
Infected with unknown virus threat


14 replies to this topic

#1 reac9

reac9

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 21 June 2010 - 05:02 PM

Running Windows XP Home Service Pack 2

After running SUPERAntiSpyware Pro, I get this and it keeps coming back. Also, when I boot up, Internet Explorer prompts the window to restore the web browser at the last page even though I never launched it and it didn't crash. This keeps coming back.

REGISTRY KEYS
HKLM\SOFT\MICROSOFT\WINDOWS NT\CURRENTVERSIO\WINLOGON#USERINIT

I've run the programs and scanned my PC; I have the logs.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 11:10:03.42 on Mon 06/21/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3063.2476 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
C:\ASUS.SYS\config\DVMExportService.exe
svchost.exe "C:\WINDOWS\system32\AgCPanelSimplifiedChineset.exe"
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\AI Suite\AiNap\AiNap.exe
C:\Program Files\ASUS\AI Suite\QFan3\QFanHelp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2KAXF37Q\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: D: {e6abeec8-03af-3343-9091-8a4420e73b43} - c:\windows\system32\fu57752.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: RadioBar Toolbar: {5b291e6c-9a74-4034-971b-a4b007a0b315} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [qnrrcgik] c:\documents and settings\owner\local settings\application data\garkwc\kxkxsftav.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -b
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli yarewipe.dll
IFEO: ctfmon.exe - c:\windows\system32\ctfmonusw.exe

============= SERVICES / DRIVERS ===============

R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [2010-6-4 9600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-12-16 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 67656]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.02\AsSysCtrlService.exe [2009-11-20 90112]
R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [2009-2-18 294912]
S2 AudioSrvJavaQuickStarterService;Windows Audio AudioSrvJavaQuickStarterService;c:\windows\system32\agcpanelsimplifiedchineset.exe srv --> c:\windows\system32\AgCPanelSimplifiedChineset.exe srv [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-28 136176]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-20 1684736]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 12872]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-06-21 18:05:23 20 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-06-21 17:30:15 0 d-----w- c:\program files\Trend Micro
2010-06-21 06:59:44 43520 ----a-w- c:\windows\system32\o.dat
2010-06-19 02:02:25 235 --s-a-w- c:\windows\system32\667407612.dat
2010-06-18 01:09:04 0 d-----w- C:\.ruby_faster_require_cache
2010-06-17 17:39:50 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-06-17 07:11:34 30854547 ----a-w- C:\THIGHThereSheIsAgainTheFirsTimEyeing.wmv
2010-06-17 05:25:51 241664 ----a-w- c:\windows\system32\fu57752.dll
2010-06-17 04:59:45 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-06-16 00:22:02 0 d-----w- c:\windows\system32\URTTEMP
2010-06-11 16:43:33 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-06 05:04:37 0 d-----w- c:\program files\Hothouse Creations
2010-06-06 05:01:11 315904 ----a-w- c:\windows\IsUninst.exe
2010-06-06 05:01:07 0 d-----w- c:\documents and settings\owner\WINDOWS
2010-06-04 23:51:40 9600 ----a-w- c:\windows\system32\drivers\ISODisk.sys
2010-06-04 23:51:40 0 d-----w- c:\program files\ISODisk
2010-05-31 17:17:57 0 d-----w- c:\program files\YomaTools

==================== Find3M ====================

2010-06-16 00:43:11 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-16 00:21:34 669184 ----a-w- c:\windows\system32\pbsvc.exe
2010-05-06 10:41:53 9728 ----a-w- c:\windows\system32\ctfmonusw.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 18:40:40 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-27 18:40:40 133616 ------w- c:\windows\system32\pxafs.dll
2010-04-27 18:40:40 126448 ------w- c:\windows\system32\pxinsi64.exe
2010-04-27 18:40:40 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-01 17:14:25 21840 ----atw- c:\windows\system32\SIntfNT.dll
2010-04-01 17:14:25 17212 ----atw- c:\windows\system32\SIntf32.dll
2010-04-01 17:14:25 12067 ----atw- c:\windows\system32\SIntf16.dll
2010-03-27 21:43:35 323584 ----a-w- c:\windows\system32\AUDIOGENIE2.DLL
2006-06-24 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2009-12-26 05:08:33 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-26 02:45:54 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-12-26 02:45:54 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat
2009-12-26 02:45:54 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-12-26 02:45:54 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-12-26 02:45:54 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 11:10:58.12 ===============

I also have a HijackThis log if needed. Thank you guys for taking the time to look through this.

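As an added example (not part of the thread and not code from the DDS tool), here is a small Python triage script that runs over the Pseudo HJT Report lines quoted in the log above and flags the entries a helper would look at first: the proxy pointed at the loopback interface, the extra LSA notification package, the IFEO debugger registered for ctfmon.exe, the run entry living under the user profile, and the BHO with a one-letter name and a digit-heavy DLL. The rules, thresholds and the assumption that a stock Windows XP box lists only scecli as an LSA notification package are this example's own.

```python
import re

# Constructed sample: a subset of the Pseudo HJT Report lines quoted in the post above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: D: {e6abeec8-03af-3343-9091-8a4420e73b43} - c:\windows\system32\fu57752.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [qnrrcgik] c:\documents and settings\owner\local settings\application data\garkwc\kxkxsftav.exe
mRun: [RTHDCPL] RTHDCPL.EXE
LSA: Notification Packages = scecli yarewipe.dll
IFEO: ctfmon.exe - c:\windows\system32\ctfmonusw.exe
"""

# Assumption: on a stock Windows XP box the only LSA notification package is scecli.
KNOWN_LSA_PACKAGES = {"scecli"}

# User-writable profile locations that legitimate autoruns rarely live in.
PROFILE_PATH = re.compile(
    r"documents and settings|application data|local settings|\\temp\\", re.I)

RUN_RE = re.compile(r"[um]Run: \[([^\]]+)\] (.*)")
BHO_RE = re.compile(r"BHO: (?:(.*?): )?\{[^}]+\} - (.*)")
LSA_RE = re.compile(r"LSA: Notification Packages = (.*)")
IFEO_RE = re.compile(r"IFEO: (\S+) - (.*)")


def digit_heavy(filename: str) -> bool:
    """True when at least half of the file's stem is digits (e.g. fu57752.dll)."""
    stem = filename.rsplit(".", 1)[0]
    return bool(stem) and 2 * sum(ch.isdigit() for ch in stem) >= len(stem)


def triage_line(line: str):
    """Return (category, detail) when a report line matches a hijack pattern, else None."""
    line = line.strip()
    if "ProxyServer" in line:
        # A proxy on the loopback interface means something local is relaying browser traffic.
        value = line.split("=", 1)[1].strip()
        if re.search(r"127\.0\.0\.1|localhost", value):
            return ("local-proxy", value)
    elif m := LSA_RE.match(line):
        # Every package listed here is loaded by LSASS on password changes; extras are suspect.
        extra = [p for p in m.group(1).split() if p.lower() not in KNOWN_LSA_PACKAGES]
        if extra:
            return ("lsa-notification-package", " ".join(extra))
    elif m := IFEO_RE.match(line):
        # An IFEO debugger runs in place of the named program every time it starts.
        return ("ifeo-debugger", f"{m.group(1)} -> {m.group(2)}")
    elif m := RUN_RE.match(line):
        name, path = m.groups()
        if PROFILE_PATH.search(path):
            return ("run-from-profile", f"[{name}] {path}")
    elif m := BHO_RE.match(line):
        desc, path = m.groups()
        basename = path.rsplit("\\", 1)[-1]
        if len(desc or "") <= 2 or digit_heavy(basename):
            return ("bho-suspicious", f"{desc or '<no name>'} -> {path}")
    return None


def triage_report(text: str):
    """Run triage_line over every line of a report and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for category, detail in triage_report(SAMPLE_REPORT):
        print(f"{category:26} {detail}")
```

The hits map one-to-one onto the items Farbar's CFScript and the later VirusTotal check go after, which is the point: the DDS report already names the persistence points before any removal tool is run.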

#2 reac9

reac9

Posted 23 June 2010 - 01:25 PM

I'm still having this issue and malware keeps being found by my SUPERAntiSpyware.

Malware.Trace
Backdoor bot [zbot]
Trojan agent/gen
Trojan agent/gen SDRA

Something called Malware.Trace with this REGISTRY KEY
HKLM\SOFT\MICROSOFT\WINDOWS NT\CURRENTVERSIO\WINLOGON#USERINIT

Please help, it's been a few days since I've posted and I know you're busy, but this chit keeps coming back even after it's quarantined.



#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:51 PM

Posted 27 June 2010 - 05:23 PM

Hi reac9,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#4 reac9

reac9

Posted 29 June 2010 - 11:11 PM

Hello and thanks for the response. I have changed nothing, but I have been running SUPERAntiSpyware. The same Trojans I listed keep coming up, though there was a new one. I can upload my SUPERAntiSpyware logs if you like. When I open Task Manager I see a lot of Iexplorer.exe as well.

#5 Farbar

Farbar


Posted 30 June 2010 - 04:25 AM

The computer is heavily infected. We will start by taking care of a rootkit and then remove the rest.
  1. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me whether it needed a reboot.
    • It also makes a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


    Note:
    In case malware prevented the mbam-setup.exe file from installing, rename it to something.exe

    In case malware prevented it from updating or running, using Windows Explorer (right-click start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    Locate the file mbam.exe and rename it to clear.exe, then double-click to run it.

    In case the Malwarebytes exe gets deleted by the malware (Code 2 error, mbam.exe not found) download a randomized renamed mbam.exe version from here.
    Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder and run the renamed file from there directly instead of using the shortcut.


#6 reac9

reac9

Posted 30 June 2010 - 02:15 PM

I ran the programs and have uploaded the logs. For the tdsskiller.exe I did have to reboot. Malwarebytes did prompt saying it could not delete a certain file, and I rebooted. I did not have a problem installing either software or running them. Will wait patiently for your response. Thank you again.



#7 Farbar

Farbar


Posted 30 June 2010 - 02:31 PM

Well done.

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to remove the infection please go on with the following steps.


Removal Instructions


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#8 reac9

reac9

Posted 30 June 2010 - 03:01 PM

Here it is, and I'm thinking about a reformat. How can I be sure it's completely gone? I don't want to do it unless it's necessary.

Attached Files

  • Attached File  log.txt   20.14KB   3 downloads


#9 Farbar

Farbar


Posted 30 June 2010 - 04:09 PM

I can't say it is necessary. Let's clean some leftovers.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#10 reac9

reac9

Posted 30 June 2010 - 05:13 PM

Here is the second log. Can someone look at these logs and potentially gain access or use the information within for malicious intent if they wanted to?

Attached Files

  • Attached File  log2.txt   16.51KB   3 downloads


#11 Farbar

Farbar


Posted 30 June 2010 - 06:59 PM

We would never ask people to post sensitive information on the forum. There are rare cases where the user has chosen their real name and family name as the name of the account they use to log in. In those cases they could be accidentally recognized by other people and they are not anonymous any more. In those cases they choose to replace the real name in the logs before posting to the forum.

Click on this link--> virustotal

Click the Browse button. Copy and paste the line in bold into the open box, then click Send File.

c:\windows\system32\mspmsnsv.dll

If the file has been analysed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#12 reac9

reac9

Posted 30 June 2010 - 08:39 PM

Hope this is what you meant by "Copy and paste in next post".

Virus Total scan log


Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.01 -
AhnLab-V3 2010.07.01.00 2010.07.01 -
AntiVir 8.2.4.2 2010.06.30 -
Antiy-AVL 2.0.3.7 2010.06.30 -
Authentium 5.2.0.5 2010.07.01 -
Avast 4.8.1351.0 2010.06.30 -
Avast5 5.0.332.0 2010.06.30 -
AVG 9.0.0.836 2010.07.01 -
BitDefender 7.2 2010.07.01 -
CAT-QuickHeal 11.00 2010.06.30 -
ClamAV 0.96.0.3-git 2010.07.01 -
Comodo 5271 2010.07.01 -
DrWeb 5.0.2.03300 2010.07.01 -
eSafe 7.0.17.0 2010.06.30 -
eTrust-Vet 36.1.7677 2010.06.30 -
F-Prot 4.6.1.107 2010.06.30 -
F-Secure 9.0.15370.0 2010.07.01 -
Fortinet 4.1.133.0 2010.06.30 -
GData 21 2010.07.01 -
Ikarus T3.1.1.84.0 2010.07.01 -
Jiangmin 13.0.900 2010.06.30 -
Kaspersky 7.0.0.125 2010.07.01 -
McAfee 5.400.0.1158 2010.07.01 -
McAfee-GW-Edition 2010.1 2010.06.30 -
Microsoft 1.5902 2010.07.01 -
NOD32 5241 2010.06.30 -
Norman 6.05.10 2010.06.30 -
nProtect 2010-06-30.01 2010.06.30 -
Panda 10.0.2.7 2010.06.30 -
PCTools 7.0.3.5 2010.07.01 -
Prevx 3.0 2010.07.01 -
Rising 22.54.02.04 2010.06.30 -
Sophos 4.54.0 2010.07.01 -
Sunbelt 6529 2010.07.01 -
Symantec 20101.1.0.89 2010.06.30 -
TheHacker 6.5.2.0.305 2010.06.30 -
TrendMicro 9.120.0.1004 2010.06.30 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.01 -
VBA32 3.12.12.5 2010.06.30 -
ViRobot 2010.6.29.3912 2010.06.30 -
VirusBuster 5.0.27.0 2010.06.30 -
Additional information
File size: 27648 bytes
MD5...: 482069cda24aa0e94b1351e30eb3d01f
SHA1..: 56647b777a433bdd4292a89aa435c6cedac62fa1
SHA256: c5238e6da85d6854a119a9687be8448b8483ebd483f7823150cc0b24d321d26f
ssdeep: 768:oQrdsm8SJc6gDL/CSSZVLiWh907VRf+TQ5N:oQrdsm8SJ4DLKjisK/+T8N

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3b70
timedatestamp.....: 0x44ee8b2a (Fri Aug 25 05:31:22 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5217 0x5400 6.44 3f2bb39205757aac1d8ca8237582c5a7
.data 0x7000 0x68c 0x400 5.83 05e48ce95c056451a34b5764dd77504f
.rsrc 0x8000 0x7f8 0x800 3.36 ba636e06c9a8e7909015ab5a691c9cf2
.reloc 0x9000 0x72c 0x800 4.28 43e435e9c86ab0015f2b97cdd4a362e9

( 3 imports )
> msvcrt.dll: _adjust_fdiv, _amsg_exit, _initterm, free, malloc, _XcptFilter, ___U@YAPAXI@Z, ___V@YAXPAX@Z, __2@YAPAXI@Z, memmove, memset, memcpy, __3@YAXPAX@Z, _purecall
> KERNEL32.dll: WideCharToMultiByte, WaitNamedPipeW, CreateFileA, CreateFileW, DeviceIoControl, CompareStringA, GetVersionExA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, QueryPerformanceCounter, RtlUnwind, InterlockedCompareExchange, InterlockedExchange, GetModuleFileNameA, FormatMessageA, LoadLibraryExA, GetProcAddress, FormatMessageW, FreeLibrary, LeaveCriticalSection, EnterCriticalSection, GetDriveTypeW, GetLastError, CreateEventA, DisconnectNamedPipe, WaitForSingleObject, CancelIo, CloseHandle, SetEvent, ConnectNamedPipe, ReadFile, WriteFile, WaitForMultipleObjects, GetOverlappedResult, ResetEvent, LocalFree, CreateNamedPipeA, LocalAlloc, DeleteCriticalSection, DisableThreadLibraryCalls, InitializeCriticalSection, SetLastError, Sleep, GetTickCount
> ADVAPI32.dll: StartServiceA, TraceMessage, CreateServiceA, RegSetValueExA, RegCreateKeyA, RegQueryValueExW, RegSetValueExW, RegCloseKey, ControlService, DeleteService, RegDeleteKeyA, QueryServiceStatus, GetSecurityInfo, SetSecurityInfo, RegisterServiceCtrlHandlerA, AllocateAndInitializeSid, SetEntriesInAclA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, FreeSid, ImpersonateNamedPipeClient, RevertToSelf, SetServiceStatus, RegisterEventSourceA, ReportEventA, DeregisterEventSource, OpenSCManagerA, OpenServiceA, CloseServiceHandle

( 4 exports )
DllMain, DllRegisterServer, DllUnregisterServer, ServiceMain

RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Windows Media Device Manager
description..: Microsoft Media Device Service Provider
original name: MsPMSNSv.dll
internal name: MsPMSNSv.dll
file version.: 11.0.5705.5043
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)


#13 Farbar

Farbar


Posted 01 July 2010 - 01:02 AM

Yes that is what I meant.

The computer is basically clean of active malware; we want to check the whole system once.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions. You have:

    Java™ 6 Update 18

  2. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


#14 Farbar

Farbar


Posted 05 July 2010 - 04:24 PM

Are you still there?

#15 Farbar

Farbar


Posted 07 July 2010 - 06:43 AM


This thread will now be closed since the issue seems to be resolved.

If you should have a new issue, please start a new topic.



