Solved Daily Redirect Virus & Windows Explorer Signature Errors

Broni -

Here is the Security Check log. Others to follow shortly.

Dan

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
Norton 360
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
````````````````````````````````
Process Check:
objlist.exe by Laurent
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
````````````````````````````````
DNS Vulnerability Check:
Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````
 
Daily Redirect Virus & Window Explorer Signature Errors

Hi Broni,

The Kaspersky online scanner found some additional viruses and suspicious files noted below. Do you have to fix or restore an infected dll file when it is quarantined? If so, I am not sure what to do and I am wary of going to any site that advertises fixing dll errors.

Thanks for your help,
Dan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, September 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 17, 2010 01:27:30
Records in database: 4217353
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
Z:\

Scan statistics:
Objects scanned: 151084
Threats found: 5
Infected objects found: 4
Suspicious objects found: 21
Scan duration: 04:35:55


File name / Threat / Threats count
C:\Program Files\CE Remote Tools\5.01\bin\ccpview.exe Suspicious: Type_Win32 1
C:\Program Files\CE Remote Tools\5.01\bin\ccregedt.exe Suspicious: Type_Win32 1
C:\Program Files\Common Files\Microsoft Shared\VSA\8.0\VsaEnv\mspdbcore.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lfeps13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lffax13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lfgif13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\LFJ2K13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lfmsp13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lfpcd13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\Lfpct13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lfpcx13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\Lfpng13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lfpsd13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lftga13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\lftif13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\Lfwmf13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\LTDIS13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\ltefx13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\ltfil13n.DLL Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\ltimg13n.dll Suspicious: Type_Win32 1
C:\Program Files\InterVideo\WCreator3\ltkrn13n.dll Suspicious: Type_Win32 1
C:\Qoobox\Quarantine\C\WINDOWS\cacletup.dll.vir Infected: Backdoor.Win32.Papras.pw 1
C:\Qoobox\Quarantine\C\WINDOWS\sentui.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.afda 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP864\A0477023.exe Infected: Trojan-Spy.Win32.SpyEyes.ais 1
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP864\A0477024.exe Infected: Trojan-Downloader.Win32.Mufanom.afdh 1

Selected area has been scanned.
 
We need to doublecheck some of those findings.

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Program Files\CE Remote Tools\5.01\bin\ccpview.exe
- C:\Program Files\CE Remote Tools\5.01\bin\ccregedt.exe
- C:\Program Files\Common Files\Microsoft Shared\VSA\8.0\VsaEnv\mspdbcore.dll
- C:\Program Files\InterVideo\WCreator3\lfeps13n.dll
- C:\Program Files\InterVideo\WCreator3\lffax13n.dll
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
Broni,

Let me know if you prefer the compact table format (or another).

Dan


File name: ccpview.exe
Submission date: 2010-09-17 23:05:31 (UTC)
Current status: finished
Result: 2/ 43 (4.7%)

Antivirus Version Last Update Result
AhnLab-V3 2010.09.18.00 2010.09.17 -
AntiVir 8.2.4.52 2010.09.17 -
Antiy-AVL 2.0.3.7 2010.09.17 -
Authentium 5.2.0.5 2010.09.17 -
Avast 4.8.1351.0 2010.09.17 -
Avast5 5.0.594.0 2010.09.17 -
AVG 9.0.0.851 2010.09.17 -
BitDefender 7.2 2010.09.18 -
CAT-QuickHeal 11.00 2010.09.17 -
ClamAV 0.96.2.0-git 2010.09.17 -
Comodo 6114 2010.09.17 TrojWare.Win32.Trojan.Agent.~UL
DrWeb 5.0.2.03300 2010.09.18 -
Emsisoft 5.0.0.37 2010.09.18 -
eSafe 7.0.17.0 2010.09.17 -
eTrust-Vet 36.1.7862 2010.09.17 -
F-Prot 4.6.1.107 2010.09.17 -
F-Secure 9.0.15370.0 2010.09.17 -
Fortinet 4.1.143.0 2010.09.17 -
GData 21 2010.09.17 -
Ikarus T3.1.1.88.0 2010.09.18 -
Jiangmin 13.0.900 2010.09.17 -
K7AntiVirus 9.63.2542 2010.09.17 -
Kaspersky 7.0.0.125 2010.09.17 Type_Win32
McAfee 5.400.0.1158 2010.09.18 -
McAfee-GW-Edition 2010.1C 2010.09.17 -
Microsoft 1.6201 2010.09.17 -
NOD32 5458 2010.09.17 -
Norman 6.06.06 2010.09.17 -
nProtect 2010-09-17.01 2010.09.17 -
Panda 10.0.2.7 2010.09.17 -
PCTools 7.0.3.5 2010.09.17 -
Prevx 3.0 2010.09.18 -
Rising 22.65.04.01 2010.09.17 -
Sophos 4.57.0 2010.09.17 -
Sunbelt 6889 2010.09.17 -
SUPERAntiSpyware 4.40.0.1006 2010.09.18 -
Symantec 20101.1.1.7 2010.09.18 -
TheHacker 6.7.0.0.022 2010.09.17 -
TrendMicro 9.120.0.1004 2010.09.17 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.18 -
VBA32 3.12.14.0 2010.09.17 -
ViRobot 2010.8.25.4006 2010.09.17 -
VirusBuster 12.65.12.0 2010.09.17 -
Additional informationShow all
MD5 : 75019fe8f7495db344ca3fd3d30db78f
SHA1 : f79f883caf3b1b510dd53776b71ec33fffc070ec
SHA256: 70a61526cb35f9331abf04f70106a8dc2c8d33f3f54256add8e88e3104c13479
ssdeep: 768:k50mHP424UzRliot9R5b72z91jXD1rw+vWGh+g:k50VU/io3R5o91jz1rw5GY
File size : 39565 bytes
First seen: 2010-09-17 23:05:31
Last seen : 2010-09-17 23:05:31
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright (c) Microsoft Corporation 1992-2004. All rights reserved.
product......: CE Remote Tools
description..: Windows CE Remote Process Viewer
original name: CCPVIEW.EXE
internal name: CCPVIEW.EXE
file version.: 5.01.1651
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xC000
timedatestamp....: 0x425AD144 (Mon Apr 11 19:34:28 2005)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x5A74, 0x5C00, 5.85, e0980bf8770200e93869091b9d4f24ca
.data, 0x7000, 0x6B4, 0x400, 2.90, 8659e53b6fc9a234653808a03f2f5333
.rsrc, 0x8000, 0x34D8, 0x3600, 3.61, 86731e193a0ac7405a5db3c826f409b9
.rmnet, 0xC000, 0xE000, 0xD800, 0.00, e62da29ac3a82185101eb38cb426322a

[[ 9 import(s) ]]
KERNEL32.dll: GetStartupInfoW, OutputDebugStringW, GetTickCount, VirtualAlloc, GetSystemInfo, FormatMessageW, LocalFree, GetProcAddress, LoadLibraryA, Sleep, GetOEMCP, GetSystemDefaultLCID, VirtualFree, GetModuleHandleA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, GetModuleFileNameW
MFC42u.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
msvcrt.dll: wcsncpy, wcsrchr, wcscpy, wcslen, _terminate@@YAXXZ, _controlfp, __1type_info@@UAE@XZ, _onexit, __dllonexit, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __wgetmainargs, _wcmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _wcsicmp, __CxxFrameHandler
GDI32.dll: CreateFontIndirectW
USER32.dll: wsprintfW, GetClientRect, SendMessageW, UpdateWindow, EnableWindow, PostMessageW
ole32.dll: OleInitialize, CoCreateInstance, CLSIDFromProgID
OLEAUT32.dll: -, -
COMCTL32.dll: InitCommonControlsEx
ADVAPI32.dll: RegOpenKeyExA, RegQueryValueExA, RegCloseKey

Symantec reputation:Suspicious.Insight
 
Broni - Here is the second file


File name: ccregedt.exe
Submission date: 2010-09-17 23:30:03 (UTC)
Current status: finished
Result: 2/ 42 (4.8%)
VT Community

Antivirus Version Last Update Result
AhnLab-V3 2010.09.18.00 2010.09.17 -
AntiVir 8.2.4.52 2010.09.17 -
Antiy-AVL 2.0.3.7 2010.09.17 -
Authentium 5.2.0.5 2010.09.17 -
Avast 4.8.1351.0 2010.09.17 -
Avast5 5.0.594.0 2010.09.17 -
AVG 9.0.0.851 2010.09.17 -
BitDefender 7.2 2010.09.18 -
CAT-QuickHeal 11.00 2010.09.17 -
ClamAV 0.96.2.0-git 2010.09.17 -
Comodo 6114 2010.09.17 TrojWare.Win32.Trojan.Agent.~UL
DrWeb 5.0.2.03300 2010.09.18 -
eSafe 7.0.17.0 2010.09.17 -
eTrust-Vet 36.1.7862 2010.09.17 -
F-Prot 4.6.1.107 2010.09.17 -
F-Secure 9.0.15370.0 2010.09.17 -
Fortinet 4.1.143.0 2010.09.17 -
GData 21 2010.09.18 -
Ikarus T3.1.1.88.0 2010.09.18 -
Jiangmin 13.0.900 2010.09.17 -
K7AntiVirus 9.63.2542 2010.09.17 -
Kaspersky 7.0.0.125 2010.09.18 Type_Win32
McAfee 5.400.0.1158 2010.09.18 -
McAfee-GW-Edition 2010.1C 2010.09.17 -
Microsoft 1.6201 2010.09.17 -
NOD32 5458 2010.09.17 -
Norman 6.06.06 2010.09.17 -
nProtect 2010-09-17.01 2010.09.17 -
Panda 10.0.2.7 2010.09.17 -
PCTools 7.0.3.5 2010.09.17 -
Prevx 3.0 2010.09.18 -
Rising 22.65.04.01 2010.09.17 -
Sophos 4.57.0 2010.09.17 -
Sunbelt 6889 2010.09.17 -
SUPERAntiSpyware 4.40.0.1006 2010.09.18 -
Symantec 20101.1.1.7 2010.09.18 -
TheHacker 6.7.0.0.022 2010.09.17 -
TrendMicro 9.120.0.1004 2010.09.17 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.18 -
VBA32 3.12.14.0 2010.09.17 -
ViRobot 2010.8.25.4006 2010.09.17 -
VirusBuster 12.65.12.0 2010.09.17 -
Additional informationShow all
MD5 : 557f3f1384a379eb4996290ac12618f9
SHA1 : 2f2294dd4375cc6e3bca06dfc7d2605b5d757ee4
SHA256: 5bb919baa5a222d930494b4e32af1b125176864da9465ce74381b16c5c90d44f
ssdeep: 3072:FPqlmdoh4j/weymH8tiajMV+onFbkgh1g:eek:mdoqjYvMV+on2
File size : 131213 bytes
First seen: 2010-09-17 23:30:03
Last seen : 2010-09-17 23:30:03
TrID:
Win32 Executable MS Visual C++ (generic) (75.0%)
Win32 Executable Generic (16.9%)
Generic Win/DOS Executable (3.9%)
DOS Executable Generic (3.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright (c) Microsoft Corporation 1992-2004. All rights reserved.
product......: CE Remote Tools
description..: Windows CE Remote Registry Editor
original name: CCREGEDT.EXE
internal name: CCREGEDT.EXE
file version.: 5.01.1651
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2C000
timedatestamp....: 0x425AD146 (Mon Apr 11 19:34:30 2005)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xF098, 0xF200, 6.12, 829eb67f470262ad61d0e1fd8cf2c232
.data, 0x11000, 0x9150, 0x600, 3.69, 902489af8f78de9fef4c8b2bf3e59921
.rsrc, 0x1B000, 0x103D8, 0x10400, 4.27, dda94ac8355468053b9b87ea0ff4bf80
.rmnet, 0x2C000, 0xE000, 0xD800, 0.00, e62da29ac3a82185101eb38cb426322a

[[ 9 import(s) ]]
KERNEL32.dll: LocalAlloc, SizeofResource, GetTempFileNameW, GetTempPathW, LoadResource, LocalFree, GlobalAlloc, GlobalLock, GlobalUnlock, CreateFileW, WriteFile, GetSystemDefaultLCID, GetLastError, CreateMutexW, GetModuleFileNameW, GetStartupInfoW, OutputDebugStringW, GetTickCount, VirtualFree, VirtualAlloc, GetSystemInfo, FormatMessageW, GetProcAddress, LoadLibraryA, FindResourceW, CloseHandle, GetModuleHandleA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, DeleteFileW
MFC42u.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
msvcrt.dll: __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, __1type_info@@UAE@XZ, __dllonexit, _onexit, wcscpy, wcscmp, wcsncpy, wcstoul, _controlfp, _terminate@@YAXXZ, _initterm, __wgetmainargs, _wcmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, memmove, _snwprintf, _ultow, wcstok, wcscat, wcstombs, _wcsnicmp, _wcsicmp, wcstol, wcsrchr, wcslen, __CxxFrameHandler
ADVAPI32.dll: RegDeleteKeyW, RegQueryValueExA, RegCloseKey, RegDeleteValueW, RegQueryInfoKeyW, RegOpenKeyExW, RegEnumKeyExW, RegEnumValueW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExA
GDI32.dll: ExtTextOutW, SetTextColor, SetBkColor, GetTextMetricsW, SelectObject, CreateFontIndirectW, DeleteObject, GetDeviceCaps
USER32.dll: RemoveMenu, SetWindowTextW, DispatchMessageW, TranslateMessage, IsDialogMessageW, PeekMessageW, DestroyIcon, LoadIconW, GetClientRect, SendMessageW, EnableWindow, LoadMenuW, GetMessagePos, GetSubMenu, SetMenuDefaultItem, GetMenuItemCount, EnableMenuItem, RegisterClipboardFormatW, LoadCursorW, RegisterClassW, DefWindowProcW, GetDC, ReleaseDC, SetScrollInfo, ScrollWindowEx, BeginPaint, EndPaint, GetSysColor, wsprintfW, CreateCaret, ShowCaret, DestroyCaret, SetFocus, SetCapture, SetTimer, KillTimer, ReleaseCapture, GetKeyState, MessageBeep, CharLowerW, InvalidateRect, SetCaretPos, HideCaret, OpenClipboard, UpdateWindow, SetClipboardData, CloseClipboard, GetClipboardData, FindWindowW, GetLastActivePopup, IsIconic, SetForegroundWindow, EmptyClipboard
ole32.dll: CoInitialize, CoCreateInstance, CLSIDFromProgID
OLEAUT32.dll: -, -
COMCTL32.dll: ImageList_ReplaceIcon

Symantec reputation:Suspicious.Insight
 
Broni - Here is the third file

File name: mspdbcore.dll
Submission date: 2010-09-17 23:43:18 (UTC)
Current status: queued (#4) queued analysing finished
Result: 6/ 43 (14.0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.09.18.00 2010.09.17 -
AntiVir 8.2.4.52 2010.09.17 -
Antiy-AVL 2.0.3.7 2010.09.17 -
Authentium 5.2.0.5 2010.09.17 W32/Patched.S.gen!Eldorado
Avast 4.8.1351.0 2010.09.17 -
Avast5 5.0.594.0 2010.09.17 -
AVG 9.0.0.851 2010.09.17 -
BitDefender 7.2 2010.09.18 -
CAT-QuickHeal 11.00 2010.09.17 -
ClamAV 0.96.2.0-git 2010.09.17 -
Comodo 6114 2010.09.17 TrojWare.Win32.Trojan.Agent.~UL
DrWeb 5.0.2.03300 2010.09.18 -
Emsisoft 5.0.0.37 2010.09.18 -
eSafe 7.0.17.0 2010.09.17 -
eTrust-Vet 36.1.7862 2010.09.17 -
F-Prot 4.6.1.107 2010.09.17 W32/Patched.S.gen!Eldorado
F-Secure 9.0.15370.0 2010.09.18 -
Fortinet 4.1.143.0 2010.09.17 -
GData 21 2010.09.18 -
Ikarus T3.1.1.88.0 2010.09.18 -
Jiangmin 13.0.900 2010.09.17 -
K7AntiVirus 9.63.2542 2010.09.17 Trojan
Kaspersky 7.0.0.125 2010.09.18 Type_Win32
McAfee 5.400.0.1158 2010.09.18 -
McAfee-GW-Edition 2010.1C 2010.09.17 -
Microsoft 1.6201 2010.09.17 -
NOD32 5458 2010.09.17 -
Norman 6.06.06 2010.09.17 -
nProtect 2010-09-17.01 2010.09.17 -
Panda 10.0.2.7 2010.09.17 -
PCTools 7.0.3.5 2010.09.18 -
Prevx 3.0 2010.09.18 -
Rising 22.65.04.01 2010.09.17 -
Sophos 4.57.0 2010.09.17 -
Sunbelt 6890 2010.09.18 LooksLike.Win32.InfectedFile!B (v)
SUPERAntiSpyware 4.40.0.1006 2010.09.18 -
Symantec 20101.1.1.7 2010.09.18 -
TheHacker 6.7.0.0.022 2010.09.17 -
TrendMicro 9.120.0.1004 2010.09.17 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.18 -
VBA32 3.12.14.0 2010.09.17 -
ViRobot 2010.8.25.4006 2010.09.17 -
VirusBuster 12.65.12.0 2010.09.17 -
Additional informationShow all
MD5 : 98f82f76f719cdea5918ec5a14497c08
SHA1 : 53c360cdc90effcf9a265a059eef86169c3474a3
SHA256: 50d119a9c8a21f0758519598ead18322c1bbb7668bfed135a49827a29a5ba738
ssdeep: 6144:LeLfwOeISsC0SEf+PfuhOT9n94HntFQWxYTA1y:KswSsC0SEf+Pf9v4HntFQIYky
File size : 257165 bytes
First seen: 2010-09-17 23:43:18
Last seen : 2010-09-17 23:43:18
TrID:
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Visual Studio_ 2005
description..: Microsoft_ Program Database
original name: MSPDBCORE.DLL
internal name: MSPDBCORE.DLL
file version.: 8.00.50727.42 (RTM.050727-4200)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x43000
timedatestamp....: 0x4333ABD0 (Fri Sep 23 07:16:32 2005)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x3B481, 0x3B600, 6.61, cf4876e2813c09137614747a32cd5dec
.data, 0x3D000, 0x17D4, 0x400, 2.35, cf9cc92a9410e936db8d90163915d100
.rsrc, 0x3F000, 0x5F4, 0x600, 4.43, c9952c98e08ea7c902819dbd73e1d9dd
.reloc, 0x40000, 0x2656, 0x2800, 5.52, 42a144c20b987f3caf5f112340dadd1c
.rmnet, 0x43000, 0xE000, 0xD800, 0.00, e62da29ac3a82185101eb38cb426322a

[[ 4 import(s) ]]
MSVCR80.dll: __CppXcptFilter, _unlock, __dllonexit, _lock, _onexit, _adjust_fdiv, _time32, __clean_type_info_names_internal, _crt_debugger_hook, _amsg_exit, _initterm_e, _initterm, _decode_pointer, _encoded_null, _malloc_crt, _encode_pointer, _open_osfhandle, _close, _chsize, _lseeki64, _write, _read, swscanf_s, fwrite, fprintf, wcsncat_s, _wutime64, _time64, fwprintf, wcstoul, strtoul, wcsncmp, strncmp, _ultow_s, _ultoa_s, _vswprintf_c_l, towupper, toupper, iswxdigit, iswdigit, isxdigit, isdigit, wcschr, strrchr, calloc, __unDName, _mbsicmp, malloc, _stricmp, strchr, _vcwprintf, vfwprintf, _fileno, _get_osfhandle, vsprintf_s, _mbscmp, strcat_s, _memicmp, strncpy_s, bsearch, qsort, _wcsicmp, wcsrchr, strstr, __iob_func, fflush, iswascii, wcsstr, strcpy_s, memset, memmove, _wdupenv_s, wcscat_s, ftell, _wcsnicmp, _snwprintf_s, sprintf_s, memcpy, _wcsdup, _wsplitpath_s, free, wcscpy_s, _wmakepath_s, wcsncpy_s, fseek, fread, fclose, _purecall, _wfullpath, _fullpath, _wsopen, _wfsopen, _except_handler4_common, _fsopen, _sopen
KERNEL32.dll: RaiseException, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, InterlockedCompareExchange, Sleep, InterlockedExchange, CreateFileMappingW, DeviceIoControl, DeleteFileA, DeleteFileW, InterlockedDecrement, FlushViewOfFile, CreateFileMappingA, MapViewOfFileEx, CreateFileW, UnmapViewOfFile, HeapDestroy, HeapCreate, GetSystemInfo, GetFileInformationByHandle, GetFileAttributesExW, SetFilePointer, ReadFile, InterlockedIncrement, GetSystemTime, SystemTimeToFileTime, SignalObjectAndWait, ReleaseMutex, GetCurrentThreadId, CreateEventA, CreateThread, CopyFileA, GetFileAttributesA, SetFileAttributesA, CopyFileW, GetFileAttributesW, SetFileAttributesW, CreateWaitableTimerA, SetWaitableTimer, ResetEvent, WaitForSingleObject, TerminateThread, SetEvent, GetSystemTimeAsFileTime, CreateMutexW, CloseHandle, GetFileType, GetConsoleMode, GetVersionExA, VirtualFree, VirtualAlloc, LCMapStringW, LCMapStringA, GetLastError, LoadLibraryA, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, GetCurrentDirectoryW, FreeLibrary, InitializeCriticalSectionAndSpinCount, GetVersion, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleA, GetProcAddress, SetLastError, HeapFree, HeapAlloc, LocalAlloc
ADVAPI32.dll: CryptAcquireContextA, RegCloseKey, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, RegQueryValueExW, CryptGenRandom, CryptReleaseContext, RegOpenKeyExA, RegQueryValueExA
RPCRT4.dll: UuidCreate

[[ 200 export(s) ]]
__0SymTiIter@@QAE@PAUSYMTYPE@@@Z, __0TypeTiIter@@QAE@PAUTYPTYPE@@@Z, _CloseAllTimeoutPDB@PDB@@SAHXZ, _ExportValidateImplementation@PDB@@SAHK@Z, _ExportValidateInterface@PDB@@SAHK@Z, _FCreateSrcHash@SrcHash@@SA_NAAPAU1@W4HID@1@@Z, _FOpen@MREngine@@SGHPAPAU1@PAUMreToPdb@@HH@Z, _FOpen@MREngine@@SGHPAPAU1@PAUPDB@@PAUNameMap@@HH@Z, _FOpen@MREngine@@SGHPAPAU1@PBDAAJQADHH@Z, _FOpenW@MREngine@@SGHPAPAU1@PBGAAJPAGIHH@Z, _MapLeafStToSz@@YAII@Z, _MapSymRecStToSz@@YAII@Z, _Open2W@PDB@@SAHPBGPBDPAJPAGIPAPAU1@@Z, _OpenEx2W@PDB@@SAHPBGPBDJPAJPAGIPAPAU1@@Z, _OpenInStream@PDB@@SAHPAUIStream@@PBDPAJPAGIPAPAU1@@Z, _OpenValidate4@PDB@@SAHPBGPBDPBU_GUID@@KKPAJPAGIPAPAU1@@Z, _OpenValidate5@PDB@@SAHPBG0PAXP6AP6AHXZ1W4POVC@@@ZPAJPAGIPAPAU1@@Z, _QueryImplementationVersionStatic@PDB@@SAKXZ, _QueryInterfaceVersionStatic@PDB@@SAKXZ, _SetErrorHandlerAPI@PDB@@SAHP6APAUIPDBError@@PAU1@@Z@Z, _SetPDBCloseTimeout@PDB@@SAH_K@Z, _ShutDownTimeoutManager@PDB@@SAHXZ, _fConvertSymRecStToSz@@YAHPAEJ0PAJ@Z, _fConvertSymRecStToSz@@YAHPAUSYMTYPE@@@Z, _fConvertSymRecStToSzInPlace@@YAHPAEJ@Z, _fConvertSymRecStToSzWithSig@@YAHPAEJ0PAJ@Z, _fConvertTypeRecStToSz@@YAHPAUTYPTYPE@@@Z, _fConvertTypeRecsStToSz@@YAHPAE0PAJ@Z, _fCreate@WidenTi@@SAHAAPAU1@IH@Z, _fGetSymName@@YAHPAUSYMTYPE@@PAPAD@Z, _fGetSymRecTypName@@YAHPAUSYMTYPE@@PAPAD@Z, _fNameFromSym@@YA_NPAUSYMTYPE@@PAGPAK@Z, _fNameFromType@@YA_NPAUTYPTYPE@@PAGPAK@Z, _next@TypeTiIter@@QAEHXZ, _nextField@TypeTiIter@@QAEHXZ, _open@Bsc@@SAHPADPAPAU1@@Z, _open@Bsc@@SAHPAUPDB@@PAPAU1@@Z, _open@NameMap@@SAHPAUPDB@@HPAPAU1@@Z, _open@StreamImage@@SAHPAUStream@@JPAPAU1@@Z, _openW@Bsc@@SAHPBGPAPAU1@@Z, _pbEndRecordSansPad@TypeTiIter@@QAEPAEXZ, DBIAddLinkInfo, DBIAddPublic, DBIAddSec, DBIAddThunkMap, DBIClose, DBIDeleteMod, DBIDumpMods, DBIDumpSecContribs, DBIDumpSecMap, DBIFStripped, DBIFindTypeServers, DBIGetEnumContrib, DBIOpenDbg, DBIOpenGlobals, DBIOpenMod, DBIOpenPublics, DBIQueryDbgTypes, DBIQueryFileInfo, DBIQueryImplementationVersion, DBIQueryInterfaceVersion, DBIQueryItsmForTi, DBIQueryLazyTypes, DBIQueryLinkInfo, DBIQueryModFromAddr, DBIQueryModFromAddr2, DBIQueryNextItsm, DBIQueryNextMod, DBIQuerySecMap, DBIQuerySupportsEC, DBIQueryTypeServer, DbgAppend, DbgClear, DbgClose, DbgFind, DbgQueryNext, DbgQuerySize, DbgReplaceNext, DbgReset, DbgSkip, EnumContribGet, EnumContribGetCrcs, EnumContribNext, EnumContribRelease, EnumContribReset, GSIClose, GSIHashSym, GSINearestSym, GSINextSym, GSIOffForSym, GSISymForOff, MSFOpenExW, MSFOpenW, ModAddLines, ModAddPublic, ModAddSecContrib, ModAddSymbols, ModAddTypes, ModClose, ModGetPvClient, ModQueryCBFile, ModQueryCBName, ModQueryDBI, ModQueryFile, ModQueryFirstCodeSecContrib, ModQueryImod, ModQueryImplementationVersion, ModQueryInterfaceVersion, ModQueryLines, ModQueryName, ModQueryPdbFile, ModQuerySecContrib, ModQuerySrcFile, ModQuerySupportsEC, ModQuerySymbols, ModQueryTpi, ModReplaceLines, ModSetPvClient, PDBClose, PDBCommit, PDBCopyTo, PDBCopyToW, PDBCopyToW2, PDBCreateDBI, PDBExportValidateImplementation, PDBExportValidateInterface, PDBIsSZPDB, PDBOpen2W, PDBOpenDBI, PDBOpenDBIEx, PDBOpenEx2W, PDBOpenStream, PDBOpenTpi, PDBOpenValidate4, PDBOpenValidate5, PDBQueryAge, PDBQueryImplementationVersion, PDBQueryImplementationVersionStatic, PDBQueryInterfaceVersion, PDBQueryInterfaceVersionStatic, PDBQueryLastError, PDBQueryPDBName, PDBQuerySignature, PDBQuerySignature2, SigForPbCb, StreamAppend, StreamDelete, StreamImageBase, StreamImageNoteRead, StreamImageNoteWrite, StreamImageOpen, StreamImageRelease, StreamImageSize, StreamImageWriteBack, StreamQueryCb, StreamRead, StreamRelease, StreamReplace, StreamTruncate, StreamWrite, SzCanonFilename, TruncStFromSz, TypesAreTypesEqual, TypesClose, TypesCommit, TypesIsTypeServed, TypesQueryCVRecordForTiEx, TypesQueryCb, TypesQueryImplementationVersion, TypesQueryInterfaceVersion, TypesQueryPbCVRecordForTiEx, TypesQueryTiForCVRecordEx, TypesQueryTiForUDTEx, TypesQueryTiMacEx, TypesQueryTiMinEx, TypesSupportQueryTiForUDT, TypesfIs16bitTypePool, _MREBagFAddDep@20, _MREBagFClose@4, _MRECmpClassIsBoring@8, _MRECmpFCloseCompiland@12, _MRECmpFOpenCompiland@16, _MRECmpFPushFile@16, _MRECmpPmrefilePopFile@4, _MREDrvFFilesOutOfDate@8, _MREDrvFRefreshFileSysInfo@4, _MREDrvFRelease@4, _MREDrvFSuccessfulCompile@16, _MREDrvFUpdateTargetFile@12, _MREDrvOneTimeInit@4, _MREDrvYnmFileOutOfDate@8, _MREFClose@8, _MREFDelete@4, _MREFOpen@16, _MREFOpenByName@24, _MREFOpenEx@12, _MREFileFOpenBag@12, _MREQueryMreCmp@12, _MREQueryMreDrv@8, _MREQueryMreUtil@8

Symantec reputation:Suspicious.Insight
 
Broni - Here is the fourth one

File name: lfeps13n.dll
Submission date: 2010-09-17 23:52:57 (UTC)
Current status: queued queued (#7) analysing finished
Result: 2/ 43 (4.7%)

Antivirus Version Last Update Result
AhnLab-V3 2010.09.18.00 2010.09.17 -
AntiVir 8.2.4.52 2010.09.17 -
Antiy-AVL 2.0.3.7 2010.09.17 -
Authentium 5.2.0.5 2010.09.17 -
Avast 4.8.1351.0 2010.09.17 -
Avast5 5.0.594.0 2010.09.17 -
AVG 9.0.0.851 2010.09.17 -
BitDefender 7.2 2010.09.18 -
CAT-QuickHeal 11.00 2010.09.17 -
ClamAV 0.96.2.0-git 2010.09.17 -
Comodo 6114 2010.09.17 TrojWare.Win32.Trojan.Agent.~UL
DrWeb 5.0.2.03300 2010.09.18 -
Emsisoft 5.0.0.37 2010.09.18 -
eSafe 7.0.17.0 2010.09.17 -
eTrust-Vet 36.1.7862 2010.09.17 -
F-Prot 4.6.1.107 2010.09.17 -
F-Secure 9.0.15370.0 2010.09.18 -
Fortinet 4.1.143.0 2010.09.17 -
GData 21 2010.09.18 -
Ikarus T3.1.1.88.0 2010.09.18 -
Jiangmin 13.0.900 2010.09.17 -
K7AntiVirus 9.63.2542 2010.09.17 -
Kaspersky 7.0.0.125 2010.09.18 Type_Win32
McAfee 5.400.0.1158 2010.09.18 -
McAfee-GW-Edition 2010.1C 2010.09.17 -
Microsoft 1.6201 2010.09.17 -
NOD32 5458 2010.09.17 -
Norman 6.06.06 2010.09.17 -
nProtect 2010-09-17.01 2010.09.17 -
Panda 10.0.2.7 2010.09.17 -
PCTools 7.0.3.5 2010.09.18 -
Prevx 3.0 2010.09.18 -
Rising 22.65.04.01 2010.09.17 -
Sophos 4.57.0 2010.09.17 -
Sunbelt 6890 2010.09.18 -
SUPERAntiSpyware 4.40.0.1006 2010.09.18 -
Symantec 20101.1.1.7 2010.09.18 -
TheHacker 6.7.0.0.022 2010.09.17 -
TrendMicro 9.120.0.1004 2010.09.17 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.18 -
VBA32 3.12.14.0 2010.09.17 -
ViRobot 2010.8.25.4006 2010.09.17 -
VirusBuster 12.65.12.0 2010.09.17 -
Additional informationShow all
MD5 : 6dce36f01b65b7c25469efb4c9a5b600
SHA1 : 18fa248e4c9a0d5d573543c231ee6728206c3fe6
SHA256: c91d9d9f7a3d4d50829cddae584a7222f78032b75fd78f22154c71edbf007ae6
ssdeep: 384:ETYaFc2BZiCc9kV4ZO7YuQ8DynZigseDKtJ++uWk5Jw+o9kDbsJgfuYsDD:gdFz7z4ZsQCw
Zilho+ph2Dbogfds
File size : 38029 bytes
First seen: 2010-09-17 23:52:57
Last seen : 2010-09-17 23:52:57
TrID:
Win64 Executable Generic (54.6%)
Win32 Executable MS Visual C++ (generic) (24.0%)
Windows Screen Saver (8.3%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)
sigcheck:
publisher....: LEAD Technologies, Inc.
copyright....: Copyright(c) 1991-2001 LEAD Technologies, Inc.
product......: LEADTOOLS(r) DLL for Win32
description..: LEADTOOLS(r) DLL for Win32
original name: LFEPS13N.DLL
internal name: LFEPS13N
file version.: 13.0.0.001
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xD000
timedatestamp....: 0x3BF5A635 (Fri Nov 16 23:50:13 2001)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x5E5B, 0x6000, 6.51, 023c72704ab38debcff613f6a22c0aee
.rdata, 0x7000, 0x625, 0x800, 3.58, fbc7b0ce7d9cf56b15b66433aef9470d
.data, 0x8000, 0x1618, 0x1400, 2.95, 4c141279c284f3f1d0bd387d9b411f9a
.idata, 0xA000, 0x4B0, 0x600, 4.17, ef93e26146e13e6a6ca4a2de69207946
.rsrc, 0xB000, 0x448, 0x600, 2.66, 651b840b351a624cfb326a323c77bab2
.reloc, 0xC000, 0x650, 0x800, 5.03, 15e85c8968b5addecd5cab2b18551902
.rmnet, 0xD000, 0xE000, 0xD800, 0.00, e62da29ac3a82185101eb38cb426322a

[[ 3 import(s) ]]
KERNEL32.dll: GetModuleHandleA, GetProcAddress, SetErrorMode, lstrcpyA, GetModuleFileNameA, FreeLibrary, lstrcmpA, lstrlenA, VirtualAlloc, VirtualFree, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, WriteFile, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, MultiByteToWideChar, FreeEnvironmentStringsA, GetOEMCP, HeapFree, HeapAlloc, GetCommandLineA, LoadLibraryA, GetVersion, HeapDestroy, HeapCreate, GetACP, SetHandleCount, ExitProcess, TerminateProcess, GetCurrentProcess, GetFileType, GetStdHandle, GetStartupInfoA, GetCPInfo
USER32.dll: wsprintfA
LTKRN13N.dll: -, -, -, -, -, -, -, -, -, -, -, -

[[ 4 export(s) ]]
DllMain, fltInfo, fltLoad, fltSave

Symantec reputation:Suspicious.Insight
 
Broni - Here is the final one.

Thank you,
Dan

File name: lffax13n.dll
Submission date: 2010-09-17 23:53:43 (UTC)
Current status: queued queued analysing finished
Result: 2/ 43 (4.7%)

Antivirus Version Last Update Result
AhnLab-V3 2010.09.18.00 2010.09.17 -
AntiVir 8.2.4.52 2010.09.17 -
Antiy-AVL 2.0.3.7 2010.09.17 -
Authentium 5.2.0.5 2010.09.17 -
Avast 4.8.1351.0 2010.09.17 -
Avast5 5.0.594.0 2010.09.17 -
AVG 9.0.0.851 2010.09.17 -
BitDefender 7.2 2010.09.18 -
CAT-QuickHeal 11.00 2010.09.17 -
ClamAV 0.96.2.0-git 2010.09.17 -
Comodo 6114 2010.09.17 TrojWare.Win32.Trojan.Agent.~UL
DrWeb 5.0.2.03300 2010.09.18 -
Emsisoft 5.0.0.37 2010.09.18 -
eSafe 7.0.17.0 2010.09.17 -
eTrust-Vet 36.1.7862 2010.09.17 -
F-Prot 4.6.1.107 2010.09.17 -
F-Secure 9.0.15370.0 2010.09.18 -
Fortinet 4.1.143.0 2010.09.17 -
GData 21 2010.09.18 -
Ikarus T3.1.1.88.0 2010.09.18 -
Jiangmin 13.0.900 2010.09.17 -
K7AntiVirus 9.63.2542 2010.09.17 -
Kaspersky 7.0.0.125 2010.09.18 Type_Win32
McAfee 5.400.0.1158 2010.09.18 -
McAfee-GW-Edition 2010.1C 2010.09.17 -
Microsoft 1.6201 2010.09.17 -
NOD32 5458 2010.09.17 -
Norman 6.06.06 2010.09.17 -
nProtect 2010-09-17.01 2010.09.17 -
Panda 10.0.2.7 2010.09.17 -
PCTools 7.0.3.5 2010.09.18 -
Prevx 3.0 2010.09.18 -
Rising 22.65.04.01 2010.09.17 -
Sophos 4.57.0 2010.09.17 -
Sunbelt 6890 2010.09.18 -
SUPERAntiSpyware 4.40.0.1006 2010.09.18 -
Symantec 20101.1.1.7 2010.09.18 -
TheHacker 6.7.0.0.022 2010.09.17 -
TrendMicro 9.120.0.1004 2010.09.17 -
TrendMicro-HouseCall 9.120.0.1004 2010.09.18 -
VBA32 3.12.14.0 2010.09.17 -
ViRobot 2010.8.25.4006 2010.09.17 -
VirusBuster 12.65.12.0 2010.09.17 -
Additional informationShow all
MD5 : b0ea65d3f0ff0cbeee9a98f6b4976d5b
SHA1 : 86f6fe1dbae1570a555f04fee9b4b1f523453163
SHA256: f053d38065465228b7afaef712c92f8775cee9911fc31315976a9e81708c24cf
ssdeep: 1536:Q2sKSO8O/p9r0RPICpGhKNtX5MnOB2588888sH:Q2sKtQpGAtpXK88888sH
File size : 74381 bytes
First seen: 2010-09-17 23:53:43
Last seen : 2010-09-17 23:53:43
TrID:
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
sigcheck:
publisher....: LEAD Technologies, Inc.
copyright....: Copyright(c) 1991-2001 LEAD Technologies, Inc.
product......: LEADTOOLS(r) DLL for Win32
description..: LEADTOOLS(r) DLL for Win32
original name: LFFAX13N.DLL
internal name: LFFAX13N
file version.: 13.0.0.001
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x16000
timedatestamp....: 0x3BF5A56A (Fri Nov 16 23:46:50 2001)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x8EC4, 0x9000, 6.56, 4cc3026195f9f74987d69dfedfd1b49d
.rdata, 0xA000, 0x851, 0xA00, 3.60, 3bd00dab547fc0ebe0bdd8030cb62b73
.data, 0xB000, 0x726C, 0x7200, 4.52, bc26ce9480aae2bc8e437c105da5f4fb
.idata, 0x13000, 0x41E, 0x600, 3.86, 47e628565973f4ce75a6ca11ce8345ad
.rsrc, 0x14000, 0x448, 0x600, 2.67, 77759213f02b3c51f63619d3349e8c30
.reloc, 0x15000, 0x490, 0x600, 4.62, d5b73df2d763d2d877c5c485e20830ef
.rmnet, 0x16000, 0xE000, 0xD800, 0.00, e62da29ac3a82185101eb38cb426322a

[[ 3 import(s) ]]
KERNEL32.dll: GetCommandLineA, GetModuleHandleA, GetVersion, WriteFile, WideCharToMultiByte, LoadLibraryA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsA, GetOEMCP, GetCPInfo, GetModuleFileNameA, GetACP, GetStdHandle, GetFileType, GetStartupInfoA, GetCurrentProcess, TerminateProcess, HeapFree, HeapAlloc, RtlUnwind, lstrcpyA, GetProcAddress, SetHandleCount, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, ExitProcess
GDI32.dll: DeleteObject
LTKRN13N.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

[[ 10 export(s) ]]
DllMain, L_LoadRawFax, L_LoadTiledFax, L_SaveRawFax, L_SaveTiledFax, fltInfo, fltLoad, fltLoadBuffer, fltSave, fltSaveBuffer

Symantec reputation:Suspicious.Insight
 
Broni,

I really am not sure when and how these programs were installed on this PC. This PC was used primarily used by my wife (for work) and by my kids (surf the web and download/save music). My nephews were also over for the summer and that's when the redirect problem really started became noticeable.

Dan
 
Good. Uninstall both programs then.

=======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code: 
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how is your computer doing.
 
Broni,

This Lenovo T61 PC was purchased directly from the dealer with the Windows XP Pro software pre-installed.

Dan
 
It doesn't matter. It looks like some files within those programs are infected, so they need to be uninstalled, especially since we don't know, where they came from.
If you want to reinstall them later, make sure you use legitimate source.
 
Broni,

I agree. During the uninstall process of Intervideo a message was displayed that one or more files did not self-register. I need your help as I am not sure how to uninstall the CE Remote Tools as I did not see it listed in the Add or Remove Programs option.

Dan
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code: 
    :OTL

:Services

:Reg

:Files
C:\Program Files\CE Remote Tools
C:\Program Files\InterVideo
C:\Program Files\Common Files\Microsoft Shared\VSA\8.0\VsaEnv\mspdbcore.dll


:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

Then follow all steps from my reply #38.
 
Broni,

Thanks. Here is the OTL log. I will start on the steps in reply #38.

Dan

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\CE Remote Tools\5.01\target\wce500\x86 folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\sh4 folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\mipsIV_fp folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\mipsIV folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\mipsII_fp folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\mipsII folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\mips16 folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\armV4t folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\armV4i folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500\armV4 folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target\wce500 folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\target folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\sdk\inc folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\sdk folder moved successfully.
C:\Program Files\CE Remote Tools\5.01\bin folder moved successfully.
C:\Program Files\CE Remote Tools\5.01 folder moved successfully.
C:\Program Files\CE Remote Tools folder moved successfully.
File\Folder C:\Program Files\InterVideo not found.
C:\Program Files\Common Files\Microsoft Shared\VSA\8.0\VsaEnv\mspdbcore.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 108955815 bytes
->Temporary Internet Files folder emptied: 49359558 bytes
->Java cache emptied: 133234 bytes
->Flash cache emptied: 27753 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.FANTASNICK
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 115759 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 151.00 mb


[EMPTYFLASH]

User: Admin
->Flash cache emptied: 0 bytes

User: Administrator

User: Administrator.FANTASNICK

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.12.1 log created on 09172010_211819

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF735B.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF73E1.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF7876.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF7914.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF81C4.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF81DE.tmp not found!
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\VRYNN4UM\ads[1].htm moved successfully.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\69UWZXYN\sh23[1].html moved successfully.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\69UWZXYN\topic153358-3[1].html moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Broni,

Ran OTL script to reset restore point. On to next step.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 510334 bytes
->Temporary Internet Files folder emptied: 5655591 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 753 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.FANTASNICK
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9685 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 6.00 mb


[EMPTYFLASH]

User: Admin
->Flash cache emptied: 0 bytes

User: Administrator

User: Administrator.FANTASNICK

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.12.1 log created on 09172010_213224

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF1346.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF1368.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF15A2.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF16DC.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF197B.tmp not found!
File\Folder C:\Documents and Settings\Admin\Local Settings\Temp\~DF19A6.tmp not found!
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\MB6WRIID\ads[1].htm moved successfully.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\MB6WRIID\sh23[1].html moved successfully.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\MB6WRIID\topic153358-2[1].html moved successfully.
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
Broni,

Ran OTL clean.

Manually deleted logs and unused programs from this thread.

Uninstalled the Super Antivirus program, however, a blue screen appeared with a message about a dll file. Reboot occurred before I could read the complete message. The program appears to have been uninstalled.

Failed Windows update as follows:
Security Update for Microsoft Office 2003 (KB2288613)
Update for Microsoft Office Outlook 2003 Junk Email Filter (KB2291595)
Security Update for Microsoft Office Excel 2003 (KB2264403)
Security Update for Microsoft Office Access 2003 (KB981716)
Security Update for Microsoft Office Outlook 2003 (KB980373)
Security Update for Microsoft Office Word 2003 (KB2251399)
Security Update for Microsoft Office Outlook 2003 (KB2293428)

How should I proceed?
 

Similar threads

S
Solved Windows Task Manager crashes after opening
2
Replies
32
Views
10K
Broni
Broni
A
Solved My computer was hit by unknown malware
2
Replies
30
Views
12K
Broni
Broni
learninmypc
Solved Slow to boot up & shut down
Replies
6
Views
4K
Broni
Broni

Latest posts

Back