Author Topic: Please help Avast found this trojan file cp1041.nls  (Read 27311 times)

Offline jbalcorn

  • Jr. Member
  • **
  • Posts: 97
    • Personal Message (Offline)
Re: Please help Avast found this trojan file cp1041.nls
« Reply #90 on: January 17, 2008, 10:58:09 PM »
[Files/Folders - Created Within 90 days]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 1/16/2008 5:38:07 PM | Attr =    ]
Great Smoky Real Estate - Images -> %SystemDrive%\Great Smoky Real Estate - Images ->  [Folder | Created Date = 11/21/2007 10:58:06 AM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 1/16/2008 5:38:19 PM | Attr =    ]
_rpcs -> %SystemDrive%\_rpcs ->  [Folder | Created Date = 1/3/2008 9:56:59 PM | Attr =    ]
$NtUninstallKB937894$ -> %SystemRoot%\$NtUninstallKB937894$ ->  [Folder | Created Date = 12/13/2007 3:07:54 AM | Attr =  H ]
$NtUninstallKB941568$ -> %SystemRoot%\$NtUninstallKB941568$ ->  [Folder | Created Date = 12/13/2007 3:06:03 AM | Attr =  H ]
$NtUninstallKB941569$ -> %SystemRoot%\$NtUninstallKB941569$ ->  [Folder | Created Date = 12/13/2007 3:06:25 AM | Attr =  H ]
$NtUninstallKB941644$ -> %SystemRoot%\$NtUninstallKB941644$ ->  [Folder | Created Date = 1/9/2008 1:29:51 AM | Attr =  H ]
$NtUninstallKB942615$ -> %SystemRoot%\$NtUninstallKB942615$ ->  [Folder | Created Date = 12/13/2007 3:05:34 AM | Attr =  H ]
$NtUninstallKB942763$ -> %SystemRoot%\$NtUninstallKB942763$ ->  [Folder | Created Date = 12/13/2007 3:06:30 AM | Attr =  H ]
$NtUninstallKB942840$ -> %SystemRoot%\$NtUninstallKB942840$ ->  [Folder | Created Date = 12/13/2007 3:07:48 AM | Attr =  H ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ ->  [Folder | Created Date = 11/15/2007 3:06:00 AM | Attr =  H ]
$NtUninstallKB943485$ -> %SystemRoot%\$NtUninstallKB943485$ ->  [Folder | Created Date = 1/9/2008 1:29:45 AM | Attr =  H ]
$NtUninstallKB944653$ -> %SystemRoot%\$NtUninstallKB944653$ ->  [Folder | Created Date = 12/13/2007 3:03:44 AM | Attr =  H ]
$NtUninstallKB946627$ -> %SystemRoot%\$NtUninstallKB946627$ ->  [Folder | Created Date = 12/20/2007 10:56:14 PM | Attr =  H ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 1/16/2008 5:38:35 PM | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 1/16/2008 5:38:17 PM | Attr =    ]
PSI3_Operation.ini -> %SystemRoot%\PSI3_Operation.ini ->  [Ver =  | Size = 876 bytes | Created Date = 1/10/2008 3:12:02 PM | Attr =    ]
SWWATER.INI -> %SystemRoot%\SWWATER.INI ->  [Ver =  | Size = 314 bytes | Created Date = 1/4/2008 2:30:57 PM | Attr =    ]
_delis43.ini -> %SystemRoot%\_delis43.ini ->  [Ver =  | Size = 290 bytes | Created Date = 1/14/2008 10:24:00 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 330 bytes | Created Date = 1/14/2008 6:49:42 PM | Attr =  H ]
CommXPCtrl.ocx -> %System32%\CommXPCtrl.ocx -> Samsung Electronics [Ver = 1.00 | Size = 69632 bytes | Created Date = 1/10/2008 3:28:15 PM | Attr =    ]
FileupCtl.ocx -> %System32%\FileupCtl.ocx -> Hyegi [Ver = 1.00.0014 | Size = 49152 bytes | Created Date = 1/10/2008 3:13:51 PM | Attr =    ]
FPSPR70.ocx -> %System32%\FPSPR70.ocx -> FarPoint Technologies, Inc. [Ver = 7.0.15 | Size = 1909936 bytes | Created Date = 1/10/2008 3:12:54 PM | Attr =    ]
GSBN.ocx -> %System32%\GSBN.ocx -> ??SDS [Ver = 1.01.0151 | Size = 241664 bytes | Created Date = 1/10/2008 3:13:46 PM | Attr =    ]
Magentic Screensaver.scr -> %System32%\Magentic Screensaver.scr -> IncrediMail LTD. [Ver = 1, 3, 1, 0547 | Size = 745547 bytes | Created Date = 12/26/2007 7:22:58 PM | Attr =    ]
Odbcjet.cnt -> %System32%\Odbcjet.cnt ->  [Ver =  | Size = 6902 bytes | Created Date = 1/10/2008 3:28:19 PM | Attr =    ]
Odbcjet.hlp -> %System32%\Odbcjet.hlp ->  [Ver =  | Size = 170865 bytes | Created Date = 1/10/2008 3:28:19 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Created Date = 1/16/2008 5:38:17 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 1/16/2008 5:38:17 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 1/16/2008 5:38:17 PM | Attr =    ]
VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 1/16/2008 5:38:17 PM | Attr =    ]
Vsflex7L.ocx -> %System32%\Vsflex7L.ocx -> VideoSoft [Ver = 7, 0, 0, 67 | Size = 421891 bytes | Created Date = 1/10/2008 3:28:21 PM | Attr =    ]
VSPRINT7.ocx -> %System32%\VSPRINT7.ocx -> VideoSoft [Ver = 7, 0, 0, 6 | Size = 331776 bytes | Created Date = 1/10/2008 3:28:22 PM | Attr =    ]
quartz.dll -> %System32%\dllcache\quartz.dll ->  [Ver =  | Size = 1287680 bytes | Created Date = 10/29/2007 5:35:13 PM | Attr =    ]
AvgArCln.sys -> %System32%\drivers\AvgArCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 1/17/2008 6:03:53 PM | Attr =    ]
ikfilesec.sys -> %System32%\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1038 built by: WinDDK | Size = 41864 bytes | Created Date = 1/17/2008 6:00:24 PM | Attr =    ]
iksysflt.sys -> %System32%\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Created Date = 1/17/2008 6:00:24 PM | Attr =    ]
iksyssec.sys -> %System32%\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1031 | Size = 81288 bytes | Created Date = 1/17/2008 6:00:24 PM | Attr =    ]
kcom.sys -> %System32%\drivers\kcom.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1008 | Size = 29576 bytes | Created Date = 1/17/2008 6:00:24 PM | Attr =    ]
TfKbMon.sys -> %System32%\drivers\TfKbMon.sys -> PC Tools [Ver = 3.7.9.20 | Size = 12608 bytes | Created Date = 12/2/2007 11:28:33 AM | Attr =    ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1052 | Size = 102800 bytes | Created Date = 1/17/2008 6:22:29 PM | Attr =    ]

Offline jbalcorn

« Reply #91 on: January 17, 2008, 10:59:03 PM »
[Files/Folders - Modified Within 90 days]
Alcorn Property Services.office.QBW -> %SystemDrive%\Alcorn Property Services.office.QBW ->  [Ver =  | Size = 15159296 bytes | Modified Date = 12/28/2007 4:49:04 PM | Attr = R  ]
Alcorn Property Services.office.QBW.ND -> %SystemDrive%\Alcorn Property Services.office.QBW.ND ->  [Ver =  | Size = 341 bytes | Modified Date = 12/28/2007 4:49:04 PM | Attr =    ]
Alcorn Property Services.office.QBW.TLG -> %SystemDrive%\Alcorn Property Services.office.QBW.TLG ->  [Ver =  | Size = 196608 bytes | Modified Date = 12/28/2007 4:49:04 PM | Attr = R  ]
Alcorn Property Services.QBW -> %SystemDrive%\Alcorn Property Services.QBW ->  [Ver =  | Size = 16105472 bytes | Modified Date = 1/15/2008 11:24:34 PM | Attr = R  ]
Alcorn Property Services.QBW.ND -> %SystemDrive%\Alcorn Property Services.QBW.ND ->  [Ver =  | Size = 334 bytes | Modified Date = 1/15/2008 11:24:34 PM | Attr =    ]
Alcorn Property Services.QBW.TLG -> %SystemDrive%\Alcorn Property Services.QBW.TLG ->  [Ver =  | Size = 589824 bytes | Modified Date = 1/15/2008 11:24:32 PM | Attr = R  ]
APS Payroll.qba.QBW -> %SystemDrive%\APS Payroll.qba.QBW ->  [Ver =  | Size = 15699968 bytes | Modified Date = 12/14/2007 12:37:44 PM | Attr = R  ]
APS Payroll.qba.QBW.ND -> %SystemDrive%\APS Payroll.qba.QBW.ND ->  [Ver =  | Size = 325 bytes | Modified Date = 12/14/2007 12:37:44 PM | Attr =    ]
APS Payroll.qba.QBW.TLG -> %SystemDrive%\APS Payroll.qba.QBW.TLG ->  [Ver =  | Size = 983040 bytes | Modified Date = 12/14/2007 12:37:44 PM | Attr = R  ]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 209 bytes | Modified Date = 1/16/2008 1:41:10 PM | Attr = RHS]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 1/17/2008 11:35:14 PM | Attr =    ]
Config.Msi -> %SystemDrive%\Config.Msi ->  [Folder | Modified Date = 1/17/2008 5:45:16 PM | Attr =    ]
Great Smoky Real Estate - Images -> %SystemDrive%\Great Smoky Real Estate - Images ->  [Folder | Modified Date = 11/21/2007 10:58:08 AM | Attr =    ]
Great Smoky Real Estate Tax Forms -> %SystemDrive%\Great Smoky Real Estate Tax Forms ->  [Folder | Modified Date = 1/14/2008 12:43:04 PM | Attr =    ]
Great Smoky Real Estate.QBW -> %SystemDrive%\Great Smoky Real Estate.QBW ->  [Ver =  | Size = 7860224 bytes | Modified Date = 1/15/2008 2:49:10 PM | Attr = R  ]
Great Smoky Real Estate.QBW.ND -> %SystemDrive%\Great Smoky Real Estate.QBW.ND ->  [Ver =  | Size = 333 bytes | Modified Date = 1/15/2008 2:49:10 PM | Attr =    ]
Great Smoky Real Estate.QBW.TLG -> %SystemDrive%\Great Smoky Real Estate.QBW.TLG ->  [Ver =  | Size = 458752 bytes | Modified Date = 1/15/2008 2:49:10 PM | Attr = R  ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 1/17/2008 10:41:16 PM | Attr = R  ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 1/17/2008 11:34:36 PM | Attr =    ]
RECYCLER -> %SystemDrive%\RECYCLER ->  [Folder | Modified Date = 1/14/2008 10:17:50 PM | Attr =  HS]
Rfwin -> %SystemDrive%\Rfwin ->  [Folder | Modified Date = 1/14/2008 8:06:04 PM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 1/16/2008 5:38:20 PM | Attr =  HS]
temp -> %SystemDrive%\temp ->  [Folder | Modified Date = 1/18/2008 5:56:54 PM | Attr =  H ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 1/18/2008 7:49:04 AM | Attr =    ]
_rpcs -> %SystemDrive%\_rpcs ->  [Folder | Modified Date = 1/3/2008 10:24:24 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 1/8/2008 8:38:52 PM | Attr =  H ]
$NtUninstallKB937894$ -> %SystemRoot%\$NtUninstallKB937894$ ->  [Folder | Modified Date = 12/13/2007 3:07:56 AM | Attr =  H ]
$NtUninstallKB941568$ -> %SystemRoot%\$NtUninstallKB941568$ ->  [Folder | Modified Date = 12/13/2007 3:06:04 AM | Attr =  H ]
$NtUninstallKB941569$ -> %SystemRoot%\$NtUninstallKB941569$ ->  [Folder | Modified Date = 12/13/2007 3:06:28 AM | Attr =  H ]
$NtUninstallKB941644$ -> %SystemRoot%\$NtUninstallKB941644$ ->  [Folder | Modified Date = 1/9/2008 1:29:52 AM | Attr =  H ]
$NtUninstallKB942615$ -> %SystemRoot%\$NtUninstallKB942615$ ->  [Folder | Modified Date = 12/13/2007 3:05:42 AM | Attr =  H ]
$NtUninstallKB942763$ -> %SystemRoot%\$NtUninstallKB942763$ ->  [Folder | Modified Date = 12/13/2007 3:06:32 AM | Attr =  H ]
$NtUninstallKB942840$ -> %SystemRoot%\$NtUninstallKB942840$ ->  [Folder | Modified Date = 12/13/2007 3:07:50 AM | Attr =  H ]
$NtUninstallKB943460$ -> %SystemRoot%\$NtUninstallKB943460$ ->  [Folder | Modified Date = 11/15/2007 3:06:02 AM | Attr =  H ]
$NtUninstallKB943485$ -> %SystemRoot%\$NtUninstallKB943485$ ->  [Folder | Modified Date = 1/9/2008 1:29:46 AM | Attr =  H ]
$NtUninstallKB944653$ -> %SystemRoot%\$NtUninstallKB944653$ ->  [Folder | Modified Date = 12/13/2007 3:03:46 AM | Attr =  H ]
$NtUninstallKB946627$ -> %SystemRoot%\$NtUninstallKB946627$ ->  [Folder | Modified Date = 12/20/2007 10:56:16 PM | Attr =  H ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 1/18/2008 7:48:54 AM | Attr =   S]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 1/17/2008 11:31:00 PM | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 1/17/2008 5:42:18 PM | Attr =    ]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 12/7/2007 11:54:06 AM | Attr = R S]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 1/14/2008 6:46:34 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 1/17/2008 5:45:16 PM | Attr =  HS]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 1/14/2008 11:51:12 PM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 1/18/2008 5:57:52 PM | Attr =    ]
PSI3_Operation.ini -> %SystemRoot%\PSI3_Operation.ini ->  [Ver =  | Size = 876 bytes | Modified Date = 1/10/2008 3:26:10 PM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 1/16/2008 4:12:02 PM | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 1/18/2008 7:49:22 AM | Attr =    ]
SWWATER.INI -> %SystemRoot%\SWWATER.INI ->  [Ver =  | Size = 314 bytes | Modified Date = 1/4/2008 2:30:58 PM | Attr =    ]
system -> %SystemRoot%\system ->  [Folder | Modified Date = 1/17/2008 10:27:42 PM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 243 bytes | Modified Date = 1/17/2008 11:34:18 PM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 1/17/2008 10:27:42 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 1/18/2008 7:52:04 AM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 1/18/2008 5:57:48 PM | Attr =    ]
twain_32 -> %SystemRoot%\twain_32 ->  [Folder | Modified Date = 12/22/2007 6:44:12 PM | Attr =    ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 734 bytes | Modified Date = 1/17/2008 8:36:28 PM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 12/20/2007 8:56:04 PM | Attr =    ]
_delis43.ini -> %SystemRoot%\_delis43.ini ->  [Ver =  | Size = 290 bytes | Modified Date = 1/14/2008 10:24:02 PM | Attr =    ]
MP Scheduled Scan.job -> %SystemRoot%\tasks\MP Scheduled Scan.job ->  [Ver =  | Size = 330 bytes | Modified Date = 1/18/2008 7:52:04 AM | Attr =  H ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 1/18/2008 7:48:58 AM | Attr =  H ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Modified Date = 12/4/2007 8:04:28 AM | Attr =    ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 95608 bytes | Modified Date = 12/4/2007 7:54:04 AM | Attr =    ]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 1/4/2008 2:09:02 PM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 1/16/2008 2:54:00 PM | Attr =    ]
config -> %System32%\config ->  [Folder | Modified Date = 1/3/2008 10:25:32 PM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 1/16/2008 5:19:10 PM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 1/9/2008 1:29:54 AM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 1/18/2008 7:49:12 AM | Attr =    ]
FileupCtl.ocx -> %System32%\FileupCtl.ocx -> Hyegi [Ver = 1.00.0014 | Size = 49152 bytes | Modified Date = 1/10/2008 3:13:52 PM | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 462024 bytes | Modified Date = 12/7/2007 11:57:00 AM | Attr =    ]

Offline jbalcorn

« Reply #92 on: January 17, 2008, 10:59:36 PM »
FPSPR70.ocx -> %System32%\FPSPR70.ocx -> FarPoint Technologies, Inc. [Ver = 7.0.15 | Size = 1909936 bytes | Modified Date = 1/10/2008 3:13:30 PM | Attr =    ]
GSBN.ocx -> %System32%\GSBN.ocx -> ??SDS [Ver = 1.01.0151 | Size = 241664 bytes | Modified Date = 1/10/2008 3:13:48 PM | Attr =    ]
nvapps.xml -> %System32%\nvapps.xml ->  [Ver =  | Size = 30277 bytes | Modified Date = 1/18/2008 7:49:00 AM | Attr =    ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 53608 bytes | Modified Date = 1/17/2008 6:01:32 PM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 383254 bytes | Modified Date = 1/17/2008 6:01:32 PM | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 443380 bytes | Modified Date = 1/17/2008 6:01:32 PM | Attr =    ]
quartz.dll -> %System32%\quartz.dll ->  [Ver =  | Size = 1287680 bytes | Modified Date = 10/29/2007 5:35:14 PM | Attr =    ]
ReinstallBackups -> %System32%\ReinstallBackups ->  [Folder | Modified Date = 12/12/2007 5:16:32 PM | Attr =    ]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 1/16/2008 5:38:20 PM | Attr =    ]
wbem -> %System32%\wbem ->  [Folder | Modified Date = 1/3/2008 10:25:18 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 1170 bytes | Modified Date = 1/18/2008 7:49:30 AM | Attr =    ]
quartz.dll -> %System32%\dllcache\quartz.dll ->  [Ver =  | Size = 1287680 bytes | Modified Date = 10/29/2007 5:35:14 PM | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Modified Date = 12/4/2007 9:49:02 AM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 93264 bytes | Modified Date = 12/4/2007 9:56:02 AM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 94544 bytes | Modified Date = 12/4/2007 9:55:46 AM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Modified Date = 12/4/2007 9:53:40 AM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Modified Date = 12/4/2007 9:51:52 AM | Attr =    ]
ikfilesec.sys -> %System32%\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1038 built by: WinDDK | Size = 41864 bytes | Modified Date = 12/10/2007 2:53:28 PM | Attr =    ]
iksysflt.sys -> %System32%\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Modified Date = 12/10/2007 2:53:28 PM | Attr =    ]
iksyssec.sys -> %System32%\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1031 | Size = 81288 bytes | Modified Date = 12/10/2007 2:53:28 PM | Attr =    ]
kcom.sys -> %System32%\drivers\kcom.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1008 | Size = 29576 bytes | Modified Date = 12/10/2007 2:53:30 PM | Attr =    ]
secdrv.sys -> %System32%\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 11/13/2007 5:25:54 AM | Attr =    ]
TfKbMon.sys -> %System32%\drivers\TfKbMon.sys -> PC Tools [Ver = 3.7.9.20 | Size = 12608 bytes | Modified Date = 11/12/2007 5:03:14 PM | Attr =    ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1052 | Size = 102800 bytes | Modified Date = 1/17/2008 6:22:30 PM | Attr =    ]
hosts.ics -> %System32%\drivers\etc\hosts.ics ->  [Ver =  | Size = 432 bytes | Modified Date = 1/4/2008 2:09:04 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
WSUD ,  -> %SystemDrive%\Alcorn Property Services.office.QBW ->  [Ver =  | Size = 15159296 bytes | Modified Date = 12/28/2007 4:49:04 PM | Attr = R  ]
UPX! , UPX0 ,  -> %SystemRoot%\unwash.exe ->  [Ver =  | Size = 43008 bytes | Modified Date = 8/15/2002 3:07:02 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Modified Date = 12/4/2007 8:04:28 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/10/2004 2:00:00 PM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/10/2004 2:00:00 PM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/10/2004 2:00:00 PM | Attr =    ]

< End of report >

Offline jbalcorn

« Reply #93 on: January 17, 2008, 11:00:35 PM »
I'll check back after a while. Thanks so much! :D

Offline oldman

« Reply #94 on: January 17, 2008, 11:39:51 PM »
Hi, it's going to take a while to read this log, uuh, work again seems to interfere.


In the meantime, please use the search function in Windows Explorer to find all copies of this file:

NDIS.SYS

You will have to set your folder options like this:

At the top of Windows Explorer, click Tools, Folder Options, then click the View tab:

 check "Show hidden files and folders"
 uncheck the "Hide extensions for known file types" box
 uncheck the "Hide protected operating system files" box

Set the search area to c:\


Make a note of each one's path, then submit them to www.virustotal.com and wait for the results.

Let me know the results of each, no matter what it is. The results could range from nothing detected to 0 bytes received to infected with whatever.

There will probably be 3-4 instances of the file, make sure to test them all. Please let me know how many you found and their locations.

Thanks

Offline oldman

« Reply #95 on: January 18, 2008, 06:04:11 AM »
Hi,  jbalcorn

I'm having trouble reading that log on this small screen, I'll be on my own computer in a couple of hours.

I did some searching around and found the most common cause of the detection you are having is an infected C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS file.

That's why I asked you to find the files, we have to confirm that there is in fact an infection there and that there is a clean copy to replace it with.

Offline oldman

« Reply #96 on: January 18, 2008, 08:03:12 AM »
Nothing of much interest in the WPF3 log. Let's proceed with the above.

Offline jbalcorn

« Reply #97 on: January 18, 2008, 03:01:42 PM »
When I did the search it only found one, but when I browsed to the file to upload it I found another one and sent it. The file name was ndis(2).sys, and this is what it said when I uploaded it:
File has already been analysed:
MD5: 558635d3af1c7546d26067d5d9b6959e
Date: 01.13.2008 19:31:41 (CET) [>4D]
Results: 0/32
Permalink: analisis/aca45600ddc84f99502aa344d080a3f7
I sent it again with the reanalyze button and here is what it said.
File ndis_2_.sys received on 01.18.2008 16:50:10 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.18.11 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.18 -
AVG 7.5.0.516 2008.01.18 -
BitDefender 7.2 2008.01.18 -
CAT-QuickHeal 9.00 2008.01.18 -
ClamAV 0.91.2 2008.01.18 -
DrWeb 4.44.0.09170 2008.01.18 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5468 2008.01.18 -
Ewido 4.0 2008.01.18 -
FileAdvisor 1 2008.01.18 -
Fortinet 3.14.0.0 2008.01.18 -
F-Prot 4.4.2.54 2008.01.17 -
F-Secure 6.70.13260.0 2008.01.18 -
Ikarus T3.1.1.20 2008.01.18 -
Kaspersky 7.0.0.125 2008.01.18 -
McAfee 5210 2008.01.17 -
Microsoft 1.3109 2008.01.18 -
NOD32v2 2805 2008.01.18 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.18 -
Prevx1 V2 2008.01.18 -
Rising 20.27.42.00 2008.01.18 -
Sophos 4.24.0 2008.01.18 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.18 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.18 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 182912 bytes
MD5: 558635d3af1c7546d26067d5d9b6959e
SHA1: de08d6d587fe19ce3c61a1cf3773158df212dbe8
PEiD: -


I found another one that was just ndis.sys but when I tried to upload it this is what came up.
0 bytes size received / Se ha recibido un archivo vacio

Offline oldman

« Reply #98 on: January 18, 2008, 03:07:32 PM »
This was the system32 folder that you found them in?

I'd suggest that the 0 bytes one is infected and that the ndis_2_.sys is clean. Let me see if I can find out if they are the same file. If they are, then it should just be a matter of renaming.

Offline jbalcorn

« Reply #99 on: January 18, 2008, 03:11:40 PM »
Yes it was the system 32 folder.
When I click on the properties tab of the two files, the ndis.sys says its size is 274 KB
and the ndis_2_.sys says it is 178 KB.
« Last Edit: January 18, 2008, 03:15:50 PM by jbalcorn »

Offline oldman

« Reply #100 on: January 18, 2008, 03:29:48 PM »
These are the usual locations for this file; these are backup locations:

C:/I386
C:/Windows/ServicePackFiles/i386
C:/Windows/$NtServicePackUninstall$
C:/Windows/$NtUninstallKB826942$


The file should run from Location: C:/WINDOWS/SYSTEM32/DRIVERS

The MD5 for the clean file is the same as the one you tested clean (ndis_2_.sys).

Please check the other locations for the file in a renamed form, including the C:/WINDOWS/SYSTEM32/DRIVERS location.
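One way to do this comparison systematically, added here as an example and not code from the thread: it hashes every copy found at the locations listed above, compares size and MD5 against the copy that scanned clean, and flags a copy that cannot be read or reads as 0 bytes (the symptom seen on upload earlier in the thread) as well as compressed .SY_ installer backups, which will not hash the same until expanded. The demo runs over constructed files in a temporary directory; the paths, constants and function names are assumptions for the illustration.

```python
"""Triage helper for multiple copies of a Windows driver file (here ndis.sys).

Added example, not code from the thread. It walks candidate locations, hashes
every copy it can read, and flags the cases that came up in the thread: a copy
that cannot be read or reads as 0 bytes, a copy whose size or MD5 differs from
the reference, and compressed installer backups (*.SY_) whose hash is not
expected to match the expanded driver.
"""
import hashlib
import os
import tempfile

# MD5 and size reported in the thread for the copy that scanned clean (ndis_2_.sys).
KNOWN_CLEAN_MD5 = "558635d3af1c7546d26067d5d9b6959e"
KNOWN_CLEAN_SIZE = 182912  # bytes, from the same VirusTotal report

# Candidate locations from the thread; the DRIVERS copy is the one that runs.
DEFAULT_LOCATIONS = [
    r"C:\WINDOWS\system32\drivers\ndis.sys",
    r"C:\I386\NDIS.SY_",
    r"C:\WINDOWS\ServicePackFiles\i386\ndis.sys",
    r"C:\WINDOWS\$NtServicePackUninstall$\ndis.sys",
    r"C:\WINDOWS\$NtUninstallKB826942$\ndis.sys",
]


def hash_file(path, chunk=65536):
    """Return (size, md5, sha1) for a file, streaming so large drivers are fine."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            size += len(block)
            md5.update(block)
            sha1.update(block)
    return size, md5.hexdigest(), sha1.hexdigest()


def classify(path, reference_md5, reference_size):
    """Classify one candidate copy against the known-clean reference."""
    result = {"path": path, "size": None, "md5": None, "sha1": None}
    if not os.path.exists(path):
        result["verdict"] = "missing"
        return result
    try:
        size, md5, sha1 = hash_file(path)
    except OSError as exc:
        # A copy that Explorer lists but that no user-mode read can open is
        # the one to worry about (the "0 bytes received" symptom in the thread).
        result["verdict"] = "unreadable: %s" % (exc.strerror or exc)
        return result
    result.update(size=size, md5=md5, sha1=sha1)
    if size == 0:
        result["verdict"] = "unreadable: read returned 0 bytes"
    elif path.upper().endswith(".SY_"):
        # I386 backups are cabinet-compressed; expand them before comparing hashes.
        result["verdict"] = "compressed backup (expand before comparing)"
    elif md5 == reference_md5:
        result["verdict"] = "matches reference"
    elif size != reference_size:
        result["verdict"] = "size mismatch (%d vs %d bytes)" % (size, reference_size)
    else:
        result["verdict"] = "hash mismatch at same size"
    return result


def triage(paths, reference_md5=KNOWN_CLEAN_MD5, reference_size=KNOWN_CLEAN_SIZE):
    """Classify every candidate path; returns one dict per path."""
    return [classify(p, reference_md5, reference_size) for p in paths]


def demo():
    """Run the triage over constructed files in a temp dir (no real system needed)."""
    root = tempfile.mkdtemp()
    clean = b"\x4d\x5a" + b"NDIS-clean" * 1000   # constructed stand-in for the good driver
    bigger = clean + b"\x00" * 1024               # same prefix, larger: the 274 KB-style copy
    files = {
        "ndis_2_.sys": clean,
        "ndis.sys": bigger,
        "NDIS.SY_": b"MSCF-compressed-stand-in",  # constructed stand-in for the I386 backup
        "empty.sys": b"",                          # a copy that reads back as 0 bytes
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    # The reference comes from the constructed clean copy, not the thread's MD5.
    ref_size, ref_md5, _ = hash_file(os.path.join(root, "ndis_2_.sys"))
    paths = [os.path.join(root, n) for n in files] + [os.path.join(root, "nope.sys")]
    return {os.path.basename(r["path"]): r["verdict"] for r in triage(paths, ref_md5, ref_size)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-12s %s" % (name, verdict))
```

On a real system, call triage(DEFAULT_LOCATIONS) and compare against the MD5 of the copy that scanned clean; a copy that shows a size in Explorer but comes back unreadable or 0 bytes is the one to treat as suspect.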

Offline jbalcorn

« Reply #101 on: January 18, 2008, 04:09:27 PM »
I found this file in the I386 folder.
For the other ones you mentioned, I did a search but it didn't come up with anything in any of these:
C:/Windows/ServicePackFiles/i386
C:/Windows/$NtServicePackUninstall$
C:/Windows/$NtUninstallKB826942$

File NDIS.SY_ received on 01.18.2008 17:48:42 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.18.11 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.18 -
AVG 7.5.0.516 2008.01.18 -
BitDefender 7.2 2008.01.18 -
CAT-QuickHeal 9.00 2008.01.18 -
ClamAV 0.91.2 2008.01.18 -
DrWeb 4.44.0.09170 2008.01.18 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5468 2008.01.18 -
Ewido 4.0 2008.01.18 -
FileAdvisor 1 2008.01.18 -
Fortinet 3.14.0.0 2008.01.18 -
F-Prot 4.4.2.54 2008.01.17 -
F-Secure 6.70.13260.0 2008.01.18 -
Ikarus T3.1.1.20 2008.01.18 -
Kaspersky 7.0.0.125 2008.01.18 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.18 -
NOD32v2 2806 2008.01.18 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.18 -
Prevx1 V2 2008.01.18 -
Rising 20.27.42.00 2008.01.18 -
Sophos 4.24.0 2008.01.18 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.18 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.18 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 90321 bytes
MD5: 6c301b042682240589d9dfcb0f07d444
SHA1: c2c8a928a5d9d10b157f9ceb19753ab61e3bdbcd
PEiD: -

Offline oldman

« Reply #102 on: January 18, 2008, 04:16:43 PM »
Did you find one, even a renamed copy, in C:/WINDOWS/SYSTEM32/DRIVERS?

Gotta go to the dentist right now, but will be back soon with a plan.  ;D

Offline jbalcorn

« Reply #103 on: January 18, 2008, 04:24:51 PM »
I don't know if this is one of these files, but it was similar so I tested it and here are the results. I have a few more to check.
File NDISNPP.DL_ received on 01.18.2008 18:12:35 (CET)
Result: 0/31 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.18.11 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.18 -
AVG 7.5.0.516 2008.01.18 -
BitDefender 7.2 2008.01.18 -
CAT-QuickHeal 9.00 2008.01.18 -
ClamAV 0.91.2 2008.01.18 -
DrWeb 4.44.0.09170 2008.01.18 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5468 2008.01.18 -
Ewido 4.0 2008.01.18 -
FileAdvisor 1 2008.01.18 -
Fortinet 3.14.0.0 2008.01.18 -
F-Prot 4.4.2.54 2008.01.17 -
F-Secure 6.70.13260.0 2008.01.18 -
Ikarus T3.1.1.20 2008.01.18 -
Kaspersky 7.0.0.125 2008.01.18 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.18 -
NOD32v2 2806 2008.01.18 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.18 -
Rising 20.27.42.00 2008.01.18 -
Sophos 4.24.0 2008.01.18 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.18 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.18 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 27704 bytes
MD5: 9b9d5bb34b220157d10dcd722d7f7d43
SHA1: 117e1405eb6b8f7a04162997cf1d0786f1c40389
PEiD: -

Offline jbalcorn

« Reply #104 on: January 18, 2008, 04:28:57 PM »
File NDISNPP.DL_ received on 01.18.2008 18:25:17 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.1.18.11 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.18 -
AVG 7.5.0.516 2008.01.18 -
BitDefender 7.2 2008.01.18 -
CAT-QuickHeal 9.00 2008.01.18 -
ClamAV 0.91.2 2008.01.18 -
DrWeb 4.44.0.09170 2008.01.18 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5468 2008.01.18 -
Ewido 4.0 2008.01.18 -
FileAdvisor 1 2008.01.18 -
Fortinet 3.14.0.0 2008.01.18 -
F-Prot 4.4.2.54 2008.01.17 -
F-Secure 6.70.13260.0 2008.01.18 -
Ikarus T3.1.1.20 2008.01.18 -
Kaspersky 7.0.0.125 2008.01.18 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.18 -
NOD32v2 2806 2008.01.18 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.18 -
Prevx1 V2 2008.01.18 -
Rising 20.27.42.00 2008.01.18 -
Sophos 4.24.0 2008.01.18 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.18 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.18 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 27704 bytes
MD5: 9b9d5bb34b220157d10dcd722d7f7d43
SHA1: 117e1405eb6b8f7a04162997cf1d0786f1c40389
PEiD: -

 
