Author Topic: malware: help! i've tried many things!  (Read 47255 times)


crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #45 on: October 09, 2007, 06:40:18 AM »
Thank you VERY MUCH for your help today.  I am extremely grateful.

Have a good night!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: malware: help! i've tried many things!
« Reply #46 on: October 09, 2007, 10:02:45 AM »
Well there is a tool to make it easier.

Anything you can share with the rest of us so we can use it to help others?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

mauserme

  • Guest
Re: malware: help! i've tried many things!
« Reply #47 on: October 09, 2007, 07:30:24 PM »
Sorry Frank.  I do share what I can but I was given this one with the understanding that I would not re-distribute it.  If it's any consolation, all it does is parse the text to make it more readable and, optionally, filter it through a white list.


Crafty-kd - let's go back to basics on this.

Open the Control Panel and double click Folder Options.  When that opens click the View tab.  Under Hidden Files and folders make sure “Show Hidden Files and Folders” is checked.  Below that make sure “Hide Extensions for Known File Type” and “Hide Protected Operating System Files” are both unchecked.

Now boot into safe mode, navigate to these files, and rename them as indicated:

c:\windows\system32\rqtss.ini  rename to rqtss.old
c:\windows\system32\rqtss.ini2  rename to rqtss.old2
c:\windows\system32\sstqr.dll  rename to sstqr.old


Boot back to normal mode and open WinPFind3u.  Change the section labeled “Files/Folders Created Within” to 90 days and the section labeled “Files Folders Modified Within” to 90 days.  Then run the scan and post the new log.
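As an added example (not mauserme's unreleased tool and not code from anyone in this thread), here is a small Python script that does the two things that post describes: it parses WinPFind3u-style log lines into fields and filters them against a publisher white list. It assumes the line layout seen in crafty_kd's posted log (name -> path -> publisher [Ver | Size | Date | Attr], or "File not found"), a constructed white list of three publishers, the log's own timestamp, and four sample lines copied from the posted log. The flagging rules (no publisher string, no version information, a file dated within the last week, hidden+system attributes, orphaned registry entries) are my own triage heuristics, not WinPFind3u's.

```python
"""Triage WinPFind3u-style log lines against a publisher white list (added example).

Assumed line layout, taken from the log posted in this thread:
  <name> -> <path> [optional note] -> <publisher> [Ver = .. | Size = N bytes | Modified|Created Date = .. | Attr = ..]
  <name> -> <path> [optional note] -> File not found
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

DETAIL_RE = re.compile(
    r"\[Ver = (?P<ver>[^|]*?)\s*\| Size = (?P<size>\d+) bytes \| "
    r"(?P<kind>Modified|Created) Date = (?P<date>[^|]+?)\s*\| Attr = (?P<attr>[^\]]*)\]"
)
# Trailing bracketed note after the path, e.g. "[Reg Data - Value does not exist]".
TRAILING_NOTE_RE = re.compile(r"\s*\[[^\]]*\]$")


@dataclass
class Entry:
    name: str
    path: str
    vendor: str = ""
    version: str = ""
    size: Optional[int] = None
    date: Optional[datetime] = None
    attrs: str = ""
    missing: bool = False


def parse_date(text: str) -> datetime:
    # The posted log writes dates as dd/mm/yyyy h:mm:ss AM/PM.
    return datetime.strptime(text.strip(), "%d/%m/%Y %I:%M:%S %p")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a 'name -> path -> details' line, or None for anything else."""
    parts = line.rstrip().split(" -> ")
    if len(parts) < 3:
        return None  # section headers, registry value dumps, blank lines
    entry = Entry(name=parts[0].strip(), path=TRAILING_NOTE_RE.sub("", parts[1].strip()))
    rest = " -> ".join(parts[2:]).strip()
    if rest.startswith("File not found"):
        entry.missing = True
        return entry
    entry.vendor = rest.split("[", 1)[0].strip()  # publisher text precedes the [Ver ...] block
    m = DETAIL_RE.search(rest)
    if m:
        entry.version = m.group("ver").strip()
        entry.size = int(m.group("size"))
        entry.date = parse_date(m.group("date"))
        entry.attrs = m.group("attr").strip()
    return entry


def triage(entry: Entry, whitelist: Set[str], log_time: datetime, recent_days: int = 7) -> List[str]:
    """Heuristic reasons an entry deserves a closer look (constructed rules, not WinPFind3u's)."""
    if entry.missing:
        return ["registered path no longer exists (orphaned entry)"]
    reasons = []
    if not entry.vendor:
        reasons.append("no publisher string")
    elif entry.vendor not in whitelist:
        reasons.append("publisher not on white list: " + entry.vendor)
    if entry.size is not None and not entry.version:
        reasons.append("no version information")
    if entry.date is not None and log_time - entry.date <= timedelta(days=recent_days):
        reasons.append("created/modified within the last %d days" % recent_days)
    if "H" in entry.attrs and "S" in entry.attrs:
        reasons.append("hidden + system attributes set")
    return reasons


def triage_log(lines, whitelist: Set[str], log_time: datetime, recent_days: int = 7) -> List[Tuple[Entry, List[str]]]:
    """Parse every line and keep only the entries that trip at least one rule."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry, whitelist, log_time, recent_days)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


# Sample input: four lines copied from the log posted in this thread, plus a constructed
# white list and the log's own timestamp.
SAMPLE_LINES = [
    r"ashdisp.exe -> %ProgramFiles%\VirusCrap\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 3:06:10 AM | Attr =    ]",
    r"{9F4FC606-FAF4-455E-BD89-25E4BD8129F4} [HKLM] -> %System32%\sstqr.dll [Reg Data - Value does not exist] ->  [Ver =  | Size = 325728 bytes | Modified Date = 06/10/2007 4:29:50 PM | Attr =    ]",
    r"rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 8006 bytes | Created Date = 09/10/2007 12:46:46 PM | Attr =  HS]",
    r"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> File not found",
]
WHITELIST = {"ALWIL Software", "Intel Corporation", "Microsoft Corporation"}
LOG_TIME = parse_date("09/10/2007 1:57:40 PM")


def flagged_names(lines=SAMPLE_LINES) -> List[str]:
    """Names of the sample entries that the rules flag; the white-listed Avast line drops out."""
    return [entry.name for entry, _ in triage_log(lines, WHITELIST, LOG_TIME)]
```

Run it on a saved log with `triage_log(open("WinPFind.txt").read().splitlines(), WHITELIST, LOG_TIME)` and print each entry with its reasons; on the sample the Avast tray process is filtered out, while the unsigned, versionless, freshly modified sstqr.dll BHO, the hidden+system rqtss.ini and the orphaned Acrobat BHO are the three that remain. The white list is deliberately a set of publisher strings rather than paths, because a publisher string is what the log carries for every binary, and a blank publisher on a file in System32 is exactly the pattern this thread's helpers were chasing.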


crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #48 on: October 09, 2007, 10:53:41 PM »
Okay, I renamed rqtss.ini and rqtss.ini2.  What about rqtss.bak2 and an rqtsstmp.ini?  I renamed those too.  Just in case.

sstqr.dll is being used and won't let me rename it, even in safe mode.

I'm now in safe mode with networking, and rqtss.ini has reappeared, so I've renamed it again and I'm about to reboot and do the WinPFind3u scan again.
« Last Edit: October 09, 2007, 11:17:42 PM by crafty_kd »

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #49 on: October 09, 2007, 11:13:00 PM »
WinPFind3u log:

WinPFind3 logfile created on: 09/10/2007 1:57:40 PM
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\Kimberley\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)
 
1015.37 Mb Total Physical Memory | 640.92 Mb Available Physical Memory | 63.12% Memory free
2.39 Gb Paging File | 2.08 Gb Available in Paging File | 87.24% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.09 Gb Total Space | 23.78 Gb Free Space | 26.39% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: MAGNETAR
Current User Name: Kimberley
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
1xconfig.exe -> %ProgramFiles%\Intel\Wireless\Bin\1XConfig.exe -> Intel [Ver = 9, 0, 1, 33 | Size = 245760 bytes | Modified Date = 07/09/2004 3:03:40 PM | Attr =    ]
a2service.exe -> %ProgramFiles%\VirusCrap\a-squared Free\a2service.exe -> Emsi Software GmbH [Ver = 3.0.0.345 | Size = 217208 bytes | Modified Date = 31/08/2007 8:24:24 PM | Attr =    ]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr =    ]
apntex.exe -> %ProgramFiles%\Apoint\ApntEx.exe -> Alps Electric Co., Ltd. [Ver = 5.5.1.19 | Size = 45056 bytes | Modified Date = 19/08/2004 1:40:08 PM | Attr =    ]
apoint.exe -> %ProgramFiles%\Apoint\Apoint.exe -> Alps Electric Co., Ltd. [Ver = 5.5.101.141 | Size = 155648 bytes | Modified Date = 13/09/2004 3:33:20 PM | Attr =    ]
ashdisp.exe -> %ProgramFiles%\VirusCrap\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 3:06:10 AM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\VirusCrap\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 3:05:42 AM | Attr =    ]
ashserv.exe -> %ProgramFiles%\VirusCrap\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 3:06:04 AM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\VirusCrap\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 3:04:44 AM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\VirusCrap\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 2:54:58 AM | Attr =    ]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 29/10/2003 2:06:00 AM | Attr =    ]
dvdlauncher.exe -> %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe -> CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 23/02/2005 3:19:56 PM | Attr =    ]
evteng.exe -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 9, 0, 1, 12 | Size = 86016 bytes | Modified Date = 07/09/2004 3:02:40 PM | Attr =    ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4363 | Size = 77824 bytes | Modified Date = 19/07/2005 10:06:12 PM | Attr =    ]
ifrmewrk.exe -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 9, 0, 1, 19 | Size = 385024 bytes | Modified Date = 30/10/2004 1:59:54 PM | Attr =    ]
igfxpers.exe -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4363 | Size = 114688 bytes | Modified Date = 19/07/2005 10:10:06 PM | Attr =    ]
igfxsrvc.exe -> %System32%\igfxsrvc.exe -> Intel Corporation [Ver = 3.0.0.4363 | Size = 159744 bytes | Modified Date = 19/07/2005 10:06:04 PM | Attr =    ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 14/03/2007 7:05:42 PM | Attr =    ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 81920 bytes | Modified Date = 27/07/2004 3:50:18 PM | Attr =    ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.1.1.5 | Size = 257088 bytes | Modified Date = 14/03/2007 7:05:48 PM | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 25/09/2007 1:11:36 AM | Attr =    ]
nicconfigsvc.exe -> %ProgramFiles%\Dell\NICCONFIGSVC\NICCONFIGSVC.exe -> Dell Inc. [Ver = 1, 0, 0, 1 | Size = 356352 bytes | Modified Date = 09/06/2005 7:53:18 AM | Attr =    ]
pcmservice.exe -> %ProgramFiles%\Dell\Media Experience\PCMService.exe -> CyberLink Corp. [Ver = 1.0.1611  | Size = 290816 bytes | Modified Date = 11/04/2004 7:15:14 PM | Attr =    ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 16/02/2007 10:54:04 AM | Attr =    ]
quickset.exe -> %ProgramFiles%\Dell\QuickSet\quickset.exe ->  [Ver = 0, 5, 5, 0 | Size = 684032 bytes | Modified Date = 01/09/2005 4:24:08 PM | Attr =    ]
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 10:05:26 PM | Attr =    ]
realplay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 30/12/2005 9:29:02 PM | Attr =    ]
regsrvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 9, 0, 1, 10 | Size = 139264 bytes | Modified Date = 07/09/2004 3:02:04 PM | Attr =    ]
s24evmon.exe -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation  [Ver = 9, 0, 1, 41 | Size = 360521 bytes | Modified Date = 07/09/2004 3:05:10 PM | Attr =    ]
tosbtmng1.exe -> %ProgramFiles%\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ->  [Ver =  | Size = 45056 bytes | Modified Date = 22/12/2004 12:42:22 PM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 04/09/2007 10:47:26 AM | Attr =    ]
wlkeeper.exe -> %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe -> Intel® Corporation [Ver = 9, 0, 1, 14 | Size = 225353 bytes | Modified Date = 07/09/2004 3:12:32 PM | Attr =    ]
zcfgsvc.exe -> %ProgramFiles%\Intel\Wireless\Bin\ZCfgSvc.exe -> Intel Corporation [Ver = 9, 0, 1, 45 | Size = 389120 bytes | Modified Date = 07/09/2004 3:08:02 PM | Attr =    ]

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #50 on: October 09, 2007, 11:13:28 PM »
[Win32 Services - Non-Microsoft Only]
(a2free) a-squared Free Service [Win32_Own | Auto | Running] -> %ProgramFiles%\VirusCrap\a-squared Free\a2service.exe -> Emsi Software GmbH [Ver = 3.0.0.345 | Size = 217208 bytes | Modified Date = 31/08/2007 8:24:24 PM | Attr =    ]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 25/09/2007 9:00:46 AM | Attr =    ]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> Adobe Systems [Ver = 2.67.010 | Size = 72704 bytes | Modified Date = 02/04/2006 3:10:34 PM | Attr =    ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\VirusCrap\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 06/09/2007 2:54:58 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\VirusCrap\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 06/09/2007 3:06:04 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\VirusCrap\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 06/09/2007 3:05:42 AM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\VirusCrap\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 06/09/2007 3:04:44 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 4:00:00 AM | Attr =    ]
(EvtEng) EvtEng [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\EvtEng.exe -> Intel Corporation [Ver = 9, 0, 1, 12 | Size = 86016 bytes | Modified Date = 07/09/2004 3:02:40 PM | Attr =    ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 04/04/2005 1:41:10 AM | Attr =    ]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] ->  -> File not found
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Inc. [Ver = 7.1.1.5 | Size = 500800 bytes | Modified Date = 14/03/2007 7:05:42 PM | Attr =    ]
(NICCONFIGSVC) NICCONFIGSVC [Win32_Own | Auto | Running] -> %ProgramFiles%\Dell\NICCONFIGSVC\NICCONFIGSVC.exe -> Dell Inc. [Ver = 1, 0, 0, 1 | Size = 356352 bytes | Modified Date = 09/06/2005 7:53:18 AM | Attr =    ]
(RegSrvc) RegSrvc [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\RegSrvc.exe -> Intel Corporation [Ver = 9, 0, 1, 10 | Size = 139264 bytes | Modified Date = 07/09/2004 3:02:04 PM | Attr =    ]
(S24EventMonitor) Spectrum24 Event Monitor [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\S24EvMon.exe -> Intel Corporation  [Ver = 9, 0, 1, 41 | Size = 360521 bytes | Modified Date = 07/09/2004 3:05:10 PM | Attr =    ]
(WLANKEEPER) WLANKEEPER [Win32_Own | Auto | Running] -> %ProgramFiles%\Intel\Wireless\Bin\WLKEEPER.exe -> Intel® Corporation [Ver = 9, 0, 1, 14 | Size = 225353 bytes | Modified Date = 07/09/2004 3:12:32 PM | Attr =    ]

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #51 on: October 09, 2007, 11:14:06 PM »
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Apoint -> %ProgramFiles%\Apoint\Apoint.exe -> Alps Electric Co., Ltd. [Ver = 5.5.101.141 | Size = 155648 bytes | Modified Date = 13/09/2004 3:33:20 PM | Attr =    ]
avast! -> %ProgramFiles%\VirusCrap\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 06/09/2007 3:06:10 AM | Attr =    ]
Dell QuickSet -> %ProgramFiles%\Dell\QuickSet\quickset.exe ->  [Ver = 0, 5, 5, 0 | Size = 684032 bytes | Modified Date = 01/09/2005 4:24:08 PM | Attr =    ]
DVDLauncher -> %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe -> CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 23/02/2005 3:19:56 PM | Attr =    ]
igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4363 | Size = 77824 bytes | Modified Date = 19/07/2005 10:06:12 PM | Attr =    ]
igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4363 | Size = 114688 bytes | Modified Date = 19/07/2005 10:10:06 PM | Attr =    ]
igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4363 | Size = 94208 bytes | Modified Date = 19/07/2005 10:09:26 PM | Attr =    ]
IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\iFrmewrk.exe -> Intel Corporation [Ver = 9, 0, 1, 19 | Size = 385024 bytes | Modified Date = 30/10/2004 1:59:54 PM | Attr =    ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 221184 bytes | Modified Date = 27/07/2004 3:50:42 PM | Attr =    ]
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 81920 bytes | Modified Date = 27/07/2004 3:50:18 PM | Attr =    ]
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Inc. [Ver = 7.1.1.5 | Size = 257088 bytes | Modified Date = 14/03/2007 7:05:48 PM | Attr =    ]
MSKDetectorExe -> %ProgramFiles%\McAfee\SpamKiller\MSKDetct.exe -> McAfee, Inc. [Ver = 7.0.1.6 | Size = 1121792 bytes | Modified Date = 12/08/2005 5:16:44 PM | Attr =    ]
NeroCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 12:50:42 PM | Attr =    ]
PCMService -> %ProgramFiles%\Dell\Media Experience\PCMService.exe -> CyberLink Corp. [Ver = 1.0.1611  | Size = 290816 bytes | Modified Date = 11/04/2004 7:15:14 PM | Attr =    ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5 | Size = 282624 bytes | Modified Date = 16/02/2007 10:54:04 AM | Attr =    ]
RealTray -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 30/12/2005 9:29:02 PM | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 25/09/2007 1:11:36 AM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
SUPERAntiSpyware -> %ProgramFiles%\VirusCrap\SuperAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 21/06/2007 2:06:28 PM | Attr =    ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Gamma.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 16/03/2005 8:16:50 PM | Attr =    ]
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 10:05:26 PM | Attr =    ]
%AllUsersStartup%\Bluetooth Manager.lnk -> %ProgramFiles%\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ->  [Ver =  | Size = 45056 bytes | Modified Date = 22/12/2004 12:42:22 PM | Attr =    ]
%AllUsersStartup%\Digital Line Detect.lnk -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 29/10/2003 2:06:00 AM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\VirusCrap\SuperAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 20/12/2006 1:55:48 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\VirusCrap\SuperAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 19/04/2007 1:41:36 PM | Attr =    ]
igfxcui -> %System32%\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4363 | Size = 135168 bytes | Modified Date = 19/07/2005 10:05:16 PM | Attr =    ]
IntelWireless -> %ProgramFiles%\Intel\Wireless\Bin\LgNotify.dll -> Intel Corporation [Ver = 9, 0, 1, 0 | Size = 110592 bytes | Modified Date = 07/09/2004 3:08:06 PM | Attr =    ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #52 on: October 09, 2007, 11:14:33 PM »
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.globeandmail.com/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> File not found
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 31/05/2005 2:04:00 AM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 25/09/2007 1:11:34 AM | Attr =    ]
{7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{9F4FC606-FAF4-455E-BD89-25E4BD8129F4} [HKLM] -> %System32%\sstqr.dll [Reg Data - Value does not exist] ->  [Ver =  | Size = 325728 bytes | Modified Date = 06/10/2007 4:29:50 PM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> Reg Data - Key not found [MenuText: Sun Java Console] -> File not found
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.3861 | Size = 67160 bytes | Modified Date = 05/08/2005 3:08:26 PM | Attr =    ]
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel ->  -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{71B36D95-4FB0-4D5F-BBE3-714F9CF67B4F} ->    (Intel(R) PRO/Wireless 2915ABG Network Connection) ->
{932326F7-8F71-45F0-AF82-8A7F3E47BF6D} ->    (1394 Net Adapter) ->
{D72795FF-6CCF-4907-B6CA-431643361D19} ->    (Broadcom 440x 10/100 Integrated Controller) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{14B87622-7E19-4EA8-93B3-97215F77A6BC} -> MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab ->
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ->  - CodeBase = http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab ->
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} -> MSN Photo Upload Tool - CodeBase = http://by137fd.bay137.hotmail.msn.com/resources/MsnPUpld.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -> MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab ->
{B8BE5E93-A60C-4D26-A2DC-220313175592} -> ZoneIntro Class - CodeBase = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab ->
{C3F79A2B-B9B4-4A66-B012-3EE46475B072} -> MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -> Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab ->

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #53 on: October 09, 2007, 11:15:01 PM »
[Files/Folders - Created Within 90 days]
6c5d95b0f7a967861ce081828f -> %SystemDrive%\6c5d95b0f7a967861ce081828f ->  [Folder | Created Date = 08/10/2007 4:30:08 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1064763392 bytes | Created Date = 01/01/1601 8:00:00 AM | Attr =  HS]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Created Date = 08/10/2007 3:10:54 PM | Attr =    ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 07/10/2007 10:35:49 PM | Attr =  H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 11:11:13 AM | Attr =  H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 3:24:38 PM | Attr =  H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 3:36:44 PM | Attr =  H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 5:51:31 PM | Attr =  H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 7:55:34 PM | Attr =  H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 7:58:21 PM | Attr =  H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 9:22:36 PM | Attr =  H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm ->  [Ver =  | Size = 268 bytes | Created Date = 08/10/2007 10:20:48 PM | Attr =  H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 07/10/2007 10:35:49 PM | Attr =  H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 11:11:13 AM | Attr =  H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 3:24:37 PM | Attr =  H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 3:36:43 PM | Attr =  H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 5:51:31 PM | Attr =  H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 7:55:34 PM | Attr =  H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 7:58:21 PM | Attr =  H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 9:22:35 PM | Attr =  H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm ->  [Ver =  | Size = 244 bytes | Created Date = 08/10/2007 10:20:48 PM | Attr =  H ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Created Date = 08/10/2007 12:01:15 AM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 08/10/2007 4:45:29 PM | Attr =    ]
$NtUninstallKB896344$ -> %SystemRoot%\$NtUninstallKB896344$ ->  [Folder | Created Date = 08/10/2007 4:19:32 PM | Attr =  H ]
$NtUninstallKB904942$ -> %SystemRoot%\$NtUninstallKB904942$ ->  [Folder | Created Date = 08/10/2007 4:29:37 PM | Attr =  H ]
$NtUninstallKB920342$ -> %SystemRoot%\$NtUninstallKB920342$ ->  [Folder | Created Date = 08/10/2007 4:29:50 PM | Attr =  H ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Created Date = 15/08/2007 6:58:51 AM | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Created Date = 28/08/2007 7:59:05 PM | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Created Date = 15/08/2007 6:59:02 AM | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Created Date = 12/07/2007 6:30:10 AM | Attr =  H ]
$NtUninstallKB936782_WMP10$ -> %SystemRoot%\$NtUninstallKB936782_WMP10$ ->  [Folder | Created Date = 15/08/2007 6:56:25 AM | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Created Date = 15/08/2007 6:58:56 AM | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Created Date = 15/08/2007 6:58:46 AM | Attr =  H ]
$NtUninstallWIC$ -> %SystemRoot%\$NtUninstallWIC$ ->  [Folder | Created Date = 08/10/2007 4:30:28 PM | Attr =  H ]
atid.ini -> %SystemRoot%\atid.ini ->  [Ver =  | Size = 29 bytes | Created Date = 13/08/2007 5:39:17 PM | Attr =    ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 08/10/2007 3:09:20 PM | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Created Date = 08/10/2007 2:15:56 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Created Date = 08/10/2007 2:15:56 PM | Attr =  H ]
actskin4.ocx -> %System32%\actskin4.ocx ->  [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 08/10/2007 1:29:10 AM | Attr =    ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Created Date = 08/10/2007 1:29:10 AM | Attr =    ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 95608 bytes | Created Date = 08/10/2007 1:29:21 AM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 08/10/2007 9:10:01 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 08/10/2007 9:10:01 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 08/10/2007 9:10:01 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 08/10/2007 9:10:01 PM | Attr =    ]
libdivx.dll -> %System32%\libdivx.dll -> The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8b | Size = 1044480 bytes | Created Date = 26/07/2007 3:06:12 PM | Attr =    ]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 8006 bytes | Created Date = 09/10/2007 12:46:46 PM | Attr =  HS]
rqtss.ini2 -> %System32%\rqtss.ini2 ->  [Ver =  | Size = 7270 bytes | Created Date = 08/10/2007 11:52:01 PM | Attr =  HS]
rqtss.old -> %System32%\rqtss.old ->  [Ver =  | Size = 7206 bytes | Created Date = 09/10/2007 11:17:03 AM | Attr =  HS]
rqtss.old2 -> %System32%\rqtss.old2 ->  [Ver =  | Size = 7270 bytes | Created Date = 08/10/2007 11:52:01 PM | Attr =  HS]
rqtssbak2.old -> %System32%\rqtssbak2.old ->  [Ver =  | Size = 6650 bytes | Created Date = 09/10/2007 11:06:53 AM | Attr =  HS]
rqtssini.old -> %System32%\rqtssini.old ->  [Ver =  | Size = 7330 bytes | Created Date = 09/10/2007 12:46:46 PM | Attr =  HS]
rqtsstmp.old -> %System32%\rqtsstmp.old ->  [Ver =  | Size = 31451 bytes | Created Date = 08/10/2007 9:24:21 PM | Attr =  HS]
ssldivx.dll -> %System32%\ssldivx.dll -> The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8b | Size = 200704 bytes | Created Date = 26/07/2007 3:06:12 PM | Attr =    ]
sstqr.dll -> %System32%\sstqr.dll ->  [Ver =  | Size = 325728 bytes | Created Date = 06/10/2007 3:29:35 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr =    ]
VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 08/10/2007 3:06:55 PM | Attr =    ]
XPSViewer -> %System32%\XPSViewer ->  [Folder | Created Date = 08/10/2007 4:33:50 PM | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 26624 bytes | Created Date = 08/10/2007 1:29:25 AM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 92848 bytes | Created Date = 08/10/2007 1:29:19 AM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 94416 bytes | Created Date = 08/10/2007 1:29:19 AM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 23152 bytes | Created Date = 08/10/2007 1:29:28 AM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 42912 bytes | Created Date = 08/10/2007 1:29:26 AM | Attr =    ]
AWRTRD.sys -> %System32%\drivers\AWRTRD.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 8320 bytes | Created Date = 07/08/2007 12:58:08 PM | Attr =    ]
NSDriver.sys -> %System32%\drivers\NSDriver.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 9344 bytes | Created Date = 07/08/2007 12:56:58 PM | Attr =    ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Created Date = 08/10/2007 2:18:01 AM | Attr =    ]

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #54 on: October 09, 2007, 11:16:22 PM »
[Files/Folders - Modified Within 90 days]
6c5d95b0f7a967861ce081828f -> %SystemDrive%\6c5d95b0f7a967861ce081828f ->  [Folder | Modified Date = 08/10/2007 5:30:26 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 1064763392 bytes | Modified Date = 09/10/2007 1:55:20 PM | Attr =  HS]
IPH.PH -> %SystemDrive%\IPH.PH ->  [Ver =  | Size = 2252 bytes | Modified Date = 13/08/2007 6:46:10 PM | Attr =  H ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 09/10/2007 1:08:50 AM | Attr = R  ]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Modified Date = 08/10/2007 4:38:00 PM | Attr =    ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 07/10/2007 11:35:50 PM | Attr =  H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 12:11:14 PM | Attr =  H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 4:24:40 PM | Attr =  H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 4:36:46 PM | Attr =  H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 6:51:32 PM | Attr =  H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 8:55:36 PM | Attr =  H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 8:58:22 PM | Attr =  H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 10:22:38 PM | Attr =  H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm ->  [Ver =  | Size = 268 bytes | Modified Date = 08/10/2007 11:20:50 PM | Attr =  H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 07/10/2007 11:35:50 PM | Attr =  H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 12:11:14 PM | Attr =  H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 4:24:40 PM | Attr =  H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 4:36:44 PM | Attr =  H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 6:51:32 PM | Attr =  H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 8:55:36 PM | Attr =  H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 8:58:22 PM | Attr =  H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 10:22:36 PM | Attr =  H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm ->  [Ver =  | Size = 244 bytes | Modified Date = 08/10/2007 11:20:50 PM | Attr =  H ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 08/10/2007 4:07:26 PM | Attr =  HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Modified Date = 08/10/2007 1:01:16 AM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 09/10/2007 1:56:00 PM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 08/10/2007 5:45:30 PM | Attr =    ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 09/10/2007 12:10:50 PM | Attr =  H ]
$NtUninstallKB896344$ -> %SystemRoot%\$NtUninstallKB896344$ ->  [Folder | Modified Date = 08/10/2007 5:19:36 PM | Attr =  H ]
$NtUninstallKB904942$ -> %SystemRoot%\$NtUninstallKB904942$ ->  [Folder | Modified Date = 08/10/2007 5:29:40 PM | Attr =  H ]
$NtUninstallKB920342$ -> %SystemRoot%\$NtUninstallKB920342$ ->  [Folder | Modified Date = 08/10/2007 5:29:52 PM | Attr =  H ]
$NtUninstallKB921503$ -> %SystemRoot%\$NtUninstallKB921503$ ->  [Folder | Modified Date = 15/08/2007 7:58:52 AM | Attr =  H ]
$NtUninstallKB933360$ -> %SystemRoot%\$NtUninstallKB933360$ ->  [Folder | Modified Date = 28/08/2007 8:59:06 PM | Attr =  H ]
$NtUninstallKB936021$ -> %SystemRoot%\$NtUninstallKB936021$ ->  [Folder | Modified Date = 15/08/2007 7:59:04 AM | Attr =  H ]
$NtUninstallKB936357$ -> %SystemRoot%\$NtUninstallKB936357$ ->  [Folder | Modified Date = 12/07/2007 7:30:12 AM | Attr =  H ]
$NtUninstallKB936782_WMP10$ -> %SystemRoot%\$NtUninstallKB936782_WMP10$ ->  [Folder | Modified Date = 15/08/2007 7:56:28 AM | Attr =  H ]
$NtUninstallKB938828$ -> %SystemRoot%\$NtUninstallKB938828$ ->  [Folder | Modified Date = 15/08/2007 7:58:58 AM | Attr =  H ]
$NtUninstallKB938829$ -> %SystemRoot%\$NtUninstallKB938829$ ->  [Folder | Modified Date = 15/08/2007 7:58:48 AM | Attr =  H ]
$NtUninstallWIC$ -> %SystemRoot%\$NtUninstallWIC$ ->  [Folder | Modified Date = 08/10/2007 5:30:30 PM | Attr =  H ]

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #55 on: October 09, 2007, 11:16:58 PM »
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 08/10/2007 7:11:36 PM | Attr = R S]
atid.ini -> %SystemRoot%\atid.ini ->  [Ver =  | Size = 29 bytes | Modified Date = 13/08/2007 6:39:18 PM | Attr =    ]
AviSplitter.INI -> %SystemRoot%\AviSplitter.INI ->  [Ver =  | Size = 38 bytes | Modified Date = 03/09/2007 2:14:28 PM | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 09/10/2007 1:55:24 PM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Modified Date = 28/09/2007 9:06:10 AM | Attr =    ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 08/10/2007 4:55:12 PM | Attr =   S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 08/10/2007 8:53:04 PM | Attr =    ]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 08/10/2007 5:33:44 PM | Attr = R S]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 24/08/2007 11:13:30 AM | Attr =    ]
imsins.BAK -> %SystemRoot%\imsins.BAK ->  [Ver =  | Size = 1374 bytes | Modified Date = 08/10/2007 5:31:08 PM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 09/10/2007 12:12:32 PM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 08/10/2007 10:24:28 PM | Attr =  HS]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 08/10/2007 7:11:40 PM | Attr =    ]
mozver.dat -> %SystemRoot%\mozver.dat ->  [Ver =  | Size = 3082 bytes | Modified Date = 20/08/2007 11:42:20 PM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 09/10/2007 1:57:30 PM | Attr =    ]
QTFont.for -> %SystemRoot%\QTFont.for ->  [Ver =  | Size = 1409 bytes | Modified Date = 08/10/2007 3:15:58 PM | Attr =    ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn ->  [Ver =  | Size = 54156 bytes | Modified Date = 08/10/2007 10:23:58 PM | Attr =  H ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 08/10/2007 4:56:16 PM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 09/10/2007 1:57:48 PM | Attr =    ]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 09/10/2007 1:57:40 PM | Attr =    ]
wininit.ini -> %SystemRoot%\wininit.ini ->  [Ver =  | Size = 223 bytes | Modified Date = 08/10/2007 12:19:28 AM | Attr =    ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 08/10/2007 5:24:58 PM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 09/10/2007 1:55:46 PM | Attr =  H ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 06/09/2007 3:09:50 AM | Attr =    ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 95608 bytes | Modified Date = 06/09/2007 3:00:08 AM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 08/10/2007 10:51:42 PM | Attr =    ]
config -> %System32%\config ->  [Folder | Modified Date = 08/10/2007 4:31:40 PM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 08/10/2007 2:29:26 AM | Attr =    ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 08/10/2007 5:31:18 PM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 08/10/2007 6:12:58 PM | Attr =    ]
en-US -> %System32%\en-US ->  [Folder | Modified Date = 08/10/2007 5:33:48 PM | Attr =    ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 158752 bytes | Modified Date = 08/10/2007 6:08:56 PM | Attr =    ]
FxsTmp -> %System32%\FxsTmp ->  [Folder | Modified Date = 08/10/2007 6:24:32 PM | Attr =    ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 24/09/2007 10:30:28 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 24/09/2007 11:31:42 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 24/09/2007 10:30:30 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 24/09/2007 11:31:42 PM | Attr =    ]
libdivx.dll -> %System32%\libdivx.dll -> The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8b | Size = 1044480 bytes | Modified Date = 26/07/2007 4:06:12 PM | Attr =    ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 71198 bytes | Modified Date = 08/10/2007 5:39:34 PM | Attr =    ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 438270 bytes | Modified Date = 08/10/2007 5:39:34 PM | Attr =    ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 516442 bytes | Modified Date = 08/10/2007 5:39:34 PM | Attr =    ]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 08/10/2007 4:07:26 PM | Attr =    ]
rqtss.ini -> %System32%\rqtss.ini ->  [Ver =  | Size = 8006 bytes | Modified Date = 09/10/2007 1:57:48 PM | Attr =  HS]
rqtss.ini2 -> %System32%\rqtss.ini2 ->  [Ver =  | Size = 7270 bytes | Modified Date = 09/10/2007 12:20:34 PM | Attr =  HS]
rqtss.old -> %System32%\rqtss.old ->  [Ver =  | Size = 7206 bytes | Modified Date = 09/10/2007 12:14:10 PM | Attr =  HS]
rqtss.old2 -> %System32%\rqtss.old2 ->  [Ver =  | Size = 7270 bytes | Modified Date = 09/10/2007 12:18:54 PM | Attr =  HS]
rqtssbak2.old -> %System32%\rqtssbak2.old ->  [Ver =  | Size = 6650 bytes | Modified Date = 09/10/2007 12:06:54 PM | Attr =  HS]
rqtssini.old -> %System32%\rqtssini.old ->  [Ver =  | Size = 7330 bytes | Modified Date = 09/10/2007 1:49:38 PM | Attr =  HS]
rqtsstmp.old -> %System32%\rqtsstmp.old ->  [Ver =  | Size = 31451 bytes | Modified Date = 09/10/2007 12:52:02 AM | Attr =  HS]
spool -> %System32%\spool ->  [Folder | Modified Date = 08/10/2007 5:31:30 PM | Attr =    ]
ssldivx.dll -> %System32%\ssldivx.dll -> The OpenSSL Project, http://www.openssl.org/ [Ver = 0.9.8b | Size = 200704 bytes | Modified Date = 26/07/2007 4:06:12 PM | Attr =    ]
sstqr.dll -> %System32%\sstqr.dll ->  [Ver =  | Size = 325728 bytes | Modified Date = 06/10/2007 4:29:50 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 05/10/2007 10:07:32 AM | Attr =    ]
usmt -> %System32%\usmt ->  [Folder | Modified Date = 08/10/2007 5:19:50 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 09/10/2007 1:56:16 PM | Attr =    ]
XPSViewer -> %System32%\XPSViewer ->  [Folder | Modified Date = 08/10/2007 5:33:52 PM | Attr =    ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 26624 bytes | Modified Date = 06/09/2007 3:00:54 AM | Attr =    ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 92848 bytes | Modified Date = 06/09/2007 3:05:26 AM | Attr =    ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 94416 bytes | Modified Date = 06/09/2007 3:05:10 AM | Attr =    ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 23152 bytes | Modified Date = 06/09/2007 3:03:02 AM | Attr =    ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1043.0 | Size = 42912 bytes | Modified Date = 06/09/2007 3:02:20 AM | Attr =    ]
AWRTRD.sys -> %System32%\drivers\AWRTRD.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 8320 bytes | Modified Date = 07/08/2007 1:58:08 PM | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 08/10/2007 4:34:08 PM | Attr =    ]
NSDriver.sys -> %System32%\drivers\NSDriver.sys -> Lavasoft AB [Ver = 7.0.1.3 | Size = 9344 bytes | Modified Date = 07/08/2007 1:56:58 PM | Attr =    ]
tmcomm.sys -> %System32%\drivers\tmcomm.sys -> Trend Micro Inc. [Ver = 1.6.0.1059 | Size = 102664 bytes | Modified Date = 07/10/2007 2:18:38 PM | Attr =    ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 06/09/2007 3:09:50 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\avisynth.dll -> The Public [Ver = 2, 5, 6, 0 | Size = 308224 bytes | Modified Date = 07/10/2005 10:14:52 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 04/08/2004 4:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 05/10/2007 10:07:32 AM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 04/08/2004 4:00:00 AM | Attr =    ]

< End of report >

mauserme

  • Guest
Re: malware: help! i've tried many things!
« Reply #56 on: October 10, 2007, 03:01:08 AM »
When you tried to rename sstqr.dll, were you in safe mode or safe mode with networking?  If it was with networking, would you try to rename it again in just the plain vanilla safe mode?

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #57 on: October 10, 2007, 04:00:56 AM »
I tried in vanilla safe mode first, then rebooted into safe mode with networking, posted that message, then tried again (to no avail).

mauserme

  • Guest
Re: malware: help! i've tried many things!
« Reply #58 on: October 10, 2007, 04:17:38 AM »
OK.

Download GMER to your desktop.
Unzip it and start GMER.exe.
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.

crafty_kd

  • Guest
Re: malware: help! i've tried many things!
« Reply #59 on: October 10, 2007, 04:45:09 AM »
GMER scan log:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-10-09 19:40:58
Windows 5.1.2600 Service Pack 2


---- User code sections - GMER 1.0.13 ----

.text           C:\Program Files\Mozilla Firefox\firefox.exe[3440] kernel32.dll!MultiByteToWideChar                                     7C809BF8 1 Byte  [ E9 ]
.text           C:\Program Files\Mozilla Firefox\firefox.exe[3440] kernel32.dll!MultiByteToWideChar + 2                                 7C809BFA 3 Bytes  [ EA, 84, 93 ]

---- User IAT/EAT - GMER 1.0.13 ----

IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!OpenServiceW]      [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress]    [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]     [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress]     [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!ControlService]   [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!OpenServiceW]     [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!OpenServiceW]     [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!ControlService]   [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress]   [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\netapi32.dll [ADVAPI32.dll!OpenServiceA]    [6F8A063A] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\netapi32.dll [ADVAPI32.dll!ControlService]  [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\netapi32.dll [ADVAPI32.dll!OpenServiceW]    [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT             C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1652] @ C:\WINDOWS\system32\netapi32.dll [KERNEL32.dll!GetProcAddress]  [5CB77774] C:\WINDOWS\system32\ShimEng.dll