New Infected Install

Post by blaze » July 1st, 2010, 11:48 am

I just did a fresh install of XP SP2. Copied some of my old documents from my external HD. Although I never used to get this on my old computer with the same anti-virus, documents and SP2.

Every time I log in after a boot, the screen freezes. Sometimes I get the desktop, sometimes I don't. Either way, the cursor freezes and nothing can be clicked.

I booted into safe mode, ran Avira anti-virus and got infections like TR/Agent.HF.30 [trojan], TR/ATRAPS.Gen2 [trojan], 35[1].exe, XIGD.tmp, GGL12.tmp... Some files the AV is able to delete and some get access denied. Either way, when I reboot in safe mode and run the scan again, all infections reappear.

----------HIJACK THIS LOG-----------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:50:50 PM, on 7/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Temp\wpv041277975692.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\78636.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\78636.exe
C:\WINDOWS\Temp\wpv701277975838.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\197.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\38ab69.exe
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Firewall Client Management.lnk = C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{877DAA8B-A153-45DA-AE47-1ECAEDDEAD1A}: NameServer = 128.1.100.1,128.1.100.2
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 5491 bytes



------------uninstall log---------
Acrobat.com
Acrobat.com
Adobe Acrobat 5.0
Adobe AIR
Adobe AIR
Adobe Reader 9
Agere Systems HDA Modem
Alt-N ComAgent
Avira AntiVir Personal - Free Antivirus
Broadcom 802.11 Wireless LAN Adapter
HP Integrated Module with Bluetooth wireless technology
IDT Audio
Intel(R) Graphics Media Accelerator Driver
LiveUpdate 3.3 (Symantec Corporation)
Macrium Reflect - Free Edition
Marvell Miniport Driver
Microsoft Firewall Client
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Nero 6 Enterprise Edition
Network Print Monitor for Windows 2000/XP
Symantec Endpoint Protection
Windows Installer 3.1 (KB893803)
WinRAR archiver
blaze
Active Member
Posts: 10
Joined: July 1st, 2010, 11:34 am
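As an added example (not part of the original thread, and not HijackThis or any tool used in it), a small Python triage script that applies the checks a helper performs by eye on a log like the one above: it parses the "Running processes" and O4 autostart lines, then flags binaries running from a Temp directory, short numeric/hex file names, and one image registered under several Run keys including Policies\Explorer\Run. The sample lines are copied from the posted log; the heuristics themselves are this example's assumptions, not detections from any product.

```python
# Triage of HijackThis "Running processes" and O4 autostart lines.
# Added example for this thread, not a tool used in it; the heuristics
# (binaries in a Temp directory, short numeric/hex names, one image under
# several Run keys, use of Policies\Explorer\Run) are assumptions chosen
# because they match what the posted log shows.
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Temp\wpv041277975692.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\78636.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\197.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS\system32\38ab69.exe
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - Global Startup: Bluetooth.lnk = ?
"""

# Registry O4 entries look like "O4 - <hive>\..\<key>: [<value name>] <command>".
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Any path component named Temp: matches C:\WINDOWS\Temp and the 8.3-shortened
# C:\DOCUME~1\...\LOCALS~1\Temp form seen in the log.
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# 3-12 hex/decimal characters plus .exe (78636.exe, 197.exe, 38ab69.exe):
# a naming pattern legitimate Windows system binaries essentially never use.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{3,12}\.exe$", re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from an O4 command line (unquoted paths with spaces are not handled)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def parse_processes(log: str) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, in_section = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            in_section = True
        elif in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def parse_o4(log: str) -> list[dict[str, str]]:
    """Return registry O4 entries as {key, name, path}; Global Startup lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"key": m["key"], "name": m["name"], "path": image_path(m["cmd"])})
    return entries


def triage(log: str) -> dict[str, list[str]]:
    """Map each suspicious image path to the reasons it was flagged."""
    findings: dict[str, list[str]] = defaultdict(list)
    for proc in parse_processes(log):
        if TEMP_RE.search(proc):
            findings[proc].append("process running from a Temp directory")
        if RANDOM_NAME_RE.match(proc.rsplit("\\", 1)[-1]):
            findings[proc].append("random-looking numeric/hex file name")
    # Group autostart entries by image so one binary registered under HKLM and
    # HKCU, Run and Policies\Explorer\Run, is reported as a single finding.
    by_path: dict[str, list[dict[str, str]]] = defaultdict(list)
    for entry in parse_o4(log):
        by_path[entry["path"].lower()].append(entry)
    for entries in by_path.values():
        path = entries[0]["path"]
        keys = sorted({e["key"] for e in entries})
        if len(keys) > 1:
            findings[path].append(f"registered under {len(keys)} Run keys: " + ", ".join(keys))
        if any("Policies\\Explorer\\Run" in k for k in keys):
            findings[path].append("uses Policies\\Explorer\\Run, which legitimate installers rarely touch")
        if RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            findings[path].append("random-looking numeric/hex file name")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Run against the sample, the script singles out exactly the five images the thread later confirms as malicious (the Temp droppers, 38ab69.exe and the four-way registered userini.exe) while leaving smss.exe, Explorer and the two AV entries alone.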

Re: New Infected Install

Post by deltalima » July 4th, 2010, 7:13 am

Hi blaze,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Multiple Anti-Virus programs

  • It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
    Symantec Endpoint Protection
    Avira AntiVir Personal - Free Antivirus
  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
  • Please remove one of them.

Next

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

CKScanner

  • Please download CKScanner from here to your Desktop.
    Make sure that CKScanner.exe is on your Desktop before running the application!
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New Infected Install

Post by blaze » July 4th, 2010, 7:36 am

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-7KK92-W7M8F-7JYMT
Windows Product Key Hash: 88ehqsac7jsW/qEQBiYTDvo0rrk=
Windows Product ID: 76488-641-2114947-23400
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
ID: {C7AAA97E-1006-42AF-92CC-5650CBD8E0F0}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
Microsoft Office Visio Professional 2007 - 100 Genuine
Microsoft Office Project Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: (raw GenuineResults XML omitted)

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: A5CC:Compaq Computer Corporation|128BA:Compaq Computer Corporation|1FFEA:Compaq Computer Corporation|12863:Compaq Computer Corporation|12863:Compaq Computer Corporation|1FFEA:Hewlett-Packard Company|12863:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A




CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----
blaze
Active Member
Posts: 10
Joined: July 1st, 2010, 11:34 am

Re: New Infected Install

Post by deltalima » July 4th, 2010, 7:43 am

Hi blaze,

Did you remove one of the antivirus programs?

TFC

  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New Infected Install

Post by blaze » July 4th, 2010, 8:04 am

Yes, I did uninstall Symantec from my machine.
Ran the TFC executable and then Malwarebytes' Anti-Malware.
After I cleaned the infections and rebooted with Malwarebytes, my Avira picked up those processes again after the reboot.

Here is the log for the AntiMalware:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4274

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/4/2010 5:05:01 PM
mbam-log-2010-07-04 (17-05-01).txt

Scan type: Quick scan
Objects scanned: 126550
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\Temp\wpv651277975692.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\Documents and Settings\The Networks\Local Settings\Temp\83958.exe (Packed.Krap) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft(r) system manager (Backdoor.IRCBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\wpv651277975692.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\The Networks\Local Settings\Temp\83958.exe (Packed.Krap) -> Delete on reboot.
C:\WINDOWS\system32\userini.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\The Networks\Local Settings\Temp\~TMA.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\The Networks\Local Settings\Temporary Internet Files\Content.IE5\WTQVGTU7\default[1].exe (Packed.Krap) -> Quarantined and deleted successfully.
C:\Documents and Settings\The Networks\Local Settings\Temporary Internet Files\Content.IE5\WTQVGTU7\update[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcrt2.dll (Malware.Traces) -> Quarantined and deleted successfully.
C:\Documents and Settings\The Networks\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer.exe:userini.exe (Rootkit.ADS) -> Quarantined and deleted successfully.
blaze
Active Member
Posts: 10
Joined: July 1st, 2010, 11:34 am

Re: New Infected Install

Post by deltalima » July 4th, 2010, 8:21 am

Hi blaze,

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Please also post the Avira log for the recent detections.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New Infected Install

Post by blaze » July 4th, 2010, 8:39 am

OTL logfile created on: 7/4/2010 5:31:20 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\The Networks\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.00 Gb Total Space | 36.24 Gb Free Space | 72.48% Space Free | Partition Type: NTFS
Drive D: | 415.75 Gb Total Space | 413.38 Gb Free Space | 99.43% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SHMA-D3CBE2BE50
Current User Name: The Networks
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\The Networks\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (Avira GmbH)
PRC - C:\Program Files\Macrium\Reflect\ReflectService.exe ()
PRC - c:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
PRC - C:\WINDOWS\system32\AESTFltr.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe (Broadcom Corporation.)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\LSI SoftModem\agrsmsvc.exe (Agere Systems)
PRC - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
PRC - C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe (Microsoft (R) Corporation)
PRC - C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe (Microsoft (R) Corporation)
PRC - C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\The Networks\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\BtMmHook.dll (Broadcom Corporation.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (AntiVirScheduler) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (Avira GmbH)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (Avira GmbH)
SRV - (ReflectService) -- C:\Program Files\Macrium\Reflect\ReflectService.exe ()
SRV - (STacSV) -- c:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
SRV - (AgereModemAudio) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe (Agere Systems)
SRV - (FwcAgent) -- C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe (Microsoft (R) Corporation)
SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (avipbb) -- C:\WINDOWS\system32\drivers\avipbb.sys (Avira GmbH)
DRV - (avgntflt) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys (Avira GmbH)
DRV - (avgio) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys (Avira GmbH)
DRV - (RTL8192se) -- C:\WINDOWS\system32\drivers\rtl8192se.sys (Realtek Semiconductor Corporation )
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (NETw5x32) Intel(R) -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (pssnap) -- C:\WINDOWS\system32\DRIVERS\pssnap.sys (Macrium Software)
DRV - (ssmdrv) -- C:\WINDOWS\system32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys (Windows (R) Server 2003 DDK provider)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1417001333-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1417001333-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1417001333-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1417001333-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = PROXY02:7080



O1 HOSTS File: ([2006/02/28 17:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk = C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe (Microsoft (R) Corporation)
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKU\S-1-5-21-1417001333-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft (R) Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft (R) Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft (R) Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft (R) Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Microsoft Firewall Client 2004\FwcWsp.dll (Microsoft (R) Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.15.1 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\The Networks\Application Data\yftza.exe) - C:\Documents and Settings\The Networks\Application Data\yftza.exe ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/19 07:45:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{ca677df1-4b62-11df-8b80-18a905df0acc}\Shell\AutoRun\command - "" = F:\MARAJAH\karajana.exe -- File not found
O33 - MountPoints2\{ca677df1-4b62-11df-8b80-18a905df0acc}\Shell\open\command - "" = F:\MARAJAH\karajana.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/07/04 17:30:30 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\The Networks\Desktop\OTL.exe
[2010/07/04 16:56:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Networks\Application Data\Malwarebytes
[2010/07/04 16:56:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/04 16:56:35 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/04 16:56:35 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/07/04 16:56:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/04 16:54:36 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\The Networks\Desktop\mbam-setup.exe
[2010/07/04 16:51:06 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\The Networks\Desktop\TFC.exe
[2010/07/04 16:34:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/07/04 16:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/07/04 16:31:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010/07/04 16:29:15 | 002,031,992 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\The Networks\Desktop\MGADiag.exe
[2010/07/04 16:27:23 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/07/01 19:14:26 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/07/01 19:07:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Networks\Local Settings\Application Data\Temp
[2010/07/01 19:07:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Networks\Local Settings\Application Data\Google
[2010/07/01 19:06:06 | 000,000,000 | --SD | C] -- C:\Documents and Settings\The Networks\UserData
[2010/07/01 17:55:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Firewall Client 2004
[2010/07/01 17:53:31 | 000,045,376 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/07/01 17:53:31 | 000,028,352 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/07/01 17:53:31 | 000,022,336 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/07/01 17:53:29 | 000,075,096 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/07/01 17:53:28 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/07/01 17:53:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/07/01 16:50:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\The Networks\Local Settings\Application Data\Ahead
[2010/07/01 16:49:00 | 000,000,000 | -HSD | C] -- C:\RECYCLER

========== Files - Modified Within 30 Days ==========

[2010/07/04 17:30:30 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\The Networks\Desktop\OTL.exe
[2010/07/04 17:11:33 | 000,360,888 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/04 17:11:33 | 000,057,220 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/04 17:11:32 | 000,423,660 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/04 17:07:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/04 17:07:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/04 17:07:01 | 3212,103,680 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/04 17:06:32 | 001,048,576 | -H-- | M] () -- C:\Documents and Settings\The Networks\NTUSER.DAT
[2010/07/04 17:06:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\The Networks\ntuser.ini
[2010/07/04 17:06:05 | 006,405,384 | -H-- | M] () -- C:\Documents and Settings\The Networks\Local Settings\Application Data\IconCache.db
[2010/07/04 16:56:38 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/04 16:54:36 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\The Networks\Desktop\mbam-setup.exe
[2010/07/04 16:51:06 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\The Networks\Desktop\TFC.exe
[2010/07/04 16:34:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/04 16:29:32 | 000,451,584 | ---- | M] () -- C:\Documents and Settings\The Networks\Desktop\CKScanner.exe
[2010/07/04 16:29:15 | 002,031,992 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\The Networks\Desktop\MGADiag.exe
[2010/07/01 19:16:06 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2010/07/01 19:07:10 | 000,132,608 | RHS- | M] () -- C:\Documents and Settings\The Networks\Application Data\yftza.exe
[2010/07/01 17:59:57 | 000,075,096 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/07/01 17:55:25 | 000,001,999 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk
[2010/07/01 17:44:04 | 771,993,767 | ---- | M] () -- C:\Documents and Settings\The Networks\My Documents\TempImage.nrg

========== Files Created - No Company Name ==========

[2010/07/04 16:56:38 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/04 16:29:19 | 000,451,584 | ---- | C] () -- C:\Documents and Settings\The Networks\Desktop\CKScanner.exe
[2010/07/03 20:16:41 | 3212,103,680 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/01 19:07:11 | 000,132,608 | RHS- | C] () -- C:\Documents and Settings\The Networks\Application Data\yftza.exe
[2010/07/01 17:55:25 | 000,001,999 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Firewall Client Management.lnk
[2010/07/01 16:52:50 | 771,993,767 | ---- | C] () -- C:\Documents and Settings\The Networks\My Documents\TempImage.nrg
[2010/04/19 08:45:56 | 000,000,162 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/04/19 08:25:29 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2010/04/19 08:25:27 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2010/04/19 08:04:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2010/04/19 08:03:27 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2010/04/19 08:03:27 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2010/04/19 08:03:11 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2010/04/19 08:03:11 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2010/04/19 08:03:09 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2008/12/11 14:22:10 | 002,854,976 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2006/02/28 17:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/02/28 17:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2005/02/17 11:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 11:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 12:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
< End of report >

*********************************************************
OTL Extras logfile created on: 7/4/2010 5:31:20 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Documents and Settings\The Networks\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 50.00 Gb Total Space | 36.24 Gb Free Space | 72.48% Space Free | Partition Type: NTFS
Drive D: | 415.75 Gb Total Space | 413.38 Gb Free Space | 99.43% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SHMA-D3CBE2BE50
Current User Name: The Networks
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}" = Microsoft Firewall Client
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = HP Integrated Module with Bluetooth wireless technology
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00B4-0409-0000-0000000FF1CE}" = Microsoft Office Project MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
"{986389BF-2AE7-4C4D-B284-519BA869EDD1}" = Macrium Reflect - Free Edition
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"Alt-N ComAgent" = Alt-N ComAgent
"AntiVir PersonalEdition Classic" = Avira AntiVir Personal - Free Antivirus
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Marvell Miniport Driver" = Marvell Miniport Driver
"Nero - Burning Rom!UninstallKey" = Nero 6 Enterprise Edition
"PRJPROR" = Microsoft Office Project Professional 2007
"PROPLUS" = Microsoft Office Professional Plus 2007
"PSNPMONV1" = Network Print Monitor for Windows 2000/XP
"VISPRO" = Microsoft Office Visio Professional 2007
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/1/2010 1:03:56 PM | Computer Name = SHMA-D3CBE2BE50 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module mshtml.dll, version 6.0.2900.2853, fault address 0x000d836f.

Error - 7/2/2010 1:52:11 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 7/2/2010 1:52:12 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 7/2/2010 4:41:00 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 7/2/2010 4:41:00 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 7/2/2010 4:41:01 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 7/2/2010 4:41:01 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Symantec AntiVirus | ID = 16711731
Description =

Error - 7/4/2010 7:28:26 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Application Error | ID = 1000
Description = Faulting application Rtvscan.exe, version 11.0.3001.2198, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.

Error - 7/4/2010 7:30:50 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Automatic LiveUpdate Scheduler | ID = 101
Description =

Error - 7/4/2010 7:51:49 AM | Computer Name = SHMA-D3CBE2BE50 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

[ System Events ]
Error - 7/4/2010 7:28:31 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7031
Description = The Symantec Endpoint Protection service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in 10000
milliseconds: Restart the service.

Error - 7/4/2010 7:54:55 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7034
Description = The Audio Service service terminated unexpectedly. It has done this
1 time(s).

Error - 7/4/2010 7:54:55 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7034
Description = The Avira AntiVir Personal - Free Antivirus Scheduler service terminated
unexpectedly. It has done this 1 time(s).

Error - 7/4/2010 7:54:55 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7034
Description = The Agere Modem Call Progress Audio service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/4/2010 7:54:56 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7034
Description = The Avira AntiVir Personal - Free Antivirus Guard service terminated
unexpectedly. It has done this 1 time(s).

Error - 7/4/2010 7:54:56 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7031
Description = The IIS Admin service terminated unexpectedly. It has done this 1
time(s). The following corrective action will be taken in 1 milliseconds: Run
the configured recovery program.

Error - 7/4/2010 7:54:56 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7034
Description = The Simple Mail Transfer Protocol (SMTP) service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/4/2010 7:54:56 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7034
Description = The World Wide Web Publishing service terminated unexpectedly. It
has done this 1 time(s).

Error - 7/4/2010 7:54:56 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7034
Description = The Macrium Reflect Image Mounting Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 7/4/2010 7:54:56 AM | Computer Name = SHMA-D3CBE2BE50 | Source = Service Control Manager | ID = 7031
Description = The Bluetooth Service service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.


< End of report >


*********************************************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-04 17:39:43
Windows 5.1.2600 Service Pack 2
Running: GMER Rootkit Scanner.exe; Driver: C:\DOCUME~1\THENET~1\LOCALS~1\Temp\afloiaog.sys


---- System - GMER 1.0.15 ----

SSDT BA6861FC ZwCreateThread
SSDT BA6861E8 ZwOpenProcess
SSDT BA6861ED ZwOpenThread
SSDT BA6861F7 ZwTerminateProcess
SSDT BA6861F2 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D1C 8050391C 4 Bytes CALL 910AA182
? uvyedsc.sys The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----

*********************************************************

AVIRA EVENTS

Exported events:

7/4/2010 17:08 [Guard] Malware found
Virus or unwanted program 'BDS/Bredolab.fjx [backdoor]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temporary Internet Files\Content.IE5\096F4HIB\update[1].exe.
Action performed: Delete file

7/4/2010 17:08 [Guard] Malware found
Virus or unwanted program 'BDS/Bredolab.fjx [backdoor]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temp\3247.exe.
Action performed: Delete file

7/4/2010 17:07 [Guard] Malware found
Virus or unwanted program 'TR/Agent.HF.30 [trojan]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temp\2619161.exe.
Action performed: Delete file

7/4/2010 17:07 [Guard] Malware found
Virus or unwanted program 'TR/Agent.HF.30 [trojan]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temporary Internet Files\Content.IE5\096F4HIB\default[1].exe.
Action performed: Delete file

7/4/2010 17:07 [Guard] Service started
Service started.
Version of service: 8.0.1.30
Version of Engine: 8.2.4.2
Version of VDF: 7.10.8.247

7/4/2010 17:07 [Scheduler] Service started
The service was started.
Version of service 8.0.0.17

7/4/2010 16:34 [Guard] Malware found
Virus or unwanted program 'BDS/Bredolab.fjx [backdoor]'
detected in file 'C:\WINDOWS\system32\wbem\grpconv.exe.
Action performed: Allow access

7/4/2010 16:33 [Guard] Malware found
Virus or unwanted program 'BDS/Bredolab.fjx [backdoor]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temp\~TM27FB4A.TMP.
Action performed: Allow access

7/4/2010 16:33 [Guard] Malware found
Virus or unwanted program 'BDS/Bredolab.fjx [backdoor]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temp\875152.exe.
Action performed: Allow access

7/4/2010 16:33 [Guard] Malware found
Virus or unwanted program 'TR/Agent.HF.30 [trojan]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temp\3467830.exe.
Action performed: Deny access

7/4/2010 16:33 [Guard] Malware found
Virus or unwanted program 'BDS/Bredolab.fjx [backdoor]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temp\875152.exe.
Action performed: Allow access

7/4/2010 16:33 [Guard] Malware found
Virus or unwanted program 'BDS/Bredolab.fjx [backdoor]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temporary Internet Files\Content.IE5\XW39K5MY\update[1].exe.
Action performed: Allow access

7/4/2010 16:33 [Guard] Malware found
Virus or unwanted program 'TR/Agent.HF.30 [trojan]'
detected in file 'C:\Documents and Settings\The Networks\Local
Settings\Temp\3467830.exe.
Action performed: Allow access

*********************************************************
blaze
Active Member
 
Posts: 10
Joined: July 1st, 2010, 11:34 am
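
Before the helper's reply, a worked triage of the lines posted above. This is an added example, not code from the thread, from OldTimer's OTL or from GMER: it pulls the indicators a helper reads first out of raw log lines (a Winlogon value resolved outside the Windows or Program Files roots, MountPoints2 AutoRun/open commands, NoDriveTypeAutoRun set to 0, a ProxyServer value, a hidden+system executable under a user profile, and GMER's "cannot find the file specified" driver line). The sample lines are copied from the logs above plus two benign entries for contrast; the trusted-directory list and the attribute rule are my own assumptions.

```python
"""Triage of the OTL and GMER lines posted above.

Added example: this is not code from the original thread, from OldTimer's
OTL or from GMER.  The rule set (which directories count as trusted, which
attribute combinations are suspicious) is my own assumption; tune it for
the machine in front of you.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the posted logs, plus two benign
# entries (the Winlogon Shell line and an MBAM driver) to show what is NOT flagged.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-1417001333-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = PROXY02:7080
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\The Networks\Application Data\yftza.exe) - C:\Documents and Settings\The Networks\Application Data\yftza.exe ()
O33 - MountPoints2\{ca677df1-4b62-11df-8b80-18a905df0acc}\Shell\AutoRun\command - "" = F:\MARAJAH\karajana.exe -- File not found
[2010/07/04 16:56:36 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/01 19:07:10 | 000,132,608 | RHS- | M] () -- C:\Documents and Settings\The Networks\Application Data\yftza.exe
? uvyedsc.sys The system cannot find the file specified. !
"""

# Assumption: on XP, Winlogon values and hidden+system executables belong under
# these roots; anything resolved elsewhere is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Finding:
    rule: str
    line: str


def _untrusted_path(path: str) -> bool:
    return not path.strip().lower().startswith(TRUSTED_DIRS)


def triage_line(line: str) -> list[Finding]:
    """Apply every rule to one log line; returns [] when nothing matches."""
    s = line.strip()
    found: list[Finding] = []

    # O20: Winlogon Shell/Userinit/TaskMan resolved outside the trusted roots.
    # OTL prints "(registry value) - resolved path (company)"; use the resolved path.
    m = re.match(r"O20 - HKLM Winlogon: \w+ - \(.*?\) - (.+)$", s)
    if m and _untrusted_path(re.sub(r"\s*\([^()]*\)$", "", m.group(1))):
        found.append(Finding("winlogon_hijack", s))

    # O33: MountPoints2 AutoRun/open commands are the residue of a removable-drive worm.
    if re.match(r"O33 - MountPoints2\\.*\\Shell\\(AutoRun|open)\\command", s):
        found.append(Finding("mountpoints_autorun", s))

    # O7: NoDriveTypeAutoRun = 0 leaves AutoRun enabled for every drive type.
    if re.search(r"NoDriveTypeAutoRun = 0\b", s):
        found.append(Finding("autorun_enabled", s))

    # IE: a ProxyServer value; confirm against ProxyEnable before calling it active.
    if re.search(r'"ProxyServer" = \S+', s):
        found.append(Finding("proxy_configured", s))

    # File listing: hidden+system executable under a user profile (attribute field is RHSD-).
    m = re.match(r"^\[[^|]+\|[^|]+\| ([RHSD-]{4}) \| [CM]\] \(.*?\) -- (.+)$", s)
    if m:
        attrs, path = m.group(1), m.group(2)
        if "H" in attrs and "S" in attrs and path.lower().endswith(".exe") and _untrusted_path(path):
            found.append(Finding("hidden_system_exe", s))

    # GMER: a loaded driver whose backing file cannot be opened from user mode.
    if re.match(r"^\? \S+\.sys The system cannot find the file specified", s):
        found.append(Finding("gmer_missing_driver", s))
    return found


def triage(log: str) -> list[Finding]:
    return [f for line in log.splitlines() for f in triage_line(line)]


def summarize(log: str) -> dict[str, int]:
    """Count findings per rule: the first thing a helper scans in a long log."""
    counts: dict[str, int] = {}
    for f in triage(log):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:20} {f.line}")
```

Run as-is it flags six of the eight sample lines and leaves the Winlogon Shell entry and the MBAM driver alone. Two caveats a helper would add when reading the real logs: the ProxyServer value sits next to ProxyEnable = 0, so it is configured but not active, and the SSDT hooks GMER lists on ZwOpenProcess, ZwTerminateProcess and friends are the kind of hooks security products also install (the RKUnhooker listing shows Avira's avipbb.sys rootkit-detection driver loaded), so a hook list by itself is not a verdict; the driver with no backing file and the hidden-attribute executable in Application Data are the stronger indicators here.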

Re: New Infected Install

Post by deltalima » July 4th, 2010, 9:08 am

Hi blaze,

Scan with RKUnhooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth, Files and Code Hooks; uncheck the rest, then click OK.
  • Wait until the scanner has finished, then click File, Save Report.
  • Save the report somewhere you can find it, then click Close.
  • Copy the entire contents of the report and paste it in a reply here.

Please run another scan with Malwarebytes and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New Infected Install

Post by blaze » July 4th, 2010, 9:56 am

When I did the original scan with Rootkit Unhooker it asked me if I wanted to do a scan of C. Since I was not clear on that instruction, the first log is without the scan of C and the second is with the scan of the C drive.

Also, each time Malwarebytes identified a threat my Avira did so as well, and similarly when I deleted the threats after the Malwarebytes scan results.



RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0xB97A7000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6279168 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF2E8000 C:\WINDOWS\System32\igxpdx32.DLL 3837952 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xBF058000 C:\WINDOWS\System32\igxpdv32.DLL 2686976 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1839104 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1839104 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA921B000 C:\WINDOWS\system32\drivers\sthda.sys 1490944 bytes (IDT, Inc., IDT PC Audio)
0xB953C000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 987136 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xB9E48000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB96C1000 C:\WINDOWS\system32\DRIVERS\rtl8192se.sys 565248 bytes (Realtek Semiconductor Corporation , Realtek RTL81892E PCI-SE NDIS5.1 miniport driver)
0xA8F5C000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA908A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA8201000 C:\WINDOWS\system32\DRIVERS\srv.sys 339968 bytes (Microsoft Corporation, Server driver)
0xB9678000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 299008 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
0xA7F68000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 212992 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB94AF000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xB94E3000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA86C8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E1B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8FF3000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA7D94000 C:\WINDOWS\system32\drivers\kmixer.sys 172032 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA9062000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB974B000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB9655000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB9770000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xA901F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA91F9000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xA9041000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E2000 ACPI_HAL 134400 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEC000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA913D000 C:\WINDOWS\system32\drivers\AESTAud.sys 114688 bytes (Andrea Electronics Corporation, Andrea Audio Driver)
0xB9E00000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA8F1F000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9ED5000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9525000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA8B32000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA836C000 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys 81920 bytes (Avira GmbH, Avira Minifilter Driver)
0xA8F37000 C:\WINDOWS\System32\Drivers\usbvideo.sys 81920 bytes (Microsoft Corporation, USB Video Class Driver)
0xB9793000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA90E2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xA8F4B000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 69632 bytes (Avira GmbH, Avira Driver for RootKit Detection)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9514000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA2A8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA248000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA8C27000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA238000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA188000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA198000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA288000 C:\WINDOWS\System32\Drivers\btwusb.sys 40960 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xBA218000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA208000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA278000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA0A8000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA258000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA8528000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA268000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA400000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA420000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA338000 pssnap.sys 28672 bytes (Macrium Software, Backup image protection)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xBA3F0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3F8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA448000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA568000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA58C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA8DBB000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB948F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA570000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA558000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5C8000 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xBA5C0000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5CA000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5BE000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5C2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5C4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5BA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA786000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6AB000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7C4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006DC5E, Type: Inline - RelativeJump 0x80544C5E-->80544C65 [ntkrnlpa.exe]
[3604]wpv951277975692.exe-->gdi32.dll-->CreateCompatibleDC, Type: IAT modification 0x004040C0-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->DeleteObject, Type: IAT modification 0x004040A8-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->ExtTextOutA, Type: IAT modification 0x004040C8-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetBkColor, Type: IAT modification 0x004040BC-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetDeviceCaps, Type: IAT modification 0x004040B4-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetObjectA, Type: IAT modification 0x004040A0-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetPixel, Type: IAT modification 0x004040A4-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetTextColor, Type: IAT modification 0x004040B8-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->LineTo, Type: IAT modification 0x004040AC-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->PatBlt, Type: IAT modification 0x004040C4-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->SelectObject, Type: IAT modification 0x004040CC-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->SetPixel, Type: IAT modification 0x004040B0-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x00404008-->00000000 [wpv951277975692.exe]
[3604]wpv951277975692.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0040400C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00404000-->00000000 [wpv951277975692.exe]
[3604]wpv951277975692.exe-->kernel32.dll-->GetStdHandle, Type: IAT modification 0x0040401C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00404004-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x00404014-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->lstrlenA, Type: IAT modification 0x00404020-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x00404010-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->BeginPaint, Type: IAT modification 0x00404064-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->CreateWindowExA, Type: IAT modification 0x0040402C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->DefWindowProcA, Type: IAT modification 0x00404030-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->DialogBoxParamA, Type: IAT modification 0x00404050-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->DispatchMessageA, Type: IAT modification 0x00404054-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->EndDialog, Type: IAT modification 0x0040405C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->EndPaint, Type: IAT modification 0x00404044-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetClientRect, Type: IAT modification 0x0040403C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetFocus, Type: IAT modification 0x00404058-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetSysColor, Type: IAT modification 0x00404038-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetWindowRect, Type: IAT modification 0x0040406C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->LoadIconA, Type: IAT modification 0x00404048-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->MessageBoxA, Type: IAT modification 0x00404028-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->PostQuitMessage, Type: IAT modification 0x00404060-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->ScreenToClient, Type: IAT modification 0x00404034-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->SetFocus, Type: IAT modification 0x0040404C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->SetWindowTextA, Type: IAT modification 0x00404068-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->TranslateMessage, Type: IAT modification 0x00404040-->00000000 [unknown_code_page]

/************************************************

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0xB97A7000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6279168 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xBF2E8000 C:\WINDOWS\System32\igxpdx32.DLL 3837952 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xBF058000 C:\WINDOWS\System32\igxpdv32.DLL 2686976 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1839104 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1839104 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xA921B000 C:\WINDOWS\system32\drivers\sthda.sys 1490944 bytes (IDT, Inc., IDT PC Audio)
0xB953C000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 987136 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xB9E48000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB96C1000 C:\WINDOWS\system32\DRIVERS\rtl8192se.sys 565248 bytes (Realtek Semiconductor Corporation , Realtek RTL81892E PCI-SE NDIS5.1 miniport driver)
0xA8F5C000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xA908A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA8201000 C:\WINDOWS\system32\DRIVERS\srv.sys 339968 bytes (Microsoft Corporation, Server driver)
0xB9678000 C:\WINDOWS\system32\DRIVERS\yk51x86.sys 299008 bytes (Marvell, Miniport Driver for Marvell Yukon Ethernet Controller.)
0xA7F68000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 212992 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB94AF000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xB94E3000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA86C8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E1B000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8FF3000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA7D94000 C:\WINDOWS\system32\drivers\kmixer.sys 172032 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA9062000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB974B000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB9655000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB9770000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xA901F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA91F9000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xA9041000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E2000 ACPI_HAL 134400 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEC000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xA913D000 C:\WINDOWS\system32\drivers\AESTAud.sys 114688 bytes (Andrea Electronics Corporation, Andrea Audio Driver)
0xB9E00000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA8F1F000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9ED5000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9525000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA8B32000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA836C000 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys 81920 bytes (Avira GmbH, Avira Minifilter Driver)
0xA8F37000 C:\WINDOWS\System32\Drivers\usbvideo.sys 81920 bytes (Microsoft Corporation, USB Video Class Driver)
0xB9793000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA90E2000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xA8F4B000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 69632 bytes (Avira GmbH, Avira Driver for RootKit Detection)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9514000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA2A8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA248000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA8C27000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA238000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA188000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA198000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA288000 C:\WINDOWS\System32\Drivers\btwusb.sys 40960 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xBA218000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA208000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA278000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA0A8000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA258000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA8E87000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA268000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA400000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA420000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA338000 pssnap.sys 28672 bytes (Macrium Software, Backup image protection)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xBA3F0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3F8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA448000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA568000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA58C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA8DBB000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB948F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA570000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA558000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5C8000 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xBA5C0000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5CA000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5BE000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5C2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5C4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5BA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA786000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6AB000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7C4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006DC5E, Type: Inline - RelativeJump 0x80544C5E-->80544C65 [ntkrnlpa.exe]
[3604]wpv951277975692.exe-->gdi32.dll-->CreateCompatibleDC, Type: IAT modification 0x004040C0-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->DeleteObject, Type: IAT modification 0x004040A8-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->ExtTextOutA, Type: IAT modification 0x004040C8-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetBkColor, Type: IAT modification 0x004040BC-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetDeviceCaps, Type: IAT modification 0x004040B4-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetObjectA, Type: IAT modification 0x004040A0-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetPixel, Type: IAT modification 0x004040A4-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->GetTextColor, Type: IAT modification 0x004040B8-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->LineTo, Type: IAT modification 0x004040AC-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->PatBlt, Type: IAT modification 0x004040C4-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->SelectObject, Type: IAT modification 0x004040CC-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->gdi32.dll-->SetPixel, Type: IAT modification 0x004040B0-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->CloseHandle, Type: IAT modification 0x00404008-->00000000 [wpv951277975692.exe]
[3604]wpv951277975692.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x0040400C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x00404000-->00000000 [wpv951277975692.exe]
[3604]wpv951277975692.exe-->kernel32.dll-->GetStdHandle, Type: IAT modification 0x0040401C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00404004-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->LocalFree, Type: IAT modification 0x00404014-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->lstrlenA, Type: IAT modification 0x00404020-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->kernel32.dll-->Sleep, Type: IAT modification 0x00404010-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->BeginPaint, Type: IAT modification 0x00404064-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->CreateWindowExA, Type: IAT modification 0x0040402C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->DefWindowProcA, Type: IAT modification 0x00404030-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->DialogBoxParamA, Type: IAT modification 0x00404050-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->DispatchMessageA, Type: IAT modification 0x00404054-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->EndDialog, Type: IAT modification 0x0040405C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->EndPaint, Type: IAT modification 0x00404044-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetClientRect, Type: IAT modification 0x0040403C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetFocus, Type: IAT modification 0x00404058-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetSysColor, Type: IAT modification 0x00404038-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->GetWindowRect, Type: IAT modification 0x0040406C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->LoadIconA, Type: IAT modification 0x00404048-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->MessageBoxA, Type: IAT modification 0x00404028-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->PostQuitMessage, Type: IAT modification 0x00404060-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->ScreenToClient, Type: IAT modification 0x00404034-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->SetFocus, Type: IAT modification 0x0040404C-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->SetWindowTextA, Type: IAT modification 0x00404068-->00000000 [unknown_code_page]
[3604]wpv951277975692.exe-->user32.dll-->TranslateMessage, Type: IAT modification 0x00404040-->00000000 [unknown_code_page]

/************************************************
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4274

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/4/2010 6:56:08 PM
mbam-log-2010-07-04 (18-56-08).txt

Scan type: Quick scan
Objects scanned: 127072
Time elapsed: 8 minute(s), 44 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\Temp\wpv951277975692.exe (Trojan.Dropper) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userini (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userini (Trojan.Dropper) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\wpv951277975692.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\explorer.exe:userini.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\system32\wbem\grpconv.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\The Networks\Local Settings\Temp\875.exe (Packed.Krap) -> No action taken.
C:\Documents and Settings\The Networks\Local Settings\Temp\~TM4.tmp (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\The Networks\Local Settings\Temporary Internet Files\Content.IE5\W5M30LE3\default[1].exe (Packed.Krap) -> No action taken.
C:\Documents and Settings\The Networks\Local Settings\Temporary Internet Files\Content.IE5\W5M30LE3\update[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\The Networks\Application Data\wiaservg.log (Malware.Trace) -> No action taken.
blaze
Active Member
 
Posts: 10
Joined: July 1st, 2010, 11:34 am

Re: New Infected Install

Unread postby deltalima » July 4th, 2010, 10:00 am

Hi blaze,

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
C:\Documents and Settings\The Networks\Application Data\yftza.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New Infected Install

Unread postby blaze » July 4th, 2010, 10:07 am

Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.03 Email-Worm.Win32.Iksmas!IK
AhnLab-V3 2010.07.03.00 2010.07.03 Win-Trojan/Bredolab.132608
AntiVir 8.2.4.2 2010.07.02 -
Antiy-AVL 2.0.3.7 2010.07.02 -
Authentium 5.2.0.5 2010.07.03 -
Avast 4.8.1351.0 2010.07.03 -
Avast5 5.0.332.0 2010.07.03 -
AVG 9.0.0.836 2010.07.03 SHeur3.AGRX
BitDefender 7.2 2010.07.03 -
CAT-QuickHeal 11.00 2010.06.30 (Suspicious) - DNAScan
ClamAV 0.96.0.3-git 2010.07.03 -
Comodo 5305 2010.07.03 Heur.Suspicious
DrWeb 5.0.2.03300 2010.07.03 Win32.HLLW.Autoruner.22584
eSafe 7.0.17.0 2010.06.30 -
eTrust-Vet 36.1.7684 2010.07.03 -
F-Prot 4.6.1.107 2010.07.03 -
F-Secure 9.0.15370.0 2010.07.03 -
Fortinet 4.1.133.0 2010.07.03 -
GData 21 2010.07.03 -
Ikarus T3.1.1.84.0 2010.07.03 Email-Worm.Win32.Iksmas
Jiangmin 13.0.900 2010.07.03 -
Kaspersky 7.0.0.125 2010.07.03 Email-Worm.Win32.Iksmas.hsv
McAfee 5.400.0.1158 2010.07.03 Artemis!FF5D463DF904
McAfee-GW-Edition 2010.1 2010.07.02 Artemis!FF5D463DF904
Microsoft 1.5902 2010.07.03 -
NOD32 5248 2010.07.03 a variant of Win32/Kryptik.FGZ
Norman 6.05.10 2010.07.03 -
nProtect 2010-07-03.02 2010.07.03 -
Panda 10.0.2.7 2010.07.03 Bck/Bredolab.AZ
PCTools 7.0.3.5 2010.07.02 Malware.Pilleuz
Prevx 3.0 2010.07.03 High Risk Cloaked Malware
Rising 22.54.04.04 2010.07.02 Trojan.Win32.Generic.521A5EA2
Sophos 4.54.0 2010.07.03 -
Sunbelt 6540 2010.07.03 Trojan.Win32.Generic!BT
Symantec 20101.1.0.89 2010.07.03 W32.Pilleuz
TheHacker 6.5.2.1.307 2010.07.01 -
TrendMicro 9.120.0.1004 2010.07.03 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.03 -
VBA32 3.12.12.5 2010.07.02 -
ViRobot 2010.7.3.3920 2010.07.03 I-Worm.Win32.S.Iksmas.132608
VirusBuster 5.0.27.0 2010.07.03 -
Additional information
File size: 132608 bytes
MD5 : ff5d463df904b30f07e83fe38caae5d2
SHA1 : c11428e0029a188ad373e5fb4c54c0674f256c98
SHA256: f617c65a533570ecb4f2f86e31b7fedf5e6228b29429004b5a6cdcef37e596e9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x108A
timedatestamp.....: 0x4C03F4B5 (Mon May 31 19:41:09 2010)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x25B3 0x2600 3.07 f2f50e09fd3093ba84aef9d3b65f8d0a
.rdata 0x4000 0x3DF 0x400 2.68 b6765d48ab78ec5b04dcb9129a8c7136
.data 0x5000 0x14F4 0x400 1.46 0e92addd59cc0882a5ed197cdca2ff80
.rsrc 0x7000 0x34ACB 0x1D400 7.63 9eeb7a2428bd608efbf69a78e9abcf1e

( 2 imports )

> gdi32.dll: GetBkColor, CreateSolidBrush, CreateCompatibleDC, PatBlt, CreateFontIndirectA, GetDeviceCaps, GetStockObject, GetTextColor, SelectObject
> kernel32.dll: GetProcAddress, LoadLibraryA, CloseHandle, GetModuleHandleA, lstrcatA, LocalFree, FreeLibrary, GetStdHandle

( 0 exports )

TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Symantec reputation: Suspicious.Insight http://www.symantec.com/security_respon ... 23-0550-99
ssdeep: 3072:xcXAyA9IENsfIuCoP+3rbFZh/l11ARYfarfu:xcw/ziIaErP11ARY
sigcheck: publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Prevx Info: http://info.prevx.com/aboutprogramtext. ... 00481027E8
PEiD : -
RDS : NSRL Reference Data Set
blaze
Active Member
 
Posts: 10
Joined: July 1st, 2010, 11:34 am

Re: New Infected Install

Unread postby deltalima » July 4th, 2010, 10:12 am

Hi blaze,

Run Combofix

Temporarily disable any antispyware, antivirus and/or antimalware real-time protection, as they may interfere with the running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures; if not, follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and, when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file. Please post the contents of this log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New Infected Install

Unread postby blaze » July 4th, 2010, 10:29 am

ComboFix 10-07-03.06 - The Networks 07/04/2010 19:30:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3063.2666 [GMT 5:00]
Running from: c:\documents and settings\The Networks\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
ADS - explorer.exe: deleted 56832 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\yftza.exe
c:\documents and settings\The Networks\Application Data\wiaservg.log
c:\documents and settings\The Networks\Application Data\yftza.exe
c:\windows\system32\Cache
c:\windows\system32\msvcrt2.dll
c:\windows\system32\wbem\grpconv.exe

c:\windows\system32\grpconv.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-04 14:04 . 2010-07-04 14:04 60416 ----a-w- c:\windows\system32\be37d2.exe
2010-07-04 11:56 . 2010-07-04 11:56 -------- d-----w- c:\documents and settings\The Networks\Application Data\Malwarebytes
2010-07-04 11:56 . 2010-04-29 10:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-04 11:56 . 2010-07-04 11:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 11:56 . 2010-07-04 11:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-04 11:56 . 2010-04-29 10:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-04 11:34 . 2010-07-04 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-02 08:23 . 2010-07-02 08:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-01 14:17 . 2010-07-01 14:17 -------- d-s---w- c:\documents and settings\Administrator\UserData
2010-07-01 14:07 . 2010-07-01 14:07 -------- d-----w- c:\documents and settings\The Networks\Local Settings\Application Data\Temp
2010-07-01 14:07 . 2010-07-04 11:32 -------- d-----w- c:\documents and settings\The Networks\Local Settings\Application Data\Google
2010-07-01 14:06 . 2010-07-01 14:06 -------- d-s---w- c:\documents and settings\The Networks\UserData
2010-07-01 12:55 . 2010-07-01 12:55 -------- d-----w- c:\program files\Microsoft Firewall Client 2004
2010-07-01 12:53 . 2008-05-09 08:15 45376 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-07-01 12:53 . 2008-01-21 13:11 22336 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-07-01 12:53 . 2010-07-01 12:59 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-01 12:53 . 2010-07-01 12:53 -------- d-----w- c:\program files\Avira
2010-07-01 12:53 . 2010-07-01 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-01 11:50 . 2010-07-01 11:50 -------- d-----w- c:\documents and settings\The Networks\Local Settings\Application Data\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-04 14:05 . 2006-02-28 12:00 1032192 ----a-w- c:\windows\explorer.exe
2010-07-04 12:07 . 2010-04-19 03:36 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-04 11:30 . 2010-04-19 03:36 -------- d-----w- c:\program files\Symantec
2010-07-04 11:30 . 2010-04-19 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-19 04:47 . 2010-04-19 04:47 43646 ----a-r- c:\documents and settings\The Networks\Application Data\Microsoft\Installer\{986389BF-2AE7-4C4D-B284-519BA869EDD1}\_81A4006ABC1B62DCE5F5CA.exe
2010-04-19 04:47 . 2010-04-19 04:47 29926 ----a-r- c:\documents and settings\The Networks\Application Data\Microsoft\Installer\{986389BF-2AE7-4C4D-B284-519BA869EDD1}\_455EF241629E11584EA727.exe
2010-04-19 04:47 . 2010-04-19 04:47 43646 ----a-r- c:\documents and settings\The Networks\Application Data\Microsoft\Installer\{986389BF-2AE7-4C4D-B284-519BA869EDD1}\_EF7BC6DDBE20B4C1311492.exe
2010-04-19 04:47 . 2010-04-19 04:47 43646 ----a-r- c:\documents and settings\The Networks\Application Data\Microsoft\Installer\{986389BF-2AE7-4C4D-B284-519BA869EDD1}\_D707CE1C009F1381803C2C.exe
2010-04-19 04:47 . 2010-04-19 04:47 43646 ----a-r- c:\documents and settings\The Networks\Application Data\Microsoft\Installer\{986389BF-2AE7-4C4D-B284-519BA869EDD1}\_21F3885A18D238E15AAE81.exe
2010-04-19 04:47 . 2010-04-19 04:47 109534 ----a-r- c:\documents and settings\The Networks\Application Data\Microsoft\Installer\{986389BF-2AE7-4C4D-B284-519BA869EDD1}\_6FEFF9B68218417F98F549.exe
2010-04-19 03:52 . 2010-04-19 03:02 68456 ----a-w- c:\documents and settings\The Networks\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-19 02:45 . 2010-04-19 02:45 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-19 02:42 . 2010-04-19 02:42 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Microsoft(R) System Manager"="c:\windows\system32\be37d2.exe" [2010-07-04 60416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2010-4-19 49254]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-12-11 604776]
Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-9 117568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 9:32 AM 15328]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [8/25/2009 12:16 PM 220128]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/19/2010 8:17 AM 113536]
R3 RTL8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [9/30/2009 10:46 PM 561280]
S2 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [12/9/2006 7:04 PM 128832]
S2 vdqjzvxxrxtzbfz;\??\c:\docume~1;\??\c:\docume~1\THENET~1\LOCALS~1\Temp\zrppjnrqtekqfek.sys --> c:\docume~1\THENET~1\LOCALS~1\Temp\zrppjnrqtekqfek.sys [?]
S2 xpehoavidf;\??\c:\doc;\??\c:\docume~1\THENET~1\LOCALS~1\Temp\ltzmchawebyrth.sys --> c:\docume~1\THENET~1\LOCALS~1\Temp\ltzmchawebyrth.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = PROXY02:7080
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
TCP: {877DAA8B-A153-45DA-AE47-1ECAEDDEAD1A} = 128.1.100.1,128.1.100.2
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-userini - c:\windows\explorer.exe:userini.exe
HKLM-Run-userini - c:\windows\explorer.exe:userini.exe
HKLM-Explorer_Run-userini - c:\windows\explorer.exe:userini.exe
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-04 19:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-04 19:33:57
ComboFix-quarantined-files.txt 2010-07-04 14:33

Pre-Run: 38,830,129,152 bytes free
Post-Run: 38,794,846,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BB6FCD77FFDC22649A2AE19CBF086218
blaze
Active Member
 
Posts: 10
Joined: July 1st, 2010, 11:34 am

Re: New Infected Install

Unread postby deltalima » July 4th, 2010, 10:38 am

Hi blaze,

Please run TFC again.

Please run another scan with Malwarebytes and remove any infected items found, then reboot the computer, post the log from Malwarebytes, and let me know if Avira detects anything.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: New Infected Install

Unread postby blaze » July 4th, 2010, 12:16 pm

Only one infection found.


Exported events:

7/4/2010 20:18 [Updater] Update successfully completed
Update performed successfully from http://dl2.avgate.net.
No new files available.

7/4/2010 20:18 [Scheduler] Job started
The job "Daily Update"
was started successfully.

7/4/2010 20:13 [Scanner] Scan
Scan ended [The scan has been done completely.].
Number of files: 107617
Number of folders: 1839
Number of malware: 1
Number of errors: 2

7/4/2010 20:07 [Scanner] Malware found
The file 'C:\System Volume
Information\_restore{FF6C3561-0486-47AB-970F-0B95DE636BDE}\RP1\A0000082.exe'
contained a virus or unwanted program 'TR/Agent.HF.30' [trojan]
Action(s) taken:
The file was moved to '4c60a3c5.qua'!

7/4/2010 20:00 [Scheduler] Job started
The job "Complete system scan"
was started successfully.
blaze
Active Member
 
Posts: 10
Joined: July 1st, 2010, 11:34 am