Go to Start | Search and enter that file name. Search for files/folders on your pc
I can't find this file anywhere. I searched all files:
ssvchn.dll
As for the other files, they are all fine.
I'm not having those IE pop-ups anymore, but it seems Microsoft Internet Explorer has taken over. As I said, I use Firefox, but when I click on any link, it opens IE. Even when I open a photo file, I used to have Nero display the photo, but now it's Windows Picture Viewer.
Also, my clock now shows in military time and the date is Jan, 2088. Weird things have definitely happened!
Marty
Combofix makes changes that will be reverted once we are finished.
I have serious doubts that the following files are ok;
C:\zcxxfilse.exe
c:\windows\windsvc.exe
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
c:\windows\mchost.exe
C:\windll_v354.exe
Executables running from Application Data folders are a sure sign of badness. The same named file also resides in your Windows folder too.
I would like to see the results from the online scans please.
==
Please do the following;
Code:
FileLook::
C:\zcxxfilse.exe
c:\windows\windsvc.exe
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
c:\windows\mchost.exe
C:\windll_v354.exe
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS before continuing!
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt
· Please post that log.
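As an added illustration of the triage the helper applies here (executables running from Application Data, the same file name also sitting in the Windows folder, and what the FileLook:: report gives you), the Python script below parses ComboFix "Look" output and flags those patterns, grouping files that share an MD5. It is not part of this thread or of ComboFix; the sample input is the Look section from the log Marty posts later in the thread.

```python
import re
from collections import defaultdict

# Sample input: the ComboFix "Look" report for the six FileLook:: files, copied from the log posted later in this thread.
LOOK_OUTPUT = r"""
---- c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7
C:\qjfrlys.exe -- Unable to find Resource table header.
MD5: 21405dd01269a7700ae6380a9f10fd33
---- C:\windll_v354.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7
---- c:\windows\mchost.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7
---- c:\windows\windsvc.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e26a9804057a4cafc7053bc1b1328200
---- C:\zcxxfilse.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e26a9804057a4cafc7053bc1b1328200
"""

HEADER_RE = re.compile(r"^---- (?P<path>.+?) ----$")          # "---- path ----" block header
NO_RESOURCE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -- (?P<note>Unable to find .+)$")  # PE without a version resource
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)  # e.g. C:\something.exe

def parse_look(text):
    """Split a ComboFix 'Look' report into entries: path, md5, note and version-info fields."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line) or NO_RESOURCE_RE.match(line)
        if m:  # a new file starts with either kind of header line
            current = {"path": m.group("path"), "md5": None, "note": m.groupdict().get("note"), "fields": {}}
            entries.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.upper() == "MD5":
            current["md5"] = value.lower()
        else:
            current["fields"][key] = value
    return entries

def triage(entries):
    """Return {path: [reasons]} using the heuristics the helper describes above."""
    by_md5 = defaultdict(list)
    for e in entries:
        if e["md5"]:
            by_md5[e["md5"]].append(e["path"])
    findings = {}
    for e in entries:
        reasons = []
        if "\\application data\\" in e["path"].lower():
            reasons.append("executable running from an Application Data folder")
        if ROOT_EXE_RE.match(e["path"]):
            reasons.append("executable dropped in the drive root")
        if e["note"]:
            reasons.append("no PE version resource: " + e["note"])
        elif not e["fields"].get("Company") and not e["fields"].get("Product Name"):
            reasons.append("no publisher or product metadata")
        twins = [p for p in by_md5.get(e["md5"], []) if p != e["path"]]
        if twins:  # same MD5 elsewhere means the same binary was dropped under several names
            reasons.append("byte-identical (same MD5) to: " + "; ".join(twins))
        findings[e["path"]] = reasons
    return findings
```

Running `triage(parse_look(LOOK_OUTPUT))` shows the two mchost.exe copies and windll_v354.exe as one binary, and windsvc.exe and zcxxfilse.exe as another.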
Just so I understand. I will make a new file on my desktop as CFscript.txt. Then, I will copy and paste the files you posted into that folder. Then, I will drag that folder over combofix.exe and follow the prompts. Is that correct? Do I need to disconnect from the internet first and shut down all protection?
Yes to all. Open notepad and enter those files then save as CFscript.txt.
I ran the scan of combofix with entering the other file pasted over it. It just hung up my computer for 15 hours. I had to stop it because I had to send an important email. It didn't seem right that it hung up for that long. What do you suggest?
Try again in safe mode following these instructions;
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Code:
FileLook::
C:\zcxxfilse.exe
c:\windows\windsvc.exe
c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
C:\qjfrlys.exe
c:\windows\mchost.exe
C:\windll_v354.exe
3. Save the above as CFScript.txt
4. Physically disconnect from the internet.
5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
https://discussions.virtualdr.com/im.../2010/07/1.gif
7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
- Combofix.txt
- A new HijackThis log.
Please take note:
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Combofix again hung up and did nothing for over three hours. It still shows at the beginning that I have Antivir "real time guard" installed and running. Even windows security shows that I have antivirus installed. I used the windows "add or remove" to remove all Antivir files, but obviously, some files are still installed. I found these two files:
Antiviru.evt
Antivirus.evt
Should I delete these? I've looked everywhere for the Antivir files and can't find any. Is this causing Combofix NOT to work properly? I'm sorry this isn't going smoothly.
Marty
It is possible that that is causing it to hang, but I have never seen that before.
I would still like to see the results from the online scans of those files though.
Let's get rid of combofix then download it again to see if that works.
- Click START then RUN
- Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
- When shown the disclaimer, Select "2"
The above procedure will:
- Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Reset System Restore.
I hope I didn't do something wrong, but this is what I did. After re-installing, the program still froze for hours, so instead of dragging the entire folder: cfscript.txt, I went into that folder and dragged the text file with all the info you sent into combofix and it worked...I think?! Here's the log file in two parts:
ComboFix 09-01-08.01 - Marty Rosengarten 2009-01-08 21:45:13.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2975 [GMT -5:00]
Running from: c:\documents and settings\Marty Rosengarten\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Marty Rosengarten\Desktop\CFscript.txt\CFscript.txt
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning disabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
FW: *disabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.
2009-01-07 18:00 . 2009-01-07 18:00 <DIR> d-------- c:\documents and settings\Marty Rosengarten\Application Data\Grisoft
2009-01-07 18:00 . 2007-05-30 07:10 10,872 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2009-01-06 14:14 . 2009-01-06 14:14 685,056 --a------ c:\windows\isRS-000.tmp
2009-01-06 14:14 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 02:54 . 2009-01-06 02:54 90,112 --a------ C:\zcxxfilse.exe
2009-01-06 02:54 . 2009-01-06 02:54 90,112 -r-hs---- c:\windows\windsvc.exe
2009-01-06 00:40 . 2009-01-06 00:46 108,516,963 --ah----- C:\Maxthon.html
2009-01-06 00:38 . 2009-01-07 00:26 831,421,626 --ah----- C:\Opera.html
2009-01-06 00:37 . 2009-01-06 00:34 344,064 -rahs---- c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe
2009-01-06 00:37 . 2009-01-06 00:38 14,336 --a------ C:\qjfrlys.exe
2009-01-06 00:36 . 2009-01-07 00:26 800,535,260 --ah----- C:\Mozilla.html
2009-01-06 00:35 . 2009-01-06 00:34 344,064 -rahs---- c:\windows\mchost.exe
2009-01-06 00:34 . 2009-01-06 00:34 344,064 --ah----- C:\windll_v354.exe
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client 3.0 Setup Files
2008-12-16 00:53 . 2008-12-16 00:53 <DIR> d-------- c:\program files\SmartFTP Client
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 02:45 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\skypePM
2009-01-09 02:45 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Skype
2009-01-09 00:42 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-08 21:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 21:31 --------- d-----w c:\program files\Lavasoft
2009-01-06 19:15 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-06 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 23:20 --------- d-----w c:\program files\SpywareBlaster
2009-01-05 22:35 --------- d-----w c:\program files\fotoQuote
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-03 08:02 --------- d-----w c:\program files\CCleaner
2009-01-03 07:58 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2008-12-22 04:32 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\Lasersoft Imaging
2008-12-17 12:58 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\FileZilla
2008-12-16 05:54 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\SmartFTP
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-26 06:09 --------- d-----w c:\program files\RegCure
2008-11-25 08:53 --------- d-----w c:\documents and settings\Marty Rosengarten\Application Data\LumaPix
2008-11-13 04:12 --------- d-----w c:\program files\MSXML 4.0
2008-10-26 17:18 273,264 ----a-w c:\windows\FotoFusionV4 Uninstaller.exe
2008-10-26 03:24 5,423,104 ----a-w c:\windows\system32\tlpsplib10.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2006-10-08 05:39 2,388 -c--a-w c:\program files\uninstalcwp2.log
2006-02-28 01:10 48,472 -c--a-w c:\documents and settings\Marty Rosengarten\Application Data\GDIPFONTCACHEV1.DAT
2005-09-10 00:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
2005-09-10 00:55 37,766,164 -c--a-w c:\program files\Data1.cab
2005-09-10 00:55 35 -c--a-w c:\program files\SCSSDist.ini
2005-02-22 14:16 1,867 -c--a-w c:\documents and settings\Marty Rosengarten\CountCorners.vbs
2003-11-18 18:37 241,664 ----a-w c:\program files\npmusicn.dll
2002-07-26 21:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-09-18 21:39 56 --sh--r c:\windows\system32\01758A4BD5.sys
2007-01-03 10:12 88 --sha-r c:\windows\system32\83BE6B67B2.sys
2008-09-18 21:39 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- c:\documents and settings\Marty Rosengarten\Application Data\mchost.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7
C:\qjfrlys.exe -- Unable to find Resource table header.
MD5: 21405dd01269a7700ae6380a9f10fd33
---- C:\windll_v354.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7
---- c:\windows\mchost.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e93527b115490081dfd3c43ee722bfc7
---- c:\windows\windsvc.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e26a9804057a4cafc7053bc1b1328200
---- C:\zcxxfilse.exe ----
Company:
File Description:
File Version: 1.00
Product Name:
Copyright:
Original file name: Application.exe
MD5: e26a9804057a4cafc7053bc1b1328200
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2008-07-17 2599224]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2008-03-24 218496]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2006-04-05 2177256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-15 180269]
"PrettyMay"="c:\program files\PrettyMay\PrettyMay.exe" [2008-04-23 2715648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-10 385024]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"settings"="c:\windows\mchost.exe" [2009-01-06 344064]
c:\documents and settings\Marty Rosengarten\Start Menu\Programs\Startup\
PANTONE(R) colorist.lnk - c:\program files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe [2003-10-28 98304]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ColorVisionStartup.lnk - c:\program files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 385024]
MonacoGamma.lnk - c:\program files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe [2005-10-28 102400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ssvchn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg30.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *\0lsdelete
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" /startup
"dlmMgr"="c:\program files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
"Ink Monitor"=c:\program files\EPSON\Ink Monitor\InkMonitor.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"UpdReg"=c:\windows\UpdReg.EXE
"ehTray"=c:\windows\ehome\ehtray.exe
"P17Helper"=Rundll32 P17.dll,P17Helper
"IntelMeM"=c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"CTSysVol"=c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
"WD Button Manager"=WDBtnMgr.exe
"DLA"=c:\windows\System32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\Marty Rosengarten\\My Documents\\Download Start-up files\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Bridge CS3\\Bridge.exe"=
"c:\\Program Files\\Adobe\\Adobe Device Central CS3\\DeviceCentral.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Utilities\\ExtendScript Toolkit 2\\ExtendScript Toolkit 2.exe"=
"c:\\Program Files\\Adobe\\Adobe Help Center\\ahc.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS2\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop CS3\\Photoshop.exe"=
"c:\\Program Files\\Adobe\\Adobe Stock Photos CS3\\Adobe Stock Photos CS3.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\fotoQuote\\My Product Name\\FotoQuote Pro\\FotoQuote Pro.EXE"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12283:TCP"= 12283:TCP:BitComet 12283 TCP
"12283:UDP"= 12283:UDP:BitComet 12283 UDP
"14461:TCP"= 14461:TCP:BitComet 14461 TCP
"14461:UDP"= 14461:UDP:BitComet 14461 UDP
"9881:TCP"= 9881:TCP:BitComet 9881 TCP
"9881:UDP"= 9881:UDP:BitComet 9881 UDP
"6346:TCP"= 6346:TCP:Shareaza
"8192:TCP"= 8192:TCP:BitComet 8192 TCP
"8192:UDP"= 8192:UDP:BitComet 8192 UDP
"13946:TCP"= 13946:TCP:BitComet 13946 TCP
"13946:UDP"= 13946:UDP:BitComet 13946 UDP
R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2007-01-24 14976]
S1 bf324a68;bf324a68;c:\windows\system32\drivers\bf324a68.sys --> c:\windows\system32\drivers\bf324a68.sys [?]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2006-06-24 39048]
S4 HPFECP06;HPFECP06;c:\windows\system32\drivers\HPFECP06.SYS --> c:\windows\system32\drivers\HPFECP06.SYS [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{NQQ5L861-82LC-FV28-BC5R-EK164PT2UCAG}]
"c:\windows\mchost.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
2009-01-08 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]
2009-01-01 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-26 00:06]
2009-01-08 c:\windows\Tasks\xoowsmum.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -
BHO-{56525793-8408-4ED2-8F6C-F195B775570B} - (no file)
Notify-fccyaBUM - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\Firefox\Profiles\ohrfy97m.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Marty Rosengarten\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 21:46:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
Completion time: 2009-01-08 21:49:48
ComboFix-quarantined-files.txt 2009-01-09 02:48:34
Pre-Run: 96,814,821,376 bytes free
Post-Run: 96,800,747,520 bytes free
425 --- E O F --- 2008-12-22 02:36:50
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:32 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\BitComet\BitComet.exe
C:\Documents and Settings\Marty Rosengarten\My Documents\Download Start-up files\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\mchost.exe",
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\MARTY ROSENGARTEN\Application Data\Mozilla\Profiles\default\azfimivy.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrettyMay] C:\Program Files\PrettyMay\PrettyMay.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [settings] C:\WINDOWS\mchost.exe
O4 - HKCU\..\Policies\Explorer\Run: [settings] C:\WINDOWS\mchost.exe
O4 - Startup: PANTONE(R) colorist.lnk = C:\Program Files\Pantone, Inc\PANTONE(R) colorist\PANTONE(R) colorist.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ssvchn.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
--
End of file - 13030 bytes
File isRS-000.tmp received on 01.08.2009 04:52:02 (CET)
Current status: finished
Result: 1/38 (2.63%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.08 -
AhnLab-V3 2009.1.8.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.07 -
Authentium 5.1.0.4 2009.01.07 -
Avast 4.8.1281.0 2009.01.07 -
AVG 8.0.0.199 2009.01.07 -
BitDefender 7.2 2009.01.08 -
CAT-QuickHeal 10.00 2009.01.06 -
ClamAV 0.94.1 2009.01.07 -
Comodo 891 2009.01.07 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.06 -
eTrust-Vet 31.6.6296 2009.01.07 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.07 -
F-Secure 8.0.14470.0 2009.01.08 -
Fortinet 3.117.0.0 2009.01.08 -
GData 19 2009.01.08 -
Ikarus T3.1.1.45.0 2009.01.08 -
K7AntiVirus 7.10.581 2009.01.07 -
Kaspersky 7.0.0.125 2009.01.08 -
McAfee 5488 2009.01.07 -
McAfee+Artemis 5488 2009.01.07 -
Microsoft 1.4205 2009.01.07 -
NOD32 3749 2009.01.07 -
Norman 5.99.02 2009.01.07 -
Panda 9.0.0.4 2009.01.08 Suspicious file
PCTools 4.4.2.0 2009.01.07 -
Rising 21.11.30.00 2009.01.08 -
SecureWeb-Gateway 6.7.6 2009.01.07 -
Sophos 4.37.0 2009.01.08 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.08 -
TheHacker 6.3.1.4.212 2009.01.08 -
TrendMicro 8.700.0.1004 2009.01.08 -
VBA32 3.12.8.10 2009.01.07 -
ViRobot 2009.1.7.1548 2009.01.07 -
VirusBuster 4.5.11.0 2009.01.07 -
Additional information
File size: 685056 bytes
PEiD..: -
TrID..: File type identification
Windows OCX File (86.8%)
Win32 Executable Delphi generic (10.3%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x490b04
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x8fd34 0x8fe00 6.59 14845ac96af400d883c79c670404b4d2
DATA 0x91000 0xf70 0x1000 4.30 5b5b5131230aa2d505134437519c9eed
BSS 0x92000 0x13ac 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x94000 0x25a4 0x2600 4.93 e31473a4f3c3c5e310b54a1695d2dc0a
.tls 0x97000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x98000 0x18 0x200 0.20 2576789ccaafa41177b70528c836b8df
.reloc 0x99000 0x850c 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0xa2000 0x13a00 0x13a00 4.92 9aff204abe7ef34a0c023eb372259982
( 17 imports )
( 0 exports )
CWSandbox info: http://research.sunbelt-software.com...d6f3437fc11d50
File zcxxfilse.exe received on 01.08.2009 05:24:06 (CET)
Current status: finished
Result: 1/39 (2.56%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.08 -
AhnLab-V3 2009.1.8.0 2009.01.08 -
AntiVir 7.9.0.45 2009.01.07 -
Authentium 5.1.0.4 2009.01.07 -
Avast 4.8.1281.0 2009.01.07 -
AVG 8.0.0.199 2009.01.07 -
BitDefender 7.2 2009.01.08 -
CAT-QuickHeal 10.00 2009.01.06 -
ClamAV 0.94.1 2009.01.07 -
Comodo 891 2009.01.07 -
DrWeb 4.44.0.09170 2009.01.08 -
eSafe 7.0.17.0 2009.01.06 -
eTrust-Vet 31.6.6296 2009.01.07 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.07 -
F-Secure 8.0.14470.0 2009.01.08 -
Fortinet 3.117.0.0 2009.01.08 -
GData 19 2009.01.08 -
Ikarus T3.1.1.45.0 2009.01.08 -
K7AntiVirus 7.10.581 2009.01.07 -
Kaspersky 7.0.0.125 2009.01.08 -
McAfee 5488 2009.01.07 -
McAfee+Artemis 5488 2009.01.07 -
Microsoft 1.4205 2009.01.07 -
NOD32 3749 2009.01.07 -
Norman 5.99.02 2009.01.07 -
Panda 9.0.0.4 2009.01.08 -
PCTools 4.4.2.0 2009.01.07 -
Prevx1 V2 2009.01.08 Cloaked Malware
Rising 21.11.30.00 2009.01.08 -
SecureWeb-Gateway 6.7.6 2009.01.07 -
Sophos 4.37.0 2009.01.08 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.08 -
TheHacker 6.3.1.4.212 2009.01.08 -
TrendMicro 8.700.0.1004 2009.01.08 -
VBA32 3.12.8.10 2009.01.07 -
ViRobot 2009.1.7.1548 2009.01.07 -
VirusBuster 4.5.11.0 2009.01.07 -
Additional information
File size: 90112 bytes
PEiD..: -
TrID..: File type identification
Win32 Executable Microsoft Visual Basic 6 (90.9%)
Win32 Executable Generic (6.1%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4019a8
timedatestamp.....: 0x49372c8c (Thu Dec 04 01:04:12 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb640 0xc000 5.58 28f45b2b54b3e69e928d8226e8b8b95b
.data 0xd000 0xd20 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0xe000 0x39c 0x8000 6.98 856cc545c9654fc917a5f47da56b719c
( 1 imports )
( 0 exports )
CWSandbox info: http://research.sunbelt-software.com...053bc1b1328200
Prevx info: http://info.prevx.com/aboutprogramte...8B8300C56829C1