Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

trojan.fakems removal help

Started by oh211, Feb 01 2011 02:56 PM

This topic is locked
Go to first unread post

6 replies to this topic

#1
oh211

Posted 01 February 2011 - 02:56 PM

New Member

Members
3 posts

Hello
I need help in removing trojan.fakems.

Here is DDS.text

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Boost Mobile at 12:28:54.77 on Tue 02/01/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4360 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\TEMP\mrt672A.tmp\stdrt.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\CITIZEN\Message.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
c:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Browny02\BrYNSvc.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\windows\system32\DllHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\windows\system32\taskeng.exe
C:\windows\splwow64.exe
C:\windows\splwow64.exe
C:\windows\system32\sppsvc.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\Users\Boost Mobile\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173605109416p0315v1i5k4881520s
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173605109416p0315v1i5k4881520s
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173605109416p0315v1i5k4881520s
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: SearchElf 1.1 Toolbar: {00f2c0c6-2194-484e-9064-44e57787867b} - C:\Program Files (x86)\SearchElf_1.1\tbSear.dll
uURLSearchHooks: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - C:\Program Files (x86)\Elf_1\prxtbElf_.dll
mURLSearchHooks: SearchElf 1.1 Toolbar: {00f2c0c6-2194-484e-9064-44e57787867b} - C:\Program Files (x86)\SearchElf_1.1\tbSear.dll
mURLSearchHooks: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - C:\Program Files (x86)\Elf_1\prxtbElf_.dll
BHO: SearchElf 1.1 Toolbar: {00f2c0c6-2194-484e-9064-44e57787867b} - C:\Program Files (x86)\SearchElf_1.1\tbSear.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - C:\Program Files (x86)\Elf_1\prxtbElf_.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: SearchElf 1.1 Toolbar: {00f2c0c6-2194-484e-9064-44e57787867b} - C:\Program Files (x86)\SearchElf_1.1\tbSear.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - C:\Program Files (x86)\Elf_1\prxtbElf_.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickBooks Agent] C:\windows\qbagent.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Message.lnk - C:\CITIZEN\Message.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - C:\Users\Boost Mobile\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: qpay123.com
Trusted Zone: t-mobile.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295214306442
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {FC14D208-0AF3-4BF5-9498-59C09229491B} - hxxps://www.qpay123.com/WQVPS/activeX/PrinterActiveX.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {00F2C0C6-2194-484E-9064-44E57787867B} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {22E03916-85C5-44B0-8DC9-1830C11238D9} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\BOOSTM~1\AppData\Roaming\Mozilla\Firefox\Profiles\0myul5n0.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2269050&SearchSource=13
FF - component: C:\Users\Boost Mobile\AppData\Roaming\Mozilla\Firefox\Profiles\0myul5n0.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\FFExternalAlert.dll
FF - component: C:\Users\Boost Mobile\AppData\Roaming\Mozilla\Firefox\Profiles\0myul5n0.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCore.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-10-27 273488]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-5-27 203264]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-10-27 20560]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-10-27 62032]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-20 40384]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-12 62208]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-8-22 240160]
R3 AE1000;Linksys AE1000 Driver;C:\Windows\System32\drivers\ae1000w7.sys [2010-10-27 1101600]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-8-4 7451648]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-8-4 268288]
R3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2010-10-27 245760]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 FLEXnet Licensing Manager;FLEXnet Licensing Manager for Adobe Products;C:\Windows\system\regsrv.exe [2010-11-12 675033]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 135664]
S3 AVer7231_x64;AVerMedia 7231 capture service;C:\Windows\System32\drivers\AVer7231_x64.sys [2009-8-22 1621760]
S3 rtl819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;C:\Windows\System32\drivers\rtl819xp.sys [2009-8-22 607232]
S3 SrvHsfPCI;SrvHsfPCI;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-13 411136]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-10-29 1255736]

=============== Created Last 30 ================

2011-02-01 14:11:00 7844688 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{F1B156D3-130E-48B6-81C1-C45C7CF83DDC}\mpengine.dll
2011-01-31 21:54:35 4961 ----a-w- C:\windows\system\viewed.dll
2011-01-24 18:47:27 373760 ----a-w- C:\windows\System32\Spool\prtprocs\x64\HP1006S.DLL
2011-01-24 18:44:26 64512 ----a-w- C:\windows\System32\HPPLVS.dll
2011-01-24 18:44:26 403968 ----a-w- C:\windows\System32\HP1006LM.DLL
2011-01-18 23:33:35 -------- d-----w- C:\Users\BOOSTM~1\AppData\Local\Research In Motion
2011-01-18 23:32:10 -------- d-----w- C:\PROGRA~3\Research In Motion
2011-01-16 17:29:10 513080 ----a-w- C:\windows\System32\drivers\sptd.sys
2011-01-16 17:27:44 -------- d-----w- C:\Program Files (x86)\LSoft Technologies Inc
2011-01-16 17:16:09 91568 ----a-w- C:\windows\System32\drivers\scdemu.sys
2011-01-16 17:16:09 -------- d-----w- C:\Program Files (x86)\PowerISO
2011-01-16 17:08:16 -------- d-----w- C:\Temp
2011-01-11 19:32:17 -------- d-----w- C:\Users\BOOSTM~1\AppData\Roaming\DVDVideoSoftIEHelpers
2011-01-11 19:32:10 -------- d-----w- C:\Program Files (x86)\DVDVideoSoft
2011-01-11 19:32:10 -------- d-----w- C:\Program Files (x86)\Common Files\DVDVideoSoft
2011-01-11 19:25:48 -------- d-----w- C:\Program Files (x86)\YouTube Downloader
2011-01-09 20:41:19 -------- d-----w- C:\Program Files\CCleaner
2011-01-06 19:19:49 -------- d-----w- C:\Users\BOOSTM~1\AppData\Local\Conduit
2011-01-06 19:19:49 -------- d-----w- C:\Program Files (x86)\Elf_1
2011-01-04 18:01:44 -------- d-----w- C:\Users\BOOSTM~1\AppData\Local\ElevatedDiagnostics

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- C:\windows\avastSS.scr
2011-01-13 08:37:23 62032 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2010-12-20 23:08:40 24152 ----a-w- C:\windows\System32\drivers\mbam.sys
2010-11-13 01:07:45 675033 ----a-w- C:\windows\system\regsrv.exe
2010-11-13 01:07:38 659676 ----a-w- C:\windows\qbagent.exe
2010-11-12 23:53:06 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb

============= FINISH: 12:29:33.58 ===============

I have also attached the attach.txt and ark.txt files.

Attached Files

Attach.txt 8.42K 8 downloads
ark.txt 265bytes 10 downloads

#2
Maniac

Posted 01 February 2011 - 04:00 PM

Forum Deity

Experts
17,047 posts

Gender:Male
Location:Bulgaria, EU

Hello oh211! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Follow my instructions step by step if there is a problem somewhere, stop and tell me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install or uninstall any software or hardware, while work on.
Keep me informed about any changes.

Step 1

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

Step 2

Launch Malwarebytes' Anti-Malware
Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
Go to "-Scanner" tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s):

Malwarebytes' Anti-Malware log
a new fresh DDS log only

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#3
oh211

Posted 06 February 2011 - 01:07 PM

New Member

Members
3 posts

oh211, on Feb 1 2011, 02:56 PM, said:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 02/06/2011 at 13:04:42.
Operating System: Windows 7 Home Premium

Processes terminated by Rkill or while it was running:

C:\windows\SysWOW64\InfDefaultInstall.exe
C:\windows\SysWOW64\runonce.exe
C:\windows\SysWOW64\InfDefaultInstall.exe
C:\windows\SysWOW64\runonce.exe

Rkill completed on 02/06/2011 at 13:04:48.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5690

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/6/2011 12:32:31 PM
mbam-log-2011-02-06 (12-32-31).txt

Scan type: Quick scan
Objects scanned: 161100
Time elapsed: 1 minute(s), 59 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\Windows\Temp\mrt7DF5.tmp\stdrt.exe (Trojan.FakeMS) -> 2792 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\mrt7DF5.tmp\stdrt.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Boost Mobile at 12:34:03.83 on Sun 02/06/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.5887.4223 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\CITIZEN\Message.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
c:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Browny02\BrYNSvc.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\windows\system32\SearchProtocolHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\Users\Boost Mobile\Desktop\Misc\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173605109416p0315v1i5k4881520s
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173605109416p0315v1i5k4881520s
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173605109416p0315v1i5k4881520s
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: SearchElf 1.1 Toolbar: {00f2c0c6-2194-484e-9064-44e57787867b} - C:\Program Files (x86)\SearchElf_1.1\tbSear.dll
mURLSearchHooks: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - C:\Program Files (x86)\Elf_1\prxtbElf_.dll
BHO: SearchElf 1.1 Toolbar: {00f2c0c6-2194-484e-9064-44e57787867b} - C:\Program Files (x86)\SearchElf_1.1\tbSear.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - C:\Program Files (x86)\Elf_1\prxtbElf_.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: SearchElf 1.1 Toolbar: {00f2c0c6-2194-484e-9064-44e57787867b} - C:\Program Files (x86)\SearchElf_1.1\tbSear.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2291.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Elf 1 Toolbar: {22e03916-85c5-44b0-8dc9-1830c11238d9} - C:\Program Files (x86)\Elf_1\prxtbElf_.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickBooks Agent] C:\windows\qbagent.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Message.lnk - C:\CITIZEN\Message.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - C:\Users\Boost Mobile\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: qpay123.com
Trusted Zone: t-mobile.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295214306442
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {FC14D208-0AF3-4BF5-9498-59C09229491B} - hxxps://www.qpay123.com/WQVPS/activeX/PrinterActiveX.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {00F2C0C6-2194-484E-9064-44E57787867B} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {22E03916-85C5-44B0-8DC9-1830C11238D9} - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
mRun-x64: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\BOOSTM~1\AppData\Roaming\Mozilla\Firefox\Profiles\0myul5n0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z007&form=ZGAADF&q=
FF - component: C:\Users\Boost Mobile\AppData\Roaming\Mozilla\Firefox\Profiles\0myul5n0.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\FFExternalAlert.dll
FF - component: C:\Users\Boost Mobile\AppData\Roaming\Mozilla\Firefox\Profiles\0myul5n0.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}\components\RadioWMPCore.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - %profile%\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-10-27 273488]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-5-27 203264]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-10-27 20560]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-10-27 62032]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-1-20 40384]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-12 62208]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-8-22 240160]
R3 AE1000;Linksys AE1000 Driver;C:\Windows\System32\drivers\ae1000w7.sys [2010-10-27 1101600]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-8-4 7451648]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-8-4 268288]
R3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2010-10-27 245760]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2009-7-13 23040]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 FLEXnet Licensing Manager;FLEXnet Licensing Manager for Adobe Products;C:\Windows\system\regsrv.exe [2010-11-12 675033]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-27 135664]
S3 AVer7231_x64;AVerMedia 7231 capture service;C:\Windows\System32\drivers\AVer7231_x64.sys [2009-8-22 1621760]
S3 rtl819xp;Realtek RTL8190\RTL8192E 802.11n Wireless LAN (Mini-)PCI NIC NT Driver;C:\Windows\System32\drivers\rtl819xp.sys [2009-8-22 607232]
S3 SrvHsfPCI;SrvHsfPCI;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-13 411136]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-10-29 1255736]

=============== Created Last 30 ================

2011-02-04 14:54:21 7844688 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{96F96CBD-38DF-40D9-8826-CEC95B482F48}\mpengine.dll
2011-02-03 20:41:50 -------- d-----w- C:\Program Files (x86)\WhiteSmoke
2011-01-31 21:54:35 4961 ----a-w- C:\windows\system\viewed.dll
2011-01-24 18:47:27 373760 ----a-w- C:\windows\System32\Spool\prtprocs\x64\HP1006S.DLL
2011-01-24 18:44:26 64512 ----a-w- C:\windows\System32\HPPLVS.dll
2011-01-24 18:44:26 403968 ----a-w- C:\windows\System32\HP1006LM.DLL
2011-01-18 23:33:35 -------- d-----w- C:\Users\BOOSTM~1\AppData\Local\Research In Motion
2011-01-18 23:32:10 -------- d-----w- C:\PROGRA~3\Research In Motion
2011-01-16 17:29:10 513080 ----a-w- C:\windows\System32\drivers\sptd.sys
2011-01-16 17:27:44 -------- d-----w- C:\Program Files (x86)\LSoft Technologies Inc
2011-01-16 17:16:09 91568 ----a-w- C:\windows\System32\drivers\scdemu.sys
2011-01-16 17:16:09 -------- d-----w- C:\Program Files (x86)\PowerISO
2011-01-16 17:08:16 -------- d-----w- C:\Temp
2011-01-11 19:32:17 -------- d-----w- C:\Users\BOOSTM~1\AppData\Roaming\DVDVideoSoftIEHelpers
2011-01-11 19:32:10 -------- d-----w- C:\Program Files (x86)\DVDVideoSoft
2011-01-11 19:32:10 -------- d-----w- C:\Program Files (x86)\Common Files\DVDVideoSoft
2011-01-11 19:25:48 -------- d-----w- C:\Program Files (x86)\YouTube Downloader
2011-01-09 20:41:19 -------- d-----w- C:\Program Files\CCleaner

==================== Find3M ====================

2011-01-13 08:47:35 38848 ----a-w- C:\windows\avastSS.scr
2011-01-13 08:37:23 62032 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2010-12-20 23:08:40 24152 ----a-w- C:\windows\System32\drivers\mbam.sys
2010-11-13 01:07:45 675033 ----a-w- C:\windows\system\regsrv.exe
2010-11-13 01:07:38 659676 ----a-w- C:\windows\qbagent.exe
2010-11-12 23:53:06 472808 ----a-w- C:\windows\SysWow64\deployJava1.dll

============= FINISH: 12:34:35.67 ===============

Attached Files

attach2.txt.txt 9.57K 5 downloads

#4
Maniac

Posted 06 February 2011 - 02:02 PM

Forum Deity

Experts
17,047 posts

Gender:Male
Location:Bulgaria, EU

Please visit www.virustotal.com and upload one by one the following files:
C:\windows\system\viewed.dll
C:\windows\system\regsrv.exe
C:\windows\qbagent.exe

Post the resaults in your next reply.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#5
oh211

Posted 07 February 2011 - 12:19 PM

New Member

Members
3 posts

oh211, on Feb 6 2011, 01:07 PM, said:

AhnLab-V3 2011.02.06.00 2011.02.06 -
AntiVir 7.11.2.88 2011.02.07 -
Antiy-AVL 2.0.3.7 2011.01.28 -
Avast 4.8.1351.0 2011.02.07 -
Avast5 5.0.677.0 2011.02.07 -
AVG 10.0.0.1190 2011.02.07 -
BitDefender 7.2 2011.02.07 -
CAT-QuickHeal 11.00 2011.02.07 -
ClamAV 0.96.4.0 2011.02.07 -
Commtouch 5.2.11.5 2011.02.07 -
Comodo 7607 2011.02.07 -
DrWeb 5.0.2.03300 2011.02.07 -
Emsisoft 5.1.0.2 2011.02.07 -
eSafe 7.0.17.0 2011.02.06 -
eTrust-Vet 36.1.8144 2011.02.07 -
F-Prot 4.6.2.117 2011.02.04 -
F-Secure 9.0.16160.0 2011.02.07 -
Fortinet 4.2.254.0 2011.02.07 -
GData 21 2011.02.07 -
Ikarus T3.1.1.97.0 2011.02.07 -
Jiangmin 13.0.900 2011.02.05 -
K7AntiVirus 9.81.3771 2011.02.07 -
Kaspersky 7.0.0.125 2011.02.07 -
McAfee 5.400.0.1158 2011.02.07 -
McAfee-GW-Edition 2010.1C 2011.02.07 -
Microsoft 1.6502 2011.02.07 -
NOD32 5853 2011.02.07 -
Norman 6.07.03 2011.02.07 -
nProtect 2011-01-27.01 2011.02.02 -
Panda 10.0.3.5 2011.02.07 -
PCTools 7.0.3.5 2011.02.07 -
Prevx 3.0 2011.02.07 -
Rising 23.44.00.08 2011.02.07 -
Sophos 4.61.0 2011.02.07 -
SUPERAntiSpyware 4.40.0.1006 2011.02.07 Rogue.Agent/Gen-Nullo[DLL]
Symantec 20101.3.0.103 2011.02.07 -
TheHacker 6.7.0.1.125 2011.02.07 -
TrendMicro 9.200.0.1012 2011.02.07 -
TrendMicro-HouseCall 9.200.0.1012 2011.02.07 -
VBA32 3.12.14.3 2011.02.07 -
VIPRE 8337 2011.02.07 -
ViRobot 2011.2.7.4297 2011.02.07 -
VirusBuster 13.6.187.0 2011.02.07 -
Additional informationShow all
MD5 : ac812530dc390239e250418fdbaaf4b5
SHA1 : 5a306a03d26093b1fe334e87cbd8f5fc01775b36
SHA256: 25367b54664e1770bcaf349b4e033d819ebe334b5314223f895095e2c630ca97
ssdeep: 96:gNbY73GZlUtxWWf438fcVPwy3utMFf/hwKdwU5yhFBNCvItFfwOH9afssLj9:CW3SzW48EVP
wUuMFnmKdDOBNCgznUsq5
File size : 4961 bytes
First seen: 2011-02-07 17:07:15
Last seen : 2011-02-07 17:07:15
TrID:
Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

ExifTool:
file metadata
Error: File format error
FileSize: 4.8 kB

AhnLab-V3 2011.01.27.01 2011.01.27 -
AntiVir 7.11.2.59 2011.02.02 Joke/BadJoke.Formatter.J
Antiy-AVL 2.0.3.7 2011.01.28 Hoax/Win32.BadJoke.gen
Avast 4.8.1351.0 2011.02.02 -
Avast5 5.0.677.0 2011.02.02 -
BitDefender 7.2 2011.02.02 Trojan.Clicker.Agent.ADJ
CAT-QuickHeal 11.00 2011.02.02 Hoax.BadJoke.Formatter.j (Not a Virus)
ClamAV 0.96.4.0 2011.02.02 -
Commtouch 5.2.11.5 2011.02.02 -
Comodo 7568 2011.02.02 UnclassifiedMalware
Emsisoft 5.1.0.2 2011.02.02 Hoax.Win32.BadJoke.Formatter!IK
eTrust-Vet 36.1.8137 2011.02.02 -
F-Prot 4.6.2.117 2011.02.01 -
Fortinet 4.2.254.0 2011.02.02 -
GData 21 2011.02.02 Trojan.Clicker.Agent.ADJ
Ikarus T3.1.1.97.0 2011.02.02 Hoax.Win32.BadJoke.Formatter
Jiangmin 13.0.900 2011.02.02 -
K7AntiVirus 9.81.3725 2011.02.02 Trojan
McAfee 5.400.0.1158 2011.02.02 Artemis!6C4661D4D840
McAfee-GW-Edition 2010.1C 2011.02.02 Artemis!6C4661D4D840
Microsoft 1.6502 2011.02.02 Trojan:Win32/Tikuffed.U
NOD32 5841 2011.02.02 Win32/Agent.QTP
nProtect 2011-01-27.01 2011.02.02 Joke/W32.BadJoke.675033
Panda 10.0.3.5 2011.02.02 Trj/CI.A
PCTools 7.0.3.5 2011.02.02 Virus.DOS.Downloader
Prevx 3.0 2011.02.02 -
Rising 23.43.02.07 2011.02.02 Trojan.Win32.Generic.11E8A58A
Sophos 4.61.0 2011.02.02 Mal/Generic-L
SUPERAntiSpyware 4.40.0.1006 2011.02.02 -
TheHacker 6.7.0.1.123 2011.02.02 -
TrendMicro 9.200.0.1012 2011.02.02 -
VBA32 3.12.14.3 2011.02.02 -
VIPRE 8285 2011.02.02 Trojan.Win32.Generic!BT
ViRobot 2011.2.2.4288 2011.02.02 Hoax.BadJoke.675033
VirusBuster 13.6.178.0 2011.02.02 Trojan.Agent!9epyfnZkVQc
Additional informationShow all
MD5 : 6c4661d4d840f5903381c5dc66382aef
SHA1 : 94fd4657cedf276724c8c66cd4ec6571bfa5ab2c
SHA256: 9cbd2f51a1102b69a78f2522325048c23de53acb33bc333d236567c0fa0505fb
ssdeep: 12288:sxtx6cjhDBPl8/jDxGP7QFV2e+vWabM4aHYNEVe5LRLgjnues8Ya:Mtx6cjhDBPmDkzQ3
2n44uYNEo51LLesA
File size : 675033 bytes
First seen: 2010-02-08 17:19:43
Last seen : 2011-02-02 20:29:52
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
InstallShield setup (42.6%)
Win32 Executable MS Visual C++ (generic) (37.3%)
Win32 Executable Generic (8.4%)
Win32 Dynamic Link Library (generic) (7.5%)
Generic Win/DOS Executable (1.9%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: n/a
description..: Host Application
original name: n/a
internal name: n/a
file version.: 6.0.2900.5512
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x5E10
timedatestamp....: 0x48623C65 (Wed Jun 25 12:39:01 2008)
machinetype......: 0x14C (Intel I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x942A, 0xA000, 6.33, cc186e3b407d8234cfd17dc9962b7925
.rdata, 0xB000, 0xF86, 0x1000, 5.09, 658c23261b80012a995b64832ba351db
.data, 0xC000, 0x4000, 0x4000, 1.53, 2a4e5dc502dce8b3328199f97b582e03
.rsrc, 0x10000, 0x6F28, 0x7000, 5.5, 263ab8f809b69e2f7a7329f6967eac38

[[ 2 import(s) ]]
kernel32.dll: GetTempFileNameA, GetTempPathA, CreateDirectoryA, RemoveDirectoryA, FindClose, FindNextFileA, FindFirstFileA, Sleep, SetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, CreateProcessA, GetModuleFileNameA, GetStringTypeW, GetStringTypeA, IsBadCodePtr, IsBadReadPtr, SetUnhandledExceptionFilter, LoadLibraryA, GetProcAddress, LCMapStringW, LCMapStringA, CreateFileA, GetLastError, ReadFile, WriteFile, SetFilePointer, SetEnvironmentVariableA, GetCurrentDirectoryA, HeapFree, HeapAlloc, DeleteFileA, ExitProcess, TerminateProcess, GetCurrentProcess, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, RtlUnwind, HeapCompact, HeapReAlloc, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar
user32.dll: wsprintfA, PeekMessageA, GetMessageA, MsgWaitForMultipleObjects, TranslateMessage, DispatchMessageA, LoadStringA, MessageBoxA

ThreatExpert:
http://www.threatexpert.com/report.aspx?md...381c5dc66382aef
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 40960
CompanyName: Microsoft Corporation
EntryPoint: 0x5e10
FileDescription: Host Application
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 659 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.0.2900.5512
FileVersionNumber: 6.0.2900.5512
ImageVersion: 0.0
InitializedDataSize: 49152
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
PEType: PE32
ProductVersionNumber: 6.0.2900.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:06:25 14:39:01+02:00
UninitializedDataSize: 0

AhnLab-V3 2011.01.18.00 2011.01.17 -
AntiVir 7.11.1.201 2011.01.20 Joke/BadJoke.Formatter.AF
Antiy-AVL 2.0.3.7 2011.01.18 -
Avast 4.8.1351.0 2011.01.20 -
Avast5 5.0.677.0 2011.01.20 -
AVG 10.0.0.1190 2011.01.20 -
BitDefender 7.2 2011.01.20 -
CAT-QuickHeal 11.00 2011.01.20 Hoax.BadJoke.Formatter.af (Not a Virus)
ClamAV 0.96.4.0 2011.01.20 -
Commtouch 5.2.11.5 2011.01.20 -
Comodo 7454 2011.01.20 Heur.Suspicious
DrWeb 5.0.2.03300 2011.01.20 -
Emsisoft 5.1.0.1 2011.01.20 Hoax.Win32.BadJoke.Formatter!IK
eSafe 7.0.17.0 2011.01.20 -
eTrust-Vet 36.1.8113 2011.01.20 -
F-Prot 4.6.2.117 2011.01.20 -
F-Secure 9.0.16160.0 2011.01.20 -
Fortinet 4.2.254.0 2011.01.20 -
GData 21 2011.01.20 -
Ikarus T3.1.1.97.0 2011.01.20 Hoax.Win32.BadJoke.Formatter
Jiangmin 13.0.900 2011.01.20 -
K7AntiVirus 9.77.3603 2011.01.20 -
Kaspersky 7.0.0.125 2011.01.20 Hoax.Win32.BadJoke.Formatter.af
McAfee 5.400.0.1158 2011.01.20 Artemis!0AA5473341B9
McAfee-GW-Edition 2010.1C 2011.01.20 Artemis!0AA5473341B9
Microsoft 1.6402 2011.01.20 Trojan:Win32/Tikuffed.F
NOD32 5804 2011.01.20 -
Norman 6.06.12 2011.01.20 -
nProtect 2011-01-18.01 2011.01.18 Joke/W32.BadJoke.659676
Panda 10.0.2.7 2011.01.20 Trj/CI.A
PCTools 7.0.3.5 2011.01.20 -
Prevx 3.0 2011.01.20 -
Rising 23.41.03.06 2011.01.20 -
Sophos 4.61.0 2011.01.20 -
SUPERAntiSpyware 4.40.0.1006 2011.01.20 -
Symantec 20101.3.0.103 2011.01.20 WS.Reputation.1
TheHacker 6.7.0.1.116 2011.01.18 -
TrendMicro 9.120.0.1004 2011.01.20 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.20 -
VBA32 3.12.14.3 2011.01.20 -
VIPRE 8134 2011.01.20 Trojan.Win32.Generic!SB.0
ViRobot 2011.1.20.4265 2011.01.20 Hoax.BadJoke.659676
VirusBuster 13.6.156.0 2011.01.20 -
Additional informationShow all
MD5 : 0aa5473341b933f096edb84bdb8bf4e6
SHA1 : 230a83b9604fee52b49bf6518ac3f619b935e7bc
SHA256: 00886fb25e2d295b0c89cc01e0dca2224259decbb07b2dec80f76e1b69bff4cc
ssdeep: 12288:sxKMh6cjhDBPl8/jDxHEP7QFV2e+vWabM4aHYNEVe5LRLgnIEpLVub2i:MFh6cjhDBPmD
FEzQ32n44uYNEo51LqRC
File size : 659676 bytes
First seen: 2010-02-22 00:10:52
Last seen : 2011-01-20 21:30:26
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Intuit, Inc
copyright....: © Intuit Inc. All rights reserved.
product......: n/a
description..: QuickBooks 2010 Agent
original name: n/a
internal name: n/a
file version.: 16.0.0.328
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x5E10
timedatestamp....: 0x48623C65 (Wed Jun 25 12:39:01 2008)
machinetype......: 0x14C (Intel I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x942A, 0xA000, 6.33, cc186e3b407d8234cfd17dc9962b7925
.rdata, 0xB000, 0xF86, 0x1000, 5.09, 658c23261b80012a995b64832ba351db
.data, 0xC000, 0x4000, 0x4000, 1.53, 2a4e5dc502dce8b3328199f97b582e03
.rsrc, 0x10000, 0x6F28, 0x7000, 5.24, f7bf1f1415e32fb9ae6bb8d8faabba40

[[ 2 import(s) ]]
kernel32.dll: GetTempFileNameA, GetTempPathA, CreateDirectoryA, RemoveDirectoryA, FindClose, FindNextFileA, FindFirstFileA, Sleep, SetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, CreateProcessA, GetModuleFileNameA, GetStringTypeW, GetStringTypeA, IsBadCodePtr, IsBadReadPtr, SetUnhandledExceptionFilter, LoadLibraryA, GetProcAddress, LCMapStringW, LCMapStringA, CreateFileA, GetLastError, ReadFile, WriteFile, SetFilePointer, SetEnvironmentVariableA, GetCurrentDirectoryA, HeapFree, HeapAlloc, DeleteFileA, ExitProcess, TerminateProcess, GetCurrentProcess, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, RtlUnwind, HeapCompact, HeapReAlloc, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar
user32.dll: wsprintfA, PeekMessageA, GetMessageA, MsgWaitForMultipleObjects, TranslateMessage, DispatchMessageA, LoadStringA, MessageBoxA

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 40960
CompanyName: Intuit, Inc
EntryPoint: 0x5e10
FileDescription: QuickBooks 2010 Agent
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 644 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 16.0.0.328
FileVersionNumber: 16.0.0.328
ImageVersion: 0.0
InitializedDataSize: 49152
LanguageCode: English (U.S.)
LegalCopyright: Intuit Inc. All rights reserved.
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
PEType: PE32
ProductVersionNumber: 16.0.0.328
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:06:25 14:39:01+02:00
UninitializedDataSize: 0

#6
Maniac

Posted 07 February 2011 - 01:02 PM

Forum Deity

Experts
17,047 posts

Gender:Male
Location:Bulgaria, EU

Please download the Suspicious File Packer (by Safer Networking Limited) and unzip to your desktop.
Run sfp.exe
Copy the following part of code box into the SFP window:
```
C:\windows\system\regsrv.exe
C:\windows\qbagent.exe
```
Allow SFP to pack the file and then will be generate a CAB archive on your desktop.

Next, please upload this archive here:
http://forums.malwar...hp?showforum=51

But first, read the rules:
http://forums.malwar...showtopic=31067

Let me know.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#7
LDTate

Posted 13 February 2011 - 07:22 AM

Forum Deity

Moderators
20,091 posts

Gender:Male
Location:Missouri, USA

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Larry Tate
Consumer Support Specialist