Hello -
Latest results
ComboFix 08-07-04.6 - Owner 2008-07-06 15:25:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.218 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\eqnclassa.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.
2008-07-03 19:46 . 2008-07-03 19:46 <DIR> d-------- C:\Deckard
2008-06-28 15:39 . 2008-06-28 16:27 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-27 18:24 . 2008-06-27 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-27 13:29 . 2008-06-27 14:16 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-27 13:29 . 2008-06-27 13:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Simply Super Software
2008-06-27 13:29 . 2008-06-27 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-27 13:29 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-27 13:29 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-27 13:29 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-27 13:29 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-27 13:29 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-20 20:52 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-20 20:52 . 2006-03-03 18:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-06-20 20:52 . 2006-03-03 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-20 20:52 . 2006-03-03 18:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-06-20 20:52 . 2008-06-27 18:24 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-20 12:53 . 2008-07-06 15:01 <DIR> d-------- C:\myweb
2008-06-20 11:13 . 2008-06-20 11:39 <DIR> d-------- C:\Music
2008-06-19 07:14 . 2008-06-19 07:14 <DIR> d-------- C:\qrnt
2008-06-19 06:55 . 2008-06-20 21:18 <DIR> d-------- C:\Program Files\Exterminate It!
2008-06-18 17:55 . 2008-06-18 18:00 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-06-15 18:07 . 2008-06-15 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OLYMPUS
2008-06-15 18:06 . 2008-06-15 18:06 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2008-06-15 18:06 . 2008-06-15 18:06 <DIR> d-------- C:\Program Files\OLYMPUS
2008-06-15 16:30 . 2008-04-14 06:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-15 16:30 . 2008-04-14 06:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 13:57 . 2008-06-07 13:57 <DIR> d-------- C:\WINDOWS\Mozilla
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 19:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-03 11:57 1,868,983 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-30 01:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2008-06-28 20:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 15:35 --------- d-----w C:\Program Files\Starry Night Pro 4
2008-06-18 22:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-17 00:24 3,804,672 ----a-w C:\WINDOWS\Internet Logs\xDB15.tmp
2008-06-17 00:24 2,804,736 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-06-15 23:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-05 01:15 --------- d-----w C:\Program Files\iTunes
2008-06-05 01:14 --------- d-----w C:\Program Files\iPod
2008-06-05 01:11 --------- d-----w C:\Program Files\Bonjour
2008-06-05 01:10 --------- d-----w C:\Program Files\QuickTime
2008-06-05 01:06 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-05 01:06 --------- d-----w C:\Program Files\Apple Software Update
2008-06-05 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-02 22:59 76,296 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-05-30 22:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-30 22:50 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-05-30 22:09 --------- d-----w C:\Program Files\Reference Assemblies
2008-05-30 22:09 --------- d-----w C:\Program Files\MSBuild
2008-05-30 21:59 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-24 18:51 --------- d-----w C:\Program Files\Napster
2008-05-24 18:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-05-24 16:34 3,024,384 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-05-24 16:34 2,622,976 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-05-17 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-17 02:00 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-05-17 01:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\TrojanHunter
2008-05-17 00:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\gboivpfj
2008-05-16 23:22 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-16 23:22 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\gboivpfj
2008-05-09 23:38 836,608 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-05-09 23:36 2,569,216 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 19:00 3,782,144 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-05-07 19:00 2,569,216 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-27 18:26 196,608 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-04-27 18:26 1,015,808 ----a-w C:\WINDOWS\system32\libeay32.dll
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2006-11-04 14:49 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\Documents and Settings\NetworkService\Application Data\gboivpfj ----
2008-06-17 07:44 95669 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\xpti.dat
2008-06-17 07:44 4096 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\formhistory.sqlite
2008-06-17 07:44 367 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\prefs.js
2008-06-17 07:44 3088 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\formhistory.sqlite-journal
2008-06-17 07:44 207 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\compatibility.ini
2008-06-17 07:44 126626 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\compreg.dat
2008-06-17 07:44 0 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\parent.lock
2008-05-30 12:10 169 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\localstore.rdf
2008-05-16 18:25 65536 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\cert8.db
2008-05-16 18:25 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\permissions.sqlite
2008-05-16 18:25 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\cookies.sqlite
2008-05-16 18:25 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\secmod.db
2008-05-16 18:25 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\key3.db
2008-05-16 18:25 126976 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\Profiles\930snaos.default\places.sqlite
2008-05-16 18:22 111 --a------ C:\Documents and Settings\NetworkService\Application Data\gboivpfj\profiles.ini
---- Directory of C:\Documents and Settings\Owner\Application Data\gboivpfj ----
2008-06-17 07:44 417 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\prefs.js
2008-06-17 07:44 126976 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\places.sqlite
2008-06-17 07:44 0 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\places.sqlite-journal
2008-06-17 07:31 95669 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\xpti.dat
2008-06-17 07:31 207 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\compatibility.ini
2008-06-17 07:31 126626 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\compreg.dat
2008-06-10 08:08 4079 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\pluginreg.dat
2008-06-01 18:12 569 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\localstore.rdf
2008-05-22 14:10 4096 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\formhistory.sqlite
2008-05-16 19:04 65536 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\cert8.db
2008-05-16 19:04 2048 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\permissions.sqlite
2008-05-16 19:04 2048 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\cookies.sqlite
2008-05-16 19:04 16384 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\secmod.db
2008-05-16 19:04 16384 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\Profiles\jq8iwv7t.default\key3.db
2008-05-16 19:04 111 --a------ C:\Documents and Settings\Owner\Application Data\gboivpfj\profiles.ini
((((((((((((((((((((((((((((( snapshot@2008-07-05_18.10.14.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-05 22:15:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-06 20:37:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-07-06 19:59:51 11,776 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\myweb\dd7dca13\36f64ff1\App_Web_pibc8ygh.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1D17ABE-2591-4870-B108-1BED7B5A2A4B}]
c:\windows\system32\eqnclassa.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01 32768]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 16:52 737370]
"QOELOADER"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe" [2006-09-04 13:46 6656]
"CaAvTray"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe" [2006-09-04 13:46 230952]
"CAVRID"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [2006-09-04 13:46 185896]
"VTTimer"="VTTimer.exe" [2005-03-08 07:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 08:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-14 18:29 88203 C:\WINDOWS\AGRSMMSG.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuzzmwjq]
eqnclassa.dll [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-25 22:30 50776 C:\Program Files\America Online 9.0\aol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 20:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 07:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-09-25 19:52 50736 C:\Program Files\Common Files\AOL\1141427966\EE\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
--a------ 2004-04-05 16:33 99480 C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
--a------ 2008-06-03 20:33 878672 C:\Program Files\Trojan Remover\Trjscan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"RDSessMgr"=3 (0x3)
"CiSvc"=3 (0x3)
"ImapiService"=3 (0x3)
"helpsvc"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"aawservice"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1141427966\\EE\\aolsoftware.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 mglpewgn;mglpewgn;C:\WINDOWS\system32\drivers\mglpewgn.sys [2004-08-04 14:00]
S2 xkgvuusd;Remote Access Auto Connection Controller;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xkgvuusd
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-07-06 15:39:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\iSafe.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
.
**************************************************************************
.
Completion time: 2008-07-06 15:45:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-06 20:44:17
ComboFix2.txt 2008-07-05 23:12:38
Pre-Run: 40,340,074,496 bytes free
Post-Run: 40,252,182,528 bytes free
242 --- E O F --- 2008-06-15 21:45:48
Scan results attached.
Thanks
Cosmos.
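A triage pass over the "Reg Loading Points" part of a log like the one above, as an added example that is not from the poster, the helper, or ComboFix itself. It flags random-looking service and Winlogon Notify names, non-default svchost NetSvcs members (ComboFix states it omits default entries, so anything printed there is worth a look), disabled Security Center monitoring, a disabled Windows Firewall profile, and lists BHOs for manual review. The sample input is copied from the log above and trimmed; the randomness heuristic, the severity labels and the `Finding` type are the example's own assumptions.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread: not the poster's log, not ComboFix code.
It reads the log text and lists the entries a responder checks first.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied from the log posted above (trimmed, not a full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1D17ABE-2591-4870-B108-1BED7B5A2A4B}]
c:\windows\system32\eqnclassa.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 06:01 32768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuzzmwjq]
eqnclassa.dll [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 mglpewgn;mglpewgn;C:\WINDOWS\system32\drivers\mglpewgn.sys [2004-08-04 14:00]
S2 xkgvuusd;Remote Access Auto Connection Controller;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xkgvuusd
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix service lines: "<start> <name>;<display name>;<image path> [timestamp]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "review" (labels are this example's own)
    where: str
    detail: str


def looks_random(name: str) -> bool:
    """Heuristic (assumption): letters only, and either no vowels or a run of
    4+ consonants. Expect false positives; it only orders what to look at first."""
    n = name.lower()
    if not n.isalpha() or len(n) < 6:
        return False
    if not any(c in "aeiouy" for c in n):
        return True
    return re.search(r"[^aeiouy]{4,}", n) is not None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    current_key = ""
    pending: Optional[Tuple[str, str]] = None  # next bare line belongs to a BHO/Notify key
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            in_netsvcs = False
            continue
        if in_netsvcs:
            if line.startswith(("[", "HKEY", "*")):
                in_netsvcs = False
            else:
                # ComboFix prints only non-default NetSvcs members, so every name
                # here is an svchost-hosted service the OS did not ship with.
                findings.append(Finding("high", "svchost netsvcs",
                                        f"non-default group member '{line}'"))
                continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            leaf = current_key.rsplit("\\", 1)[-1]
            k = current_key.lower()
            pending = ("bho", leaf) if "browser helper objects" in k else \
                      ("notify", leaf) if "winlogon\\notify\\" in k else None
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, image = m.groups()
            if looks_random(name):
                findings.append(Finding("high", f"service {name}",
                                        f"random-looking name, start {start}, "
                                        f"display '{display}', image {image}"))
            continue
        m = VALUE_RE.match(line)
        if m:
            vname, value = m.groups()
            k = current_key.lower()
            if "security center\\monitoring" in k and vname == "DisableMonitoring" \
                    and value.lower() == "dword:00000001":
                findings.append(Finding("medium", current_key.rsplit("\\", 1)[-1],
                                        "Security Center monitoring off; normal for a registered "
                                        "third-party AV/firewall, confirm the product is running"))
            elif "firewallpolicy\\standardprofile" in k and vname == "EnableFirewall" \
                    and value.startswith("0"):
                findings.append(Finding("medium", "Windows Firewall",
                                        "EnableFirewall=0; expected only if another firewall replaces it"))
            continue
        if pending:
            kind, sub = pending
            pending = None
            if kind == "bho":
                findings.append(Finding("review", f"BHO {sub}", f"loads {line}"))
            else:
                sev = "high" if looks_random(sub) else "review"
                findings.append(Finding(sev, f"Winlogon Notify {sub}", f"loads {line}"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "review": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.where}: {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

On this log the two "DisableMonitoring" values are consistent with the CA eTrust and ZoneAlarm components that appear under "Other Running Processes" (iSafe.exe, VetMsg.exe, vsmon.exe), and "EnableFirewall=0" is what a third-party firewall normally leaves behind, so those are mediums to confirm rather than evidence of tampering. The four highs (the mglpewgn.sys driver, the xkgvuusd service hosted by svchost.exe and listed under NetSvcs, and the tuzzmwjq Winlogon Notify key loading eqnclassa.dll) are the entries the CFScript and the helper's next reply would need to address.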