04-29 15:04:40 . 2002-04-29 15:04:40 917,504 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system\cmids3d.dll.vir
2001-11-23 12:08:20 . 2001-11-23 12:08:20 712,704 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\Audio3D.dll.vir
2001-05-10 23:00:00 . 2001-05-10 23:00:00 183,808 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\bdeadmin.cpl.vir
2001-03-02 15:48:44 . 2001-03-02 15:48:44 294,912 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\Ac3audio.ax.vir
1999-01-28 20:31:24 . 1999-01-28 20:31:24 380,928 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\MSIOFF9.OCX.vir
1999-01-22 01:30:10 . 1999-01-22 01:30:10 5,120 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRVPS.DLL.vir
1999-01-22 01:29:12 . 1999-01-22 01:29:12 44,032 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE.vir
1997-07-31 23:00:00 . 1997-07-31 23:00:00 57,344 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\COMMTB32.DLL.vir
1996-06-10 14:24:26 . 1996-06-10 14:24:26 307,200 ----a-w- C:\Qoobox\Quarantine\C\WINNT\system32\CFX32.OCX.vir

Apache scan

File apache.exe received on 2009.11.15 18:54:20 (UTC)
Current status: finished

Result: 0/41 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.15 -
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.15 -
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.15 -
Avast 4.8.1351.0 2009.11.15 -
AVG 8.5.0.425 2009.11.15 -
BitDefender 7.2 2009.11.15 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.15 -
Comodo 2957 2009.11.15 -
DrWeb 5.0.0.12182 2009.11.15 -
eSafe 7.0.17.0 2009.11.15 -
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.15 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.15 -
GData 19 2009.11.15 -
Ikarus T3.1.1.74.0 2009.11.15 -
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.15 -
McAfee 5803 2009.11.15 -
McAfee+Artemis 5803 2009.11.15 -
McAfee-GW-Edition 6.8.5 2009.11.15 -
Microsoft 1.5202 2009.11.15 -
NOD32 4610 2009.11.15 -
Norman 6.03.02 2009.11.15 -
nProtect 2009.1.8.0 2009.11.15 -
Panda 10.0.2.2 2009.11.15 -
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.15 -
Rising 22.21.06.05 2009.11.15 -
Sophos 4.47.0 2009.11.15 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.15 -
TheHacker 6.5.0.2.070 2009.11.14 -
TrendMicro 9.0.0.1003 2009.11.15 -
VBA32 3.12.10.11 2009.11.15 -
ViRobot 2009.11.14.2037 2009.11.14 -
VirusBuster 4.6.5.0 2009.11.15 -
Additional information
File size: 20541 bytes
MD5 : 898eb29e06b363a57524365acfbc1b73
SHA1 : 2a1cc69b2b7d422d5e4cbc63da6d2054e53b69be
SHA256: 5e3c941454c301f0869e1bd9545d020ebdfb9b6dbd7b1cfcecd61384a0654c9e
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401CCF
timedatestamp.....: 0x44C9283C (Thu Jul 27 22:55:24 2006)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xE20 0x1000 5.29 729cfe6bcf3f4f86cfbdc55a644987e4
.rdata 0x2000 0x800 0x1000 2.96 8ea7a612e66e9a429301ff1d50073036
.data 0x3000 0xAAC 0x1000 3.87 b2199fddc9231d11027173b52624bb61
.rsrc 0x4000 0xC70 0x1000 2.81 04989857773364203ba900c6acd24c04

( 0 imports )


( 0 exports )

TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 192:soX+kIJjt2g8312GntBqiauxuA+caA0gKONNoynRK30UNg+laatB5UijBX5GqdZ2:WkI32H12EIA50TOD230Uy6tr/lX4qdZ2
PEiD : Armadillo v1.71
CWSandbox: http://research.sunbelt-software.com/partn...524365acfbc1b73
RDS : NSRL Reference Data Set
-

Macromedia scan

File Macromedia_Licensing.exe received on 2009.06.02 12:08:26 (UTC)
Current status: finished

Result: 0/40 (0.00%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.06.02 -
AhnLab-V3 5.0.0.2 2009.06.02 -
AntiVir 7.9.0.180 2009.06.02 -
Antiy-AVL 2.0.3.1 2009.06.02 -
Authentium 5.1.2.4 2009.06.02 -
Avast 4.8.1335.0 2009.06.01 -
AVG 8.5.0.339 2009.06.02 -
BitDefender 7.2 2009.06.02 -
CAT-QuickHeal 10.00 2009.06.02 -
ClamAV 0.94.1 2009.06.02 -
Comodo 1233 2009.06.02 -
DrWeb 5.0.0.12182 2009.06.02 -
eSafe 7.0.17.0 2009.06.01 -
eTrust-Vet 31.6.6535 2009.06.02 -
F-Prot 4.4.4.56 2009.06.02 -
F-Secure 8.0.14470.0 2009.06.02 -
Fortinet 3.117.0.0 2009.06.02 -
GData 19 2009.06.02 -
Ikarus T3.1.1.57.0 2009.06.02 -
K7AntiVirus 7.10.749 2009.05.29 -
Kaspersky 7.0.0.125 2009.06.02 -
McAfee 5633 2009.06.01 -
McAfee+Artemis 5633 2009.06.01 -
McAfee-GW-Edition 6.7.6 2009.05.29 -
Microsoft 1.4701 2009.06.02 -
NOD32 4122 2009.06.02 -
Norman 6.01.05 2009.06.01 -
nProtect 2009.1.8.0 2009.06.02 -
Panda 10.0.0.14 2009.06.01 -
PCTools 4.4.2.0 2009.06.02 -
Prevx 3.0 2009.06.02 -
Rising 21.32.13.00 2009.06.02 -
Sophos 4.42.0 2009.06.02 -
Sunbelt 3.2.1858.2 2009.06.02 -
Symantec 1.4.4.12 2009.06.02 -
TheHacker 6.3.4.3.335 2009.06.01 -
TrendMicro 8.950.0.1092 2009.06.02 -
VBA32 3.12.10.6 2009.06.02 -
ViRobot 2009.6.2.1765 2009.06.02 -
VirusBuster 4.6.5.0 2009.06.01 -
Additional information
File size: 68096 bytes
MD5 : 04d3a71875699098af856ee5f9f72ac3
SHA1 : 33e1a9fa46e14f1b18865be4de0f62271687ba91
SHA256: b7eb995882cb2f4fe24f9df516583c428840e878d5416965196ba2e2c5943edb
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4AC0
timedatestamp.....: 0x3FFBDAC2 (Wed Jan 7 11:09:06 2004)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xB526 0xB600 6.62 4780c0778a6efd2f7679079c924bae6a
.rdata 0xD000 0x14D8 0x1600 5.26 4a676530334aaf67698db04c23c381d1
.data 0xF000 0x4CC8 0x3600 1.53 5babcb5864ef60a8716def6459fdda0e
.rsrc 0x14000 0x248 0x400 2.03 882edf91479ee55186688d7f35f651c4

( 3 imports )

> advapi32.dll: RegDeleteValueA, QueryServiceConfigA, RegEnumKeyExA, RegCloseKey, RegOpenKeyExA, RegisterEventSourceA, ReportEventA, RegDeleteKeyA, SetServiceStatus, RegisterServiceCtrlHandlerA, DeregisterEventSource, OpenServiceA, CloseServiceHandle, OpenSCManagerA, SetSecurityDescriptorDacl, StartServiceCtrlDispatcherA, InitializeSecurityDescriptor, RegSetValueExA, GetLengthSid, RegCreateKeyExA, QueryServiceStatus, OpenServiceW, StartServiceW, RegQueryValueExA, OpenSCManagerW
> kernel32.dll: ConnectNamedPipe, FindClose, FindNextFileA, FindFirstFileA, CreateDirectoryA, GetProcAddress, LeaveCriticalSection, EnterCriticalSection, WaitForSingleObject, WaitForMultipleObjectsEx, ReleaseMutex, QueryDosDeviceA, CreateFileW, GetExitCodeThread, GetModuleHandleA, lstrcpyW, lstrlenW, QueryDosDeviceW, SetWaitableTimer, CreateWaitableTimerA, DisconnectNamedPipe, GetOverlappedResult, GetTickCount, SetEvent, ResumeThread, SuspendThread, CreateEventA, InitializeCriticalSection, LoadLibraryA, CreateThread, CreateMutexA, CreateNamedPipeA, WriteFile, FreeLibrary, WaitForSingleObjectEx, GetSystemDirectoryA, GetVersionExA, GetLastError, lstrlenA, SetFilePointer, ReadFile, OpenProcess, DeviceIoControl, TlsAlloc, CloseHandle, CreateFileA, SetLastError, SetEnvironmentVariableA, CompareStringA, FlushFileBuffers, GetStringTypeW, GetStringTypeA, HeapFree, HeapAlloc, RtlUnwind, InterlockedDecrement, InterlockedIncrement, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetCommandLineA, GetVersion, ExitProcess, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, HeapSize, GetCurrentThreadId, TlsSetValue, CompareStringW, GetStdHandle, TlsGetValue, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, SetStdHandle
> user32.dll: wsprintfA, DestroyWindow, DispatchMessageA, TranslateMessage, GetMessageA, CreateWindowExA, RegisterClassA, DefWindowProcA

( 0 exports )

TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
ssdeep: 1536:exJBQsGcBTJwKogS+Oiag8yTzxeroxhs:8Ji9McgSzTg8yTzxeroxhs
PEiD : Armadillo v1.71
RDS : NSRL Reference Data Set
-
File Macromedia_Licensing.exe received on 2009.06.02 12:08:26 (UTC)
Current status: finished

Result: 0/40 (0.00%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.06.02 -
AhnLab-V3 5.0.0.2 2009.06.02 -
AntiVir 7.9.0.180 2009.06.02 -
Antiy-AVL 2.0.3.1 2009.06.02 -
Authentium 5.1.2.4 2009.06.02 -
Avast 4.8.1335.0 2009.06.01 -
AVG 8.5.0.339 2009.06.02 -
BitDefender 7.2 2009.06.02 -
CAT-QuickHeal 10.00 2009.06.02 -
ClamAV 0.94.1 2009.06.02 -
Comodo 1233 2009.06.02 -
DrWeb 5.0.0.12182 2009.06.02 -
eSafe 7.0.17.0 2009.06.01 -
eTrust-Vet 31.6.6535 2009.06.02 -
F-Prot 4.4.4.56 2009.06.02 -
F-Secure 8.0.14470.0 2009.06.02 -
Fortinet 3.117.0.0 2009.06.02 -
GData 19 2009.06.02 -
Ikarus T3.1.1.57.0 2009.06.02 -
K7AntiVirus 7.10.749 2009.05.29 -
Kaspersky 7.0.0.125 2009.06.02 -
McAfee 5633 2009.06.01 -
McAfee+Artemis 5633 2009.06.01 -
McAfee-GW-Edition 6.7.6 2009.05.29 -
Microsoft 1.4701 2009.06.02 -
NOD32 4122 2009.06.02 -
Norman 6.01.05 2009.06.01 -
nProtect 2009.1.8.0 2009.06.02 -
Panda 10.0.0.14 2009.06.01 -
PCTools 4.4.2.0 2009.06.02 -
Prevx 3.0 2009.06.02 -
Rising 21.32.13.00 2009.06.02 -
Sophos 4.42.0 2009.06.02 -
Sunbelt 3.2.1858.2 2009.06.02 -
Symantec 1.4.4.12 2009.06.02 -
TheHacker 6.3.4.3.335 2009.06.01 -
TrendMicro 8.950.0.1092 2009.06.02 -
VBA32 3.12.10.6 2009.06.02 -
ViRobot 2009.6.2.1765 2009.06.02 -
VirusBuster 4.6.5.0 2009.06.01 -
Additional information
File size: 68096 bytes
MD5 : 04d3a71875699098af856ee5f9f72ac3
SHA1 : 33e1a9fa46e14f1b18865be4de0f62271687ba91
SHA256: b7eb995882cb2f4fe24f9df516583c428840e878d5416965196ba2e2c5943edb
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4AC0
timedatestamp.....: 0x3FFBDAC2 (Wed Jan 7 11:09:06 2004)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xB526 0xB600 6.62 4780c0778a6efd2f7679079c924bae6a
.rdata 0xD000 0x14D8 0x1600 5.26 4a676530334aaf67698db04c23c381d1
.data 0xF000 0x4CC8 0x3600 1.53 5babcb5864ef60a8716def6459fdda0e
.rsrc 0x14000 0x248 0x400 2.03 882edf91479ee55186688d7f35f651c4

( 3 imports )

> advapi32.dll: RegDeleteValueA, QueryServiceConfigA, RegEnumKeyExA, RegCloseKey, RegOpenKeyExA, RegisterEventSourceA, ReportEventA, RegDeleteKeyA, SetServiceStatus, RegisterServiceCtrlHandlerA, DeregisterEventSource, OpenServiceA, CloseServiceHandle, OpenSCManagerA, SetSecurityDescriptorDacl, StartServiceCtrlDispatcherA, InitializeSecurityDescriptor, RegSetValueExA, GetLengthSid, RegCreateKeyExA, QueryServiceStatus, OpenServiceW, StartServiceW, RegQueryValueExA, OpenSCManagerW
> kernel32.dll: ConnectNamedPipe, FindClose, FindNextFileA, FindFirstFileA, CreateDirectoryA, GetProcAddress, LeaveCriticalSection, EnterCriticalSection, WaitForSingleObject, WaitForMultipleObjectsEx, ReleaseMutex, QueryDosDeviceA, CreateFileW, GetExitCodeThread, GetModuleHandleA, lstrcpyW, lstrlenW, QueryDosDeviceW, SetWaitableTimer, CreateWaitableTimerA, DisconnectNamedPipe, GetOverlappedResult, GetTickCount, SetEvent, ResumeThread, SuspendThread, CreateEventA, InitializeCriticalSection, LoadLibraryA, CreateThread, CreateMutexA, CreateNamedPipeA, WriteFile, FreeLibrary, WaitForSingleObjectEx, GetSystemDirectoryA, GetVersionExA, GetLastError, lstrlenA, SetFilePointer, ReadFile, OpenProcess, DeviceIoControl, TlsAlloc, CloseHandle, CreateFileA, SetLastError, SetEnvironmentVariableA, CompareStringA, FlushFileBuffers, GetStringTypeW, GetStringTypeA, HeapFree, HeapAlloc, RtlUnwind, InterlockedDecrement, InterlockedIncrement, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetCommandLineA, GetVersion, ExitProcess, GetModuleFileNameA, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, DeleteCriticalSection, TerminateProcess, GetCurrentProcess, HeapSize, GetCurrentThreadId, TlsSetValue, CompareStringW, GetStdHandle, TlsGetValue, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, SetStdHandle
> user32.dll: wsprintfA, DestroyWindow, DispatchMessageA, TranslateMessage, GetMessageA, CreateWindowExA, RegisterClassA, DefWindowProcA

( 0 exports )

TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
ssdeep: 1536:exJBQsGcBTJwKogS+Oiag8yTzxeroxhs:8Ji9McgSzTg8yTzxeroxhs
PEiD : Armadillo v1.71
RDS : NSRL Reference Data Set
-

cmirmdrv scan

File CMIRMDRV.EXE received on 2010.03.11 16:17:10 (UTC)
Current status: finished

Result: 0/42 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.03.11 -
AhnLab-V3 5.0.0.2 2010.03.11 -
AntiVir 8.2.1.180 2010.03.11 -
Antiy-AVL 2.0.3.7 2010.03.11 -
Authentium 5.2.0.5 2010.03.11 -
Avast 4.8.1351.0 2010.03.10 -
Avast5 5.0.332.0 2010.03.10 -
AVG 9.0.0.787 2010.03.11 -
BitDefender 7.2 2010.03.11 -
CAT-QuickHeal 10.00 2010.03.11 -
ClamAV 0.96.0.0-git 2010.03.11 -
Comodo 4225 2010.03.11 -
DrWeb 5.0.1.12222 2010.03.11 -
eSafe 7.0.17.0 2010.03.11 -
eTrust-Vet 35.2.7354 2010.03.11 -
F-Prot 4.5.1.85 2010.03.11 -
F-Secure 9.0.15370.0 2010.03.11 -
Fortinet 4.0.14.0 2010.03.09 -
GData 19 2010.03.11 -
Ikarus T3.1.1.80.0 2010.03.11 -
Jiangmin 13.0.900 2010.03.11 -
K7AntiVirus 7.10.995 2010.03.11 -
Kaspersky 7.0.0.125 2010.03.11 -
McAfee 5917 2010.03.11 -
McAfee+Artemis 5917 2010.03.11 -
McAfee-GW-Edition 6.8.5 2010.03.11 -
Microsoft 1.5502 2010.03.11 -
NOD32 4935 2010.03.11 -
Norman 6.04.08 2010.03.11 -
nProtect 2009.1.8.0 2010.03.11 -
Panda 10.0.2.2 2010.03.11 -
PCTools 7.0.3.5 2010.03.11 -
Prevx 3.0 2010.03.11 -
Rising 22.38.03.04 2010.03.11 -
Sophos 4.51.0 2010.03.11 -
Sunbelt 5824 2010.03.11 -
Symantec 20091.2.0.41 2010.03.11 -
TheHacker 6.5.2.0.230 2010.03.11 -
TrendMicro 9.120.0.1004 2010.03.11 -
VBA32 3.12.12.2 2010.03.11 -
ViRobot 2010.3.11.2222 2010.03.11 -
VirusBuster 5.0.27.0 2010.03.11 -
Additional information
File size: 233472 bytes
MD5 : 7c50692718c1f38536e0e9aec3e52433
SHA1 : 0b3702a72f1b842c395fc51a06ae6dabb11f590b
SHA256: e4372c9ebee7021519fe6cfd00f2255963fc6afa36bc249ec4d2b17e1030dc78
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xAC7E
timedatestamp.....: 0x3F435199 (Wed Aug 20 12:46:49 2003)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x24C4F 0x25000 6.60 d2798d3bbcffd33716322c2a58e669be
.rdata 0x26000 0x8B42 0x9000 4.70 1655ea1eee87157900d4bc9dd8946a1f
.data 0x2F000 0x8808 0x5000 2.45 5ad186fa488bc082bf90f6b57ac50789
.rsrc 0x38000 0x4E78 0x5000 3.96 7f42133d376fa132ec302c5c56a903bc

( 12 imports )

> advapi32.dll: RegCloseKey, RegDeleteValueA, AdjustTokenPrivileges, RegSetValueExA,
RegCreateKeyExA, LookupPrivilegeValueA, OpenProcessToken, RegDeleteKeyA, RegOpenKeyExA
> comctl32.dll: -
> comdlg32.dll: GetFileTitleA
> gdi32.dll: GetObjectA, SetBkColor, SetTextColor, GetClipBox, BitBlt, DeleteObject,
CreateCompatibleDC, CreateDIBitmap, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx,
CreateSolidBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextColor,
GetBkColor, DPtoLP, LPtoDP, GetMapMode, PatBlt, ScaleWindowExtEx, SetWindowExtEx,
SetViewportExtEx, OffsetViewportOrgEx, ScaleViewportExtEx, SetMapMode, SetViewportOrgEx,
SetBkMode, GetStockObject, SelectObject, SaveDC, RestoreDC, GetTextExtentPointA,
IntersectClipRect, DeleteDC, CreateBitmap
> kernel32.dll: GetTickCount, GetFullPathNameA, GetFileSize, GetVolumeInformationA,
GetStartupInfoA, GetFileTime, RtlUnwind, TerminateProcess, HeapFree, UnlockFile, SetEndOfFile,
GetTimeZoneInformation, GetCommandLineA, GetACP, HeapReAlloc, HeapSize, ExitProcess,
RaiseException, SetFilePointer, HeapAlloc, FreeEnvironmentStringsA, FreeEnvironmentStringsW,
GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType,
GetEnvironmentVariableA, HeapDestroy, LocalAlloc, GetDriveTypeA, GetStringTypeA, GetStringTypeW,
VirtualAlloc, LockFile, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW,
SetEnvironmentVariableA, FlushFileBuffers, CreateFileA, WriteFile, ReadFile, DuplicateHandle,
SetErrorMode, GetOEMCP, GetThreadLocale, SizeofResource, GetCurrentDirectoryA, GetCPInfo,
GetProcessVersion, WritePrivateProfileStringA, TlsGetValue, GlobalFlags, MulDiv, LCMapStringW,
UnhandledExceptionFilter, GlobalReAlloc, InterlockedIncrement, GetVersionExA,
GetSystemDirectoryA, GetShortPathNameA, MoveFileExA, Sleep, LoadLibraryA, GetProcAddress,
FreeLibrary, GetWindowsDirectoryA, MultiByteToWideChar, GetVersion, SetFileAttributesA,
GetCurrentProcess, GetLastError, CloseHandle, DeleteFileA, GetFileAttributesA, LocalReAlloc,
TlsSetValue, TlsAlloc, TlsFree, GlobalHandle, HeapCreate, FileTimeToLocalFileTime,
GetProfileStringA, FileTimeToSystemTime, EnterCriticalSection, LeaveCriticalSection,
DeleteCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalFree, FindResourceA,
LoadResource, LockResource, lstrcatA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA,
GetModuleHandleA, GetModuleFileNameA, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA,
GetCurrentThread, GetCurrentThreadId, FormatMessageA, LocalFree, FindNextFileA, lstrcpyA,
FindFirstFileA, SetLastError, FindClose, lstrcpynA, lstrcmpiA, WideCharToMultiByte, lstrlenA,
InterlockedDecrement, VirtualFree, SetUnhandledExceptionFilter, LCMapStringA, IsBadWritePtr
> ole32.dll: CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes,
CoGetClassObject, OleInitialize, CoTaskMemFree, CoRevokeClassObject, CoInitialize,
CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CLSIDFromString, OleUninitialize,
CLSIDFromProgID, CoRegisterMessageFilter, OleIsCurrentClipboard, OleFlushClipboard,
CoTaskMemAlloc
> oleaut32.dll: -, -, -, -, -, -, -, -, -
> oledlg.dll: -
> olepro32.dll: -
> setupapi.dll: SetupCloseInfFile, SetupFindFirstLineA, SetupFindNextLine, SetupGetStringFieldA,
SetupOpenInfFileA
> user32.dll: InvalidateRect, CharUpperA, InflateRect, RegisterClipboardFormatA,
PostThreadMessageA, BeginPaint, GetWindowDC, ReleaseDC, GetDC, PtInRect, GetClassNameA,
ClientToScreen, GetDesktopWindow, LoadCursorA, MapDialogRect, SetWindowContextHelpId,
LoadStringA, EndDialog, CreateDialogIndirectParamA, LoadIconA, UpdateWindow, MapWindowPoints,
GetSysColor, SetActiveWindow, AdjustWindowRectEx, ScreenToClient, GetClientRect, CopyRect,
GetTopWindow, IsChild, GetCapture, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount,
GetSubMenu, GetMenuItemID, DefWindowProcA, DestroyWindow, GetSysColorBrush, GetPropA,
CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow,
SetForegroundWindow, GetWindow, RegisterWindowMessageA, OffsetRect, IntersectRect,
SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetSystemMetrics, SetFocus,
ShowWindow, SetWindowPos, MoveWindow, SetWindowLongA, GetDlgCtrlID, GetWindowTextLengthA,
GetWindowTextA, SetWindowTextA, IsDialogMessageA, SendDlgItemMessageA, GetDlgItem,
GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps,
CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage,
DispatchMessageA, GetNextDlgGroupItem, MessageBeep, CharNextA, SetRect, CopyAcceleratorTableA,
WinHelpA, wsprintfA, DestroyMenu, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect,
IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetParent, GetLastActivePopup,
IsWindowEnabled, GetWindowLongA, EnableWindow, SetCursor, PostQuitMessage, FindWindowA,
MessageBoxA, ExitWindowsEx, IsWindow, PostMessageA, SendMessageA, TabbedTextOutA, GrayStringA,
DrawTextA, SetPropA, EndPaint, UnhookWindowsHookEx, GetClassLongA, CreateWindowExA,
UnregisterClassA, HideCaret, ShowCaret, ExcludeUpdateRgn, DrawFocusRect, DefDlgProcA,
IsWindowUnicode
> winspool.drv: OpenPrinterA, DocumentPropertiesA, ClosePrinter

( 0 exports )

TrID : File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
ssdeep: 3072:c1xCfPJvUBLMekWKSTPdpGE2Nb/pWTrTCC6oGAJFehdiSJOoL7B9N7k:4WJvUBzaSTlpGE2NLM2lAKdJ9
sigcheck: publisher....:
copyright....: Copyright © 2003
product......: CmiRemoveDriver Application
description..: CmiRemoveDriver MFC Application
original name: CmiRemoveDriver.EXE
internal name: CmiRemoveDriver
file version.: 1, 0, 0, 11
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned

PEiD : Armadillo v1.71
CWSandbox: http://research.sunbelt-software.com/partn...6e0e9aec3e52433
RDS : NSRL Reference Data Set
-


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:09 AM

Posted 20 May 2010 - 09:36 AM

Hi,

please zip up the files that were deleted, so we can check why they were deleted:
Open notepad and copy/paste the text in the codebox below into it:

CODE
@echo off
rem Add each quarantined copy to Files_for_submission.zip on the desktop.
rem zip.exe is named explicitly so that a batch file saved as zip.bat does not call itself.
for %%g in (
"C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\MRADIO.EXE.pif.vir"
"C:\Qoobox\Quarantine\C\Program Files\LibUSB-Win32\unins000.exe.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\WinZip running DOS program.pif.vir"
"C:\Qoobox\Quarantine\C\WINNT\php_mysql.dll.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\nvu-1.0-win32-installer-full.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\A3d.dll.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\OnyxSetupV2.0.15.0.exe.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\EnigmaAccess.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\ATL70.DLL.vir"
"C:\Qoobox\Quarantine\C\WINNT\uninst.exe.vir"
"C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\nssdbm3.dll.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\crpe32.dll.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\idafree49.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\iun507.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\unins000.exe.vir"
"C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll.vir"
"C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\softokn3.dll.vir"
"C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\freebl3.dll.vir"
"C:\Qoobox\Quarantine\C\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe.vir"
"C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\Ren ID33.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\WINHELP.INI.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\CEUTIL.DLL.vir"
"C:\Qoobox\Quarantine\C\Program Files\Apache Group\Apache2\bin\Apache.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\IsUninst.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\Web\default.htt.vir"
"C:\Qoobox\Quarantine\C\WINNT\Speech\vtxtauto.tlb.vir"
"C:\Qoobox\Quarantine\C\WINNT\Speech\vcauto.tlb.vir"
"C:\Qoobox\Quarantine\C\WINNT\INRES.DLL.vir"
"C:\Qoobox\Quarantine\C\WINNT\P17DEF.EXE.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\cmuda.dll.vir"
"C:\Qoobox\Quarantine\C\WINNT\system\SmWizard.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\system\cmicnfg.cpl.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\cmirmdrv.exe.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\ac3filter.cpl.vir"
"C:\Qoobox\Quarantine\C\WINNT\msagent\agtctl15.tlb.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\activeds.tlb.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\qmgr.dll.vir"
"C:\Qoobox\Quarantine\C\WINNT\MIDIDEF.EXE.vir"
"C:\Qoobox\Quarantine\C\WINNT\system\cmids3d.dll.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\Audio3D.dll.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\bdeadmin.cpl.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\Ac3audio.ax.vir"
"C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\MSIOFF9.OCX.vir"
"C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRVPS.DLL.vir"
"C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\COMMTB32.DLL.vir"
"C:\Qoobox\Quarantine\C\WINNT\system32\CFX32.OCX.vir"
) do zip.exe "%userprofile%\Desktop\Files_for_submission" %%g
rem Remove this batch file once the archive has been built.
del %0

Save this as zip.bat
Choose to "Save type as - All Files"
Save it on your desktop.
It should look like this:
Double click on zip.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop. Please upload that file here -->http://www.bleepingcomputer.com/submit-malware.php?channel=4

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 totaldecodes

totaldecodes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 20 May 2010 - 09:59 AM

Had to call the batch file zipfiles.bat because calling it zip.bat just made it call itself recursively. I am now uploading the zip file.

#10 totaldecodes

totaldecodes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 20 May 2010 - 10:20 AM

The page took a while to finish uploading then I got this.

Malware Submission
There was a problem with your submission. Please Contact Us and let us know the name of the file, the size of the file, and the error code given below.

Unknown error.
Error number

The file size was 43MB

Edited by totaldecodes, 20 May 2010 - 10:21 AM.


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:09 AM

Posted 20 May 2010 - 10:26 AM

Hi,

could you please upload the files to http://www.mediafire.com and post the download link in your next reply.

regards myrti

Edited by myrti, 20 May 2010 - 10:27 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#12 totaldecodes

totaldecodes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 20 May 2010 - 11:25 AM

I get upload error#-43 on Media Fire. The zip file isn't corrupted so I have no idea what is going on. BTW I have used a clean machine for the Media Fire upload. I copied the zip file onto a usb drive.

#13 totaldecodes

totaldecodes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 20 May 2010 - 11:39 AM

I have ftp'd it to http://www.totaldecodes.co.uk/Files_for_submission.zip

If you can, give it 5 minutes to complete uploading.

Edited by totaldecodes, 20 May 2010 - 11:40 AM.


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:09 AM

Posted 20 May 2010 - 02:05 PM

Hi,

thanks, upload received.

As a first step let's dequarantine the files:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
DeQuarantine::
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\MRADIO.EXE.pif.vir
C:\Qoobox\Quarantine\C\Program Files\LibUSB-Win32\unins000.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\WinZip running DOS program.pif.vir
C:\Qoobox\Quarantine\C\WINNT\php_mysql.dll.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\nvu-1.0-win32-installer-full.exe.vir
C:\Qoobox\Quarantine\C\WINNT\system32\A3d.dll.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\OnyxSetupV2.0.15.0.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\EnigmaAccess.exe.vir
C:\Qoobox\Quarantine\C\WINNT\system32\ATL70.DLL.vir
C:\Qoobox\Quarantine\C\WINNT\uninst.exe.vir
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\nssdbm3.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2DDISK.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FWORDW.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FWKS.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FTEXT.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FSEPV.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FHTML.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FDIF.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FCR.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dvim.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dpost.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dnotes.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2DMAPI.dll.vir
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FXLS.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system32\crpe32.dll.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\idafree49.exe.vir
C:\Qoobox\Quarantine\C\WINNT\iun507.exe.vir
C:\Qoobox\Quarantine\C\WINNT\unins000.exe.vir
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll.vir
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\softokn3.dll.vir
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\freebl3.dll.vir
C:\Qoobox\Quarantine\C\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe.vir
C:\Qoobox\Quarantine\C\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe.vir
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\Ren ID33.exe.vir
C:\Qoobox\Quarantine\C\WINNT\WINHELP.INI.vir
C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
C:\Qoobox\Quarantine\C\WINNT\system32\CEUTIL.DLL.vir
C:\Qoobox\Quarantine\C\Program Files\Apache Group\Apache2\bin\Apache.exe.vir
C:\Qoobox\Quarantine\C\WINNT\IsUninst.exe.vir
C:\Qoobox\Quarantine\C\WINNT\Web\default.htt.vir
C:\Qoobox\Quarantine\C\WINNT\Speech\vtxtauto.tlb.vir
C:\Qoobox\Quarantine\C\WINNT\Speech\vcauto.tlb.vir
C:\Qoobox\Quarantine\C\WINNT\INRES.DLL.vir
C:\Qoobox\Quarantine\C\WINNT\P17DEF.EXE.vir
C:\Qoobox\Quarantine\C\WINNT\system32\cmuda.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system\SmWizard.exe.vir
C:\Qoobox\Quarantine\C\WINNT\system\cmicnfg.cpl.vir
C:\Qoobox\Quarantine\C\WINNT\system32\cmirmdrv.exe.vir
C:\Qoobox\Quarantine\C\WINNT\system32\ac3filter.cpl.vir
C:\Qoobox\Quarantine\C\WINNT\msagent\agtctl15.tlb.vir
C:\Qoobox\Quarantine\C\WINNT\system32\activeds.tlb.vir
C:\Qoobox\Quarantine\C\WINNT\system32\qmgr.dll.vir
C:\Qoobox\Quarantine\C\WINNT\MIDIDEF.EXE.vir
C:\Qoobox\Quarantine\C\WINNT\system\cmids3d.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system32\Audio3D.dll.vir
C:\Qoobox\Quarantine\C\WINNT\system32\bdeadmin.cpl.vir
C:\Qoobox\Quarantine\C\WINNT\system32\Ac3audio.ax.vir
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\MSIOFF9.OCX.vir
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRVPS.DLL.vir
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE.vir
C:\Qoobox\Quarantine\C\WINNT\system32\COMMTB32.DLL.vir
C:\Qoobox\Quarantine\C\WINNT\system32\CFX32.OCX.vir
Quit::


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\DeQuarantine.txt which I will require in your next reply.

If you are up for it and would like to help us out, I would like to test that the false positives have been successfully removed. Just so we are clear, it would help us, but it is not part of the malware removal for your PC.
If you want to do this, please download a fresh copy of ComboFix from here: Link, save it to your Desktop and run it. Post the log from ComboFix in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#15 totaldecodes

totaldecodes
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:03:09 AM

Posted 20 May 2010 - 03:45 PM

Firstly, after ComboFix had first run, Firefox didn't work but IE did. After the dequarantine neither browser will now connect. Also, during the ComboFix run it asked if I wanted to download a new version of ComboFix. I answered yes to this as I thought that was the best option.

Here is the log DeQuarantine.txt.

C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\EnigmaAccess.exe.vir -> C:\Documents and Settings\Jeff Haley\Desktop\EnigmaAccess.exe ( 151552 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\idafree49.exe.vir -> C:\Documents and Settings\Jeff Haley\Desktop\idafree49.exe ( 15689246 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\nvu-1.0-win32-installer-full.exe.vir -> C:\Documents and Settings\Jeff Haley\Desktop\nvu-1.0-win32-installer-full.exe ( 6904036 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\OnyxSetupV2.0.15.0.exe.vir -> C:\Documents and Settings\Jeff Haley\Desktop\OnyxSetupV2.0.15.0.exe ( 15776696 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Desktop\Ren ID33.exe.vir -> C:\Documents and Settings\Jeff Haley\Desktop\Ren ID33.exe ( 443904 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\MRADIO.EXE.pif.vir -> C:\Documents and Settings\Jeff Haley\Recent\MRADIO.EXE.pif ( 2855 bytes )
C:\Qoobox\Quarantine\C\Documents and Settings\Jeff Haley\Recent\WinZip running DOS program.pif.vir -> C:\Documents and Settings\Jeff Haley\Recent\WinZip running DOS program.pif ( 2855 bytes )
C:\Qoobox\Quarantine\C\Program Files\Apache Group\Apache2\bin\Apache.exe.vir -> C:\Program Files\Apache Group\Apache2\bin\Apache.exe ( 20541 bytes )
C:\Qoobox\Quarantine\C\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe.vir -> C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe ( 68096 bytes )
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\MSIOFF9.OCX.vir -> C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSIOFF9.OCX ( 380928 bytes )
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE.vir -> C:\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE ( 44032 bytes )
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRVPS.DLL.vir -> C:\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRVPS.DLL ( 5120 bytes )
C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir -> C:\Program Files\INSTALL.LOG ( 542 bytes )
C:\Qoobox\Quarantine\C\Program Files\LibUSB-Win32\unins000.exe.vir -> C:\Program Files\LibUSB-Win32\unins000.exe ( 695609 bytes )
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\freebl3.dll.vir -> C:\Program Files\Mozilla Firefox\freebl3.dll ( 249856 bytes )
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\nssdbm3.dll.vir -> C:\Program Files\Mozilla Firefox\nssdbm3.dll ( 98304 bytes )
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll.vir -> C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll ( 24673 bytes )
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\softokn3.dll.vir -> C:\Program Files\Mozilla Firefox\softokn3.dll ( 155648 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2DDISK.dll.vir -> C:\WINNT\Crystal\U2DDISK.dll ( 28672 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2DMAPI.dll.vir -> C:\WINNT\Crystal\U2DMAPI.dll ( 40960 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dnotes.dll.vir -> C:\WINNT\Crystal\u2dnotes.dll ( 53248 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dpost.dll.vir -> C:\WINNT\Crystal\u2dpost.dll ( 102400 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\u2dvim.dll.vir -> C:\WINNT\Crystal\u2dvim.dll ( 57344 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FCR.dll.vir -> C:\WINNT\Crystal\U2FCR.dll ( 28672 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FDIF.dll.vir -> C:\WINNT\Crystal\U2FDIF.dll ( 36864 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FHTML.dll.vir -> C:\WINNT\Crystal\U2FHTML.dll ( 45056 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FSEPV.dll.vir -> C:\WINNT\Crystal\U2FSEPV.dll ( 36864 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FTEXT.dll.vir -> C:\WINNT\Crystal\U2FTEXT.dll ( 90112 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FWKS.dll.vir -> C:\WINNT\Crystal\U2FWKS.dll ( 40960 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FWORDW.dll.vir -> C:\WINNT\Crystal\U2FWORDW.dll ( 106496 bytes )
C:\Qoobox\Quarantine\C\WINNT\Crystal\U2FXLS.dll.vir -> C:\WINNT\Crystal\U2FXLS.dll ( 212992 bytes )
C:\Qoobox\Quarantine\C\WINNT\INRES.DLL.vir -> C:\WINNT\INRES.DLL ( 11264 bytes )
C:\Qoobox\Quarantine\C\WINNT\IsUninst.exe.vir -> C:\WINNT\IsUninst.exe ( 306688 bytes )
C:\Qoobox\Quarantine\C\WINNT\iun507.exe.vir -> C:\WINNT\iun507.exe ( 286720 bytes )
C:\Qoobox\Quarantine\C\WINNT\MIDIDEF.EXE.vir -> C:\WINNT\MIDIDEF.EXE ( 49152 bytes )
C:\Qoobox\Quarantine\C\WINNT\msagent\agtctl15.tlb.vir -> C:\WINNT\msagent\agtctl15.tlb ( 17920 bytes )
C:\Qoobox\Quarantine\C\WINNT\P17DEF.EXE.vir -> C:\WINNT\P17DEF.EXE ( 20480 bytes )
C:\Qoobox\Quarantine\C\WINNT\php_mysql.dll.vir -> C:\WINNT\php_mysql.dll ( 49211 bytes )
C:\Qoobox\Quarantine\C\WINNT\Speech\vcauto.tlb.vir -> C:\WINNT\Speech\vcauto.tlb ( 6656 bytes )
C:\Qoobox\Quarantine\C\WINNT\Speech\vtxtauto.tlb.vir -> C:\WINNT\Speech\vtxtauto.tlb ( 6144 bytes )
C:\Qoobox\Quarantine\C\WINNT\system\cmicnfg.cpl.vir -> C:\WINNT\system\cmicnfg.cpl ( 2301952 bytes )
C:\Qoobox\Quarantine\C\WINNT\system\cmids3d.dll.vir -> C:\WINNT\system\cmids3d.dll ( 917504 bytes )
C:\Qoobox\Quarantine\C\WINNT\system\SmWizard.exe.vir -> C:\WINNT\system\SmWizard.exe ( 1454080 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\A3d.dll.vir -> C:\WINNT\system32\A3d.dll ( 65536 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\Ac3audio.ax.vir -> C:\WINNT\system32\Ac3audio.ax ( 294912 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\ac3filter.cpl.vir -> C:\WINNT\system32\ac3filter.cpl ( 180224 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\activeds.tlb.vir -> C:\WINNT\system32\activeds.tlb ( 107520 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\ATL70.DLL.vir -> C:\WINNT\system32\ATL70.DLL ( 84992 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\Audio3D.dll.vir -> C:\WINNT\system32\Audio3D.dll ( 712704 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\bdeadmin.cpl.vir -> C:\WINNT\system32\bdeadmin.cpl ( 183808 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\CEUTIL.DLL.vir -> C:\WINNT\system32\CEUTIL.DLL ( 53325 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\CFX32.OCX.vir -> C:\WINNT\system32\CFX32.OCX ( 307200 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\cmirmdrv.exe.vir -> C:\WINNT\system32\cmirmdrv.exe ( 233472 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\cmuda.dll.vir -> C:\WINNT\system32\cmuda.dll ( 118784 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\COMMTB32.DLL.vir -> C:\WINNT\system32\COMMTB32.DLL ( 57344 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\crpe32.dll.vir -> C:\WINNT\system32\crpe32.dll ( 4587577 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\qmgr.dll.vir -> C:\WINNT\system32\qmgr.dll ( 244224 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe.vir -> C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe ( 200704 bytes )
C:\Qoobox\Quarantine\C\WINNT\unins000.exe.vir -> C:\WINNT\unins000.exe ( 691545 bytes )
C:\Qoobox\Quarantine\C\WINNT\uninst.exe.vir -> C:\WINNT\uninst.exe ( 298496 bytes )
C:\Qoobox\Quarantine\C\WINNT\Web\default.htt.vir -> C:\WINNT\Web\default.htt ( 5296 bytes )
C:\Qoobox\Quarantine\C\WINNT\WINHELP.INI.vir -> C:\WINNT\WINHELP.INI ( 178 bytes )
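The DeQuarantine.txt log above records, for every restored file, its quarantine path, the path it was put back to and its byte count. As an added example that is not part of this thread or of ComboFix, the following Python cross-checks those restored sizes against the "File size" and MD5 values in the VirusTotal reports posted earlier in the thread, so a helper can confirm that the file returned to disk is the same sample that scanned clean rather than something that changed in between. The report excerpts and the three log lines are copied from this thread; the name matching assumes, as happened here, that the copy uploaded to VirusTotal had its space replaced by an underscore (Macromedia_Licensing.exe) while the on-disk name keeps the space. Re-hashing the restored file only happens when read_files=True and the path exists, so the script runs offline on the pasted text alone.

```python
"""Cross-check a ComboFix DeQuarantine.txt log against VirusTotal report data.

Added example, not code from this thread or from ComboFix: confirm that a file
restored from quarantine is the same object that was submitted to VirusTotal,
by comparing the size recorded in the DeQuarantine log with the report's
"File size" and, when the restored file is reachable, its MD5 with the report's.
"""
import hashlib
import os
import re

# One restored file per log line: "<quarantine path>.vir -> <restored path> ( <n> bytes )"
DEQUARANTINE_LINE = re.compile(
    r"^(?P<src>.+?\.vir) -> (?P<dst>.+?) \( (?P<size>\d+) bytes \)$"
)

# Fields taken from a pasted VirusTotal report (header plus "Additional information").
VT_FIELDS = {
    "name": re.compile(r"^File (.+?) received on", re.M),
    "result": re.compile(r"^Result: (\d+/\d+)", re.M),
    "size": re.compile(r"^File size: (\d+) bytes$", re.M),
    "md5": re.compile(r"^MD5\s*: ([0-9a-f]{32})$", re.M),
    "sha256": re.compile(r"^SHA256\s*: ([0-9a-f]{64})$", re.M),
}

# Excerpts of the two VirusTotal reports posted in the thread.
VT_REPORTS = [
    """File Macromedia_Licensing.exe received on 2009.06.02 12:08:26 (UTC)
Result: 0/40 (0.00%)
File size: 68096 bytes
MD5 : 04d3a71875699098af856ee5f9f72ac3
SHA256: b7eb995882cb2f4fe24f9df516583c428840e878d5416965196ba2e2c5943edb
""",
    """File CMIRMDRV.EXE received on 2010.03.11 16:17:10 (UTC)
Result: 0/42 (0.00%)
File size: 233472 bytes
MD5 : 7c50692718c1f38536e0e9aec3e52433
SHA256: e4372c9ebee7021519fe6cfd00f2255963fc6afa36bc249ec4d2b17e1030dc78
""",
]

# Three lines copied from the DeQuarantine.txt log in the thread.
DEQUARANTINE_LOG = r"""C:\Qoobox\Quarantine\C\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe.vir -> C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe ( 68096 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\cmirmdrv.exe.vir -> C:\WINNT\system32\cmirmdrv.exe ( 233472 bytes )
C:\Qoobox\Quarantine\C\WINNT\system32\qmgr.dll.vir -> C:\WINNT\system32\qmgr.dll ( 244224 bytes )
"""


def normalise(name):
    """Key a file by its lower-cased basename. VirusTotal shows the name exactly
    as uploaded, and the copy sent here had its space replaced by an underscore
    (Macromedia_Licensing.exe), so underscores are folded back to spaces."""
    return os.path.basename(name.replace("\\", "/")).lower().replace("_", " ")


def parse_vt_report(text):
    """Pull name, detection ratio, size and hashes out of one pasted report."""
    report = {}
    for key, rx in VT_FIELDS.items():
        m = rx.search(text)
        if m:
            report[key] = m.group(1)
    if "size" in report:
        report["size"] = int(report["size"])
    return report


def parse_dequarantine(text):
    """Return one dict (src, dst, size) per well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = DEQUARANTINE_LINE.match(line.strip())
        if m:
            entries.append({"src": m.group("src"), "dst": m.group("dst"),
                            "size": int(m.group("size"))})
    return entries


def cross_check(log_text, reports, read_files=False):
    """Map each restored file's basename to a verdict string.

    Size is always compared; the MD5 is recomputed only when read_files is
    True and the restored path exists on this machine."""
    by_name = {}
    for rep in (parse_vt_report(t) for t in reports):
        if "name" in rep:
            by_name[normalise(rep["name"])] = rep
    verdicts = {}
    for entry in parse_dequarantine(log_text):
        key = normalise(entry["dst"])
        rep = by_name.get(key)
        if rep is None:
            verdicts[key] = "no VirusTotal report"
        elif entry["size"] != rep.get("size"):
            verdicts[key] = "SIZE MISMATCH: restored %d vs scanned %s" % (entry["size"], rep.get("size"))
        elif read_files and os.path.isfile(entry["dst"]):
            with open(entry["dst"], "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            verdicts[key] = "md5 match" if digest == rep.get("md5") else "MD5 MISMATCH"
        else:
            verdicts[key] = "size matches scanned sample (%s detections)" % rep.get("result")
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(cross_check(DEQUARANTINE_LOG, VT_REPORTS).items()):
        print("%-28s %s" % (name, verdict))
```

Files without a report (qmgr.dll here) are listed so that nothing restored goes unaccounted for; a size mismatch is reported before any hashing, since a different size already means a different file.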





