Infected with Win32.Agent.pz



contact7
2008-05-12, 16:32
Hi,

SpyBot tells me I have this Win32.Agent.pz malware but it will not delete the folder it's in.

Here are the HJ & Kaspersky reports.

Thanks beforehand

Mark

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:05 μμ, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\lvhidsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\PROGRA~1\SYSTRAN\5.0\Premium\SYSTRA~3.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3C448448-C701-4602-9CE4-44A2FF50637B} - C:\Program Files\WindowsUpdate\tezoletucC:\WINDOWS\system32\hu5\qopre83122.exe.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Systran50premi.IEPlugIn - {9A0844DB-84CF-4440-BDB1-1F4F7C4F7FB0} - C:\Program Files\SYSTRAN\5.0\Premium\IEPlugIn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Keylogger Killer] C:\Program Files\Keylogger Killer\KeyloggerKiller.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SoundMan] C:\WINDOWS\system32\SOUNDMAN.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Λήψη όλων με το FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Λήψη με χρήση του FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Open and Translate in Word - res://C:\Program Files\SYSTRAN\5.0\Premium\IEShellExt.dll /10
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{47FE8203-F48D-4030-944A-5AA5B6E7E8BF}: NameServer = 195.170.0.2,195.170.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote HID Service (LvHidSvc) - Philips - C:\WINDOWS\system32\lvhidsvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 9549 bytes



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 12, 2008 5:25:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/05/2008
Kaspersky Anti-Virus database records: 761373
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 177602
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 02:37:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\k\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\k\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\k\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\k\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\k\Local Settings\History\History.IE5\MSHist012008050520080512\index.dat Object is locked skipped
C:\Documents and Settings\k\Local Settings\History\History.IE5\MSHist012008051220080513\index.dat Object is locked skipped
C:\Documents and Settings\k\Local Settings\Temp\EmyOUPU.exe Infected: Trojan-Spy.Win32.Zbot.blx skipped
C:\Documents and Settings\k\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\k\Local Settings\Temp\zbFxpnd.exe Infected: Trojan-Spy.Win32.Zbot.blx skipped
C:\Documents and Settings\k\Local Settings\Temp\~DF2CE4.tmp Object is locked skipped
C:\Documents and Settings\k\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\k\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\k\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\download\todown\SmitfraudFix\SmitfraudFix\IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\download\todown\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\comsetup.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\FaxSetup.log Object is locked skipped
C:\WINDOWS\iis6.log Object is locked skipped
C:\WINDOWS\ntdtcsetup.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\setupact.log Object is locked skipped
C:\WINDOWS\setuperr.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\spupdsvc.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\404Fix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
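The two entries in the HijackThis log above that a helper reads first are the F2 line, where the UserInit value carries a second executable after userinit.exe, and the O2 BHO with no name whose file is missing; the Kaspersky report then lists the actual detections among many "locked" rows. As an added example (not part of this thread, and not code from HijackThis, Kaspersky or SDFix), the following Python applies those triage checks to constructed sample lines modelled on the posted logs. The line formats are taken from the logs shown here; the assumption that a stock Windows UserInit value contains only userinit.exe is the example's own.

```python
"""Added example: triage checks over HijackThis-style and Kaspersky-style log lines."""
import re
from typing import Dict, List, Tuple

# Assumption of this example: a stock Windows UserInit value names only userinit.exe.
USERINIT_DEFAULT = "userinit.exe"

# Constructed sample lines, modelled on the HijackThis log posted above (not the full log).
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C448448-C701-4602-9CE4-44A2FF50637B} - C:\Program Files\WindowsUpdate\tezoletucC:\WINDOWS\system32\hu5\qopre83122.exe.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
"""

# Constructed sample rows, modelled on the Kaspersky report posted above.
SAMPLE_KAV_REPORT = r"""
C:\Documents and Settings\k\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\k\Local Settings\Temp\EmyOUPU.exe Infected: Trojan-Spy.Win32.Zbot.blx skipped
C:\WINDOWS\system32\IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\download\todown\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
"""

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
O2_BHO = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
KAV_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")


def basename(path: str) -> str:
    """Last path component, lower-cased, so 'userinit.exe' and a full path compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def check_userinit(value: str) -> List[str]:
    """Return every UserInit entry that is not the stock userinit.exe (empty list = clean)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if basename(e) != USERINIT_DEFAULT]


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Flag the HijackThis entries worth a closer look; each finding keeps its source line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_USERINIT.match(line)
        if m:
            for extra in check_userinit(m.group(1)):
                findings.append({"kind": "userinit_extra", "detail": extra, "line": line})
            continue
        m = O2_BHO.match(line)
        if m:
            name, clsid, path = m.groups()
            # A BHO with no name, or whose DLL is gone, is a leftover of an install, not a product.
            if name == "(no name)" or path.endswith("(file missing)"):
                findings.append({"kind": "suspicious_bho", "detail": clsid, "line": line})
            continue
        m = O20_APPINIT.match(line)
        if m and m.group(1).strip():
            # AppInit_DLLs loads into every GUI process; always worth confirming the vendor.
            findings.append({"kind": "appinit_dlls", "detail": m.group(1).strip(), "line": line})
    return findings


def kav_detections(report_text: str) -> List[Tuple[str, str, str]]:
    """Extract (path, verdict, action) from the 'Infected:' rows, skipping locked/clean rows."""
    hits = []
    for raw in report_text.splitlines():
        m = KAV_INFECTED.match(raw.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict"), m.group("action")))
    return hits


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f['kind']}] {f['detail']}")
    for path, verdict, action in kav_detections(SAMPLE_KAV_REPORT):
        print(f"{verdict:40} {action:8} {path}")
```

The UserInit check is the one that matters most in this thread: the extra entry it reports here, ntos.exe, is exactly the file SDFix later deletes from system32, while the AppInit_DLLs hit is informational and resolves to the AVG component listed elsewhere in the same log.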

shelf life
2008-05-12, 23:07
Hi contact7,

We will get a download to run in Safe Mode:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)


Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer

* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.


* Open the extracted SDFix folder and double click RunThis.bat to start the script.

* Type Y to begin the cleanup process.

* It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.

* Press any Key and it will restart the PC.

* When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

(Report.txt will also be copied to Clipboard ready for posting back on the forum).

* Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

shelf life

contact7
2008-05-13, 11:02
Hi and thanks,

SDFix managed to delete the malware folder and I'm clean now.

Here's the report.


SDFix: Version 1.182
Run by Administrator on Τρι 13/05/2008 at 11:32 πμ

Microsoft Windows XP [Έκδοση 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\k\Application Data\Install.dat - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted



Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :

: ADS Found!
explorer.exe: deleted 1477482 bytes in 8 streams.

Checking for remaining Streams

C:\WINDOWS\explorer.exe
No streams found.



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 11:43:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x98\3拿3曾3\xb1\3 ?表3申3オ\3曾3拿3ˆ\3曾3兔3\xbd\3"=str(7):"1\0"
"\xa0\3曾3十3貼3\xb1\3曾3Œ\3十3\xb3\3\xad\3\xb1\3箪3 ?\x384\3噂3Š\3能3拿3十3表3 ?1?3?9?4?"=str(7):"1\0002\0"
"\x2018\3貼3拿3\xb3\3予3曾3十3\xbd\3十3箪3 ?申3曾3十3貼3\xb1\3曾3Œ\3十3\xb3\3\xad\3\xb1\3箪3 ?R?A?S?"=str(7):"1\0"
"\x2018\3申3オ\3表3ˆ\3オ\3\x2015\3\xb1\3箪3 ?申3\xb1\3曾3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3"=str(7):"1\0"
"\xa0\3\xb1\3Š\3\xad\3能3十3 ?予3曾3十3\xbd\3十3\x384\3噂3\xb1\3\xb3\3曾3\xac\3Œ\3Œ\3\xb1\3能3十3箪3 ?M?i?n?i?p?o?r?t?"=str(7):"1\0002\0003\0"
"\xa3\3拿3\xbd\3\x384\3オ\3貼3\xb7\3 ?能3\xb7\3\xbb\3オ\3œ\3曾3\xb1\3貼3\xb7\3箪3/?\xb2\3\x2015\3\xbd\3能3オ\3十3 ?能3\xb7\3箪3 ?M?i?c?r?o?s?o?f?t?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{6BDD1FC5-810F-11D0-BEC7-08002BE2092F}\Descriptions]
"\x2022\3\xbd\3貼3兔3Œ\3\xb1\3能3兔3Œ\3\xad\3\xbd\3\xb7\3 ?貼3表3貼3Š\3オ\3表3\xae\3 ?表3申3オ\3曾3拿3ˆ\3曾3兔3\xbd\3"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SysmonLog\Log Queries\{c8881254-8919-46a9-ae84-a179ddc599c7}]
"\xa3\3予3œ\3\xbb\3噂3十3 ?\xad\3Œ\3Œ\3オ\3貼3十3"="@C:\WINDOWS\System32\smlogcfg.dll,-735"
"\xa7\3\xb1\3曾3\xb1\3Š\3能3\xb7\3曾3噂3貼3能3噂3Š\3\xac\3 ?\xb1\3申3十3ˆ\3\xae\3Š\3\xb7\3箪3 ?\x384\3オ\3\x384\3十3Œ\3\xad\3\xbd\3兔3\xbd\3"=dword:00000021
"\x8c\3\xbd\3十3Œ\3\xb1\3 ?\xb2\3\xac\3貼3\xb7\3箪3 ?\xb1\3曾3予3オ\3\x2015\3十3表3 ?Š\3\xb1\3能3\xb1\3\xb3\3曾3\xb1\3暴3\xae\3箪3 ?\xad\3Œ\3Œ\3オ\3貼3十3"="@C:\WINDOWS\System32\smlogcfg.dll,-744"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x98\3拿3曾3\xb1\3 ?表3申3オ\3曾3拿3ˆ\3曾3兔3\xbd\3"=str(7):"1\0"
"\xa0\3曾3十3貼3\xb1\3曾3Œ\3十3\xb3\3\xad\3\xb1\3箪3 ?\x384\3噂3Š\3能3拿3十3表3 ?1?3?9?4?"=str(7):"1\0002\0"
"\x2018\3貼3拿3\xb3\3予3曾3十3\xbd\3十3箪3 ?申3曾3十3貼3\xb1\3曾3Œ\3十3\xb3\3\xad\3\xb1\3箪3 ?R?A?S?"=str(7):"1\0"
"\x2018\3申3オ\3表3ˆ\3オ\3\x2015\3\xb1\3箪3 ?申3\xb1\3曾3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3"=str(7):"1\0"
"\xa0\3\xb1\3Š\3\xad\3能3十3 ?予3曾3十3\xbd\3十3\x384\3噂3\xb1\3\xb3\3曾3\xac\3Œ\3Œ\3\xb1\3能3十3箪3 ?M?i?n?i?p?o?r?t?"=str(7):"1\0002\0003\0"
"\xa3\3拿3\xbd\3\x384\3オ\3貼3\xb7\3 ?能3\xb7\3\xbb\3オ\3œ\3曾3\xb1\3貼3\xb7\3箪3/?\xb2\3\x2015\3\xbd\3能3オ\3十3 ?能3\xb7\3箪3 ?M?i?c?r?o?s?o?f?t?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Network\{6BDD1FC5-810F-11D0-BEC7-08002BE2092F}\Descriptions]
"\x2022\3\xbd\3貼3兔3Œ\3\xb1\3能3兔3Œ\3\xad\3\xbd\3\xb7\3 ?貼3表3貼3Š\3オ\3表3\xae\3 ?表3申3オ\3曾3拿3ˆ\3曾3兔3\xbd\3"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SysmonLog\Log Queries\{c8881254-8919-46a9-ae84-a179ddc599c7}]
"\xa3\3予3œ\3\xbb\3噂3十3 ?\xad\3Œ\3Œ\3オ\3貼3十3"="@C:\WINDOWS\System32\smlogcfg.dll,-735"
"\xa7\3\xb1\3曾3\xb1\3Š\3能3\xb7\3曾3噂3貼3能3噂3Š\3\xac\3 ?\xb1\3申3十3ˆ\3\xae\3Š\3\xb7\3箪3 ?\x384\3オ\3\x384\3十3Œ\3\xad\3\xbd\3兔3\xbd\3"=dword:00000021
"\x8c\3\xbd\3十3Œ\3\xb1\3 ?\xb2\3\xac\3貼3\xb7\3箪3 ?\xb1\3曾3予3オ\3\x2015\3十3表3 ?Š\3\xb1\3能3\xb1\3\xb3\3曾3\xb1\3暴3\xae\3箪3 ?\xad\3Œ\3Œ\3オ\3貼3十3"="@C:\WINDOWS\System32\smlogcfg.dll,-744"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"\x98\3拿3曾3\xb1\3 ?表3申3オ\3曾3拿3ˆ\3曾3兔3\xbd\3"=str(7):"1\0"
"\xa0\3曾3十3貼3\xb1\3曾3Œ\3十3\xb3\3\xad\3\xb1\3箪3 ?\x384\3噂3Š\3能3拿3十3表3 ?1?3?9?4?"=str(7):"1\0002\0"
"\x2018\3貼3拿3\xb3\3予3曾3十3\xbd\3十3箪3 ?申3曾3十3貼3\xb1\3曾3Œ\3十3\xb3\3\xad\3\xb1\3箪3 ?R?A?S?"=str(7):"1\0"
"\x2018\3申3オ\3表3ˆ\3オ\3\x2015\3\xb1\3箪3 ?申3\xb1\3曾3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3"=str(7):"1\0"
"\xa0\3\xb1\3Š\3\xad\3能3十3 ?予3曾3十3\xbd\3十3\x384\3噂3\xb1\3\xb3\3曾3\xac\3Œ\3Œ\3\xb1\3能3十3箪3 ?M?i?n?i?p?o?r?t?"=str(7):"1\0002\0003\0"
"\xa3\3拿3\xbd\3\x384\3オ\3貼3\xb7\3 ?能3\xb7\3\xbb\3オ\3œ\3曾3\xb1\3貼3\xb7\3箪3/?\xb2\3\x2015\3\xbd\3能3オ\3十3 ?能3\xb7\3箪3 ?M?i?c?r?o?s?o?f?t?"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{6BDD1FC5-810F-11D0-BEC7-08002BE2092F}\Descriptions]
"\x2022\3\xbd\3貼3兔3Œ\3\xb1\3能3兔3Œ\3\xad\3\xbd\3\xb7\3 ?貼3表3貼3Š\3オ\3表3\xae\3 ?表3申3オ\3曾3拿3ˆ\3曾3兔3\xbd\3"=str(7):"1\0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,13,19,83,48,9a,ec,82,16,bf,30,0e,ca,b2,40,7b,da,bb,..
"hj34z0"=hex:1e,e0,cc,e3,00,6c,18,be,9e,17,6c,ae,2f,f2,4e,18,ed,25,34,20,6f,..
"hj34z1"=hex:8b,e1,cc,21,62,6d,18,79,95,17,6d,77,24,f2,4e,c6,e7,25,34,d5,6e,..
"hj34z2"=hex:98,e1,cc,9a,71,6d,18,c0,86,17,6d,3b,37,f2,4e,b4,f4,25,34,98,7d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\{c8881254-8919-46a9-ae84-a179ddc599c7}]
"\xa3\3予3œ\3\xbb\3噂3十3 ?\xad\3Œ\3Œ\3オ\3貼3十3"="@C:\WINDOWS\System32\smlogcfg.dll,-735"
"\xa7\3\xb1\3曾3\xb1\3Š\3能3\xb7\3曾3噂3貼3能3噂3Š\3\xac\3 ?\xb1\3申3十3ˆ\3\xae\3Š\3\xb7\3箪3 ?\x384\3オ\3\x384\3十3Œ\3\xad\3\xbd\3兔3\xbd\3"=dword:00000021
"\x8c\3\xbd\3十3Œ\3\xb1\3 ?\xb2\3\xac\3貼3\xb7\3箪3 ?\xb1\3曾3予3オ\3\x2015\3十3表3 ?Š\3\xb1\3能3\xb1\3\xb3\3曾3\xb1\3暴3\xae\3箪3 ?\xad\3Œ\3Œ\3オ\3貼3十3"="@C:\WINDOWS\System32\smlogcfg.dll,-744"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\xa0\3曾3十3オ\3申3噂3\xbb\3オ\3\xb3\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="",,,,,,,,,,,,,""
"\x9a\3噂3\xbd\3十3拿3Œ\3オ\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"=""C:\WINDOWS\Cursors\rainbow.ani,,C:\WINDOWS\Cursors\appstart.ani,C:\WINDOWS\Cursors\hourglas.ani,C:\WINDOWS\Cursors\cross.cur,,,,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,,""
"\x2020\3貼3申3曾3十3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"\xa7\3\xad\3曾3噂3\xb1\3 ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\xa7\3\xad\3曾3噂3\xb1\3 ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"\x201d\3オ\3噂3\xbd\3œ\3貼3\xb1\3表3曾3十3箪3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\xa0\3曾3十3\xb7\3\xb3\3十3拿3Œ\3オ\3\xbd\3十3 ?Œ\3十3\xbd\3能3\xad\3\xbb\3十3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\xa3\3拿3\xbd\3ˆ\3オ\3貼3\xb7\3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\x9c\3オ\3\xb3\3\xad\3ˆ\3表3\xbd\3貼3\xb7\3"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"\xa0\3\xb1\3曾3\xb1\3\xbb\3\xbb\3\xb1\3\xb3\3\xad\3箪3"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
"\x9c\3申3曾3十3拿3能3\xb6\3噂3\xbd\3十3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\x9c\3\xb1\3拿3曾3\xb1\3 ?W?i?n?d?o?w?s? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\x9c\3\xb1\3拿3曾3\xb1\3 ?W?i?n?d?o?w?s? ?(?Œ\3オ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\x9c\3\xb1\3拿3曾3\xb1\3 ?W?i?n?d?o?w?s? ?(?申3十3\xbb\3拿3 ?Œ\3オ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
"\x2018\3\xbd\3能3オ\3貼3能3曾3\xb1\3Œ\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="C:\WINDOWS\cursors\arrow_i.cur,C:\WINDOWS\cursors\help_i.cur,C:\WINDOWS\cursors\wait_i.cur,C:\WINDOWS\cursors\busy_i.cur,C:\WINDOWS\cursors\cross_i.cur,C:\WINDOWS\cursors\beam_i.cur,C:\WINDOWS\cursors\pen_i.cur,C:\WINDOWS\cursors\no_i.cur,C:\WINDOWS\cursors\size4_i.cur,C:\WINDOWS\cursors\size3_i.cur,C:\WINDOWS\cursors\size2_i.cur,C:\WINDOWS\cursors\size1_i.cur,C:\WINDOWS\cursors\move_i.cur,C:\WINDOWS\cursors\up_i.cur"
"\x2018\3\xbd\3能3オ\3貼3能3曾3\xb1\3Œ\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?Œ\3オ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_im.cur,C:\WINDOWS\cursors\help_im.cur,C:\WINDOWS\cursors\wait_im.cur,C:\WINDOWS\cursors\busy_im.cur,C:\WINDOWS\cursors\cross_im.cur,C:\WINDOWS\cursors\beam_im.cur,C:\WINDOWS\cursors\pen_im.cur,C:\WINDOWS\cursors\no_im.cur,C:\WINDOWS\cursors\size4_im.cur,C:\WINDOWS\cursors\size3_im.cur,C:\WINDOWS\cursors\size2_im.cur,C:\WINDOWS\cursors\size1_im.cur,C:\WINDOWS\cursors\move_im.cur,C:\WINDOWS\cursors\up_im.cur"
"\x2018\3\xbd\3能3オ\3貼3能3曾3\xb1\3Œ\3Œ\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?申3十3\xbb\3拿3 ?Œ\3オ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_il.cur,C:\WINDOWS\cursors\help_il.cur,C:\WINDOWS\cursors\wait_il.cur,C:\WINDOWS\cursors\busy_il.cur,C:\WINDOWS\cursors\cross_il.cur,C:\WINDOWS\cursors\beam_il.cur,C:\WINDOWS\cursors\pen_il.cur,C:\WINDOWS\cursors\no_il.cur,C:\WINDOWS\cursors\size4_il.cur,C:\WINDOWS\cursors\size3_il.cur,C:\WINDOWS\cursors\size2_il.cur,C:\WINDOWS\cursors\size1_il.cur,C:\WINDOWS\cursors\move_il.cur,C:\WINDOWS\cursors\up_il.cur"
"\xa4\3表3申3噂3Š\3\xac\3 ?W?i?n?d?o?w?s? ?(?Œ\3オ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_m.cur,C:\WINDOWS\cursors\help_m.cur,C:\WINDOWS\cursors\wait_m.cur,C:\WINDOWS\cursors\busy_m.cur,C:\WINDOWS\cursors\cross_m.cur,C:\WINDOWS\cursors\beam_m.cur,C:\WINDOWS\cursors\pen_m.cur,C:\WINDOWS\cursors\no_m.cur,C:\WINDOWS\cursors\size4_m.cur,C:\WINDOWS\cursors\size3_m.cur,C:\WINDOWS\cursors\size2_m.cur,C:\WINDOWS\cursors\size1_m.cur,C:\WINDOWS\cursors\move_m.cur,C:\WINDOWS\cursors\up_m.cur"
"\xa4\3表3申3噂3Š\3\xac\3 ?W?i?n?d?o?w?s? ?(?申3十3\xbb\3拿3 ?Œ\3オ\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_l.cur,C:\WINDOWS\cursors\help_l.cur,C:\WINDOWS\cursors\wait_l.cur,C:\WINDOWS\cursors\busy_l.cur,C:\WINDOWS\cursors\cross_l.cur,C:\WINDOWS\cursors\beam_l.cur,C:\WINDOWS\cursors\pen_l.cur,C:\WINDOWS\cursors\no_l.cur,C:\WINDOWS\cursors\size4_l.cur,C:\WINDOWS\cursors\size3_l.cur,C:\WINDOWS\cursors\size2_l.cur,C:\WINDOWS\cursors\size1_l.cur,C:\WINDOWS\cursors\move_l.cur,C:\WINDOWS\cursors\up_l.cur"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"\xa0\3\xb1\3噂3予3\xbd\3\x2015\3\x384\3噂3\xb1\3"="ΏキΈョΌアΔア\*アΉΗス―΄Ήア"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?L?e?x?m?a?r?k? ?E?1?2?0?n? ?貼3能3十3 ?S?T?A?T?I?O?N?1?-?E?F?D?F?E?4?"="winspool,Ne00:"
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?L?e?x?m?a?r?k? ?E?1?2?0?n? ?貼3能3十3 ?S?T?A?T?I?O?N?1? ?(?\x2018\3\xbd\3能3噂3\xb3\3曾3\xb1\3暴3\xae\3 ?1?)?"="winspool,Ne01:"
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?L?e?x?m?a?r?k? ?E?1?2?0?n? ?貼3能3十3 ?S?T?A?T?I?O?N?1?"="winspool,Ne02:"
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?H?P? ?O?f?f?i?c?e?j?e?t? ?5?6?0?0? ?s?e?r?i?e?s? ?貼3能3十3 ?S?T?A?T?I?O?N?2?"="winspool,Ne03:"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?L?e?x?m?a?r?k? ?E?1?2?0?n? ?貼3能3十3 ?S?T?A?T?I?O?N?1?-?E?F?D?F?E?4?"="winspool,Ne00:,15,45"
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?L?e?x?m?a?r?k? ?E?1?2?0?n? ?貼3能3十3 ?S?T?A?T?I?O?N?1? ?(?\x2018\3\xbd\3能3噂3\xb3\3曾3\xb1\3暴3\xae\3 ?1?)?"="winspool,Ne01:,15,45"
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?L?e?x?m?a?r?k? ?E?1?2?0?n? ?貼3能3十3 ?S?T?A?T?I?O?N?1?"="winspool,Ne02:,15,45"
"\x2018\3表3能3œ\3Œ\3\xb1\3能3\xb1\3 ?H?P? ?O?f?f?i?c?e?j?e?t? ?5?6?0?0? ?s?e?r?i?e?s? ?貼3能3十3 ?S?T?A?T?I?O?N?2?"="winspool,Ne03:,15,45"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe:*:Enabled:umi"
"C:\\Sierra\\Empire Earth\\Empire Earth.exe"="C:\\Sierra\\Empire Earth\\Empire Earth.exe:*:Disabled:Empire Earth"
"C:\\download\\todown\\Racer v0.5.3 beta 2.1\\racer\\racer.exe"="C:\\download\\todown\\Racer v0.5.3 beta 2.1\\racer\\racer.exe:*:Disabled:racer"
"C:\\download\\Games\\Racer v0.5.3 beta 2.1\\racer\\racer.exe"="C:\\download\\Games\\Racer v0.5.3 beta 2.1\\racer\\racer.exe:*:Disabled:racer"
"C:\\Program Files\\Call of Duty\\CoDMP.exe"="C:\\Program Files\\Call of Duty\\CoDMP.exe:*:Disabled:CoDMP"
"C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 8"
"C:\\Program Files\\Autodesk\\backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\backburner\\manager.exe"="C:\\Program Files\\Autodesk\\backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\backburner\\server.exe"="C:\\Program Files\\Autodesk\\backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\download\\todown\\utorrent\\utorrent.exe"="C:\\download\\todown\\utorrent\\utorrent.exe:*:Enabled:?Torrent"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"
"C:\\Program Files\\BearFlix\\bearflix.exe"="C:\\Program Files\\BearFlix\\bearflix.exe:*:Enabled:BearFlix"
"C:\\Program Files\\eMule\\eMule.exe"="C:\\Program Files\\eMule\\eMule.exe:*:Enabled:eMule Plus"
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\pes6.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\pes6.exe:*:Disabled:pes6.exe"
"C:\\WINDOWS\\system32\\dmremote.exe"="C:\\WINDOWS\\system32\\dmremote.exe:*:Enabled:dmremote.exe"
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"%windir%\\explorer.exe"="%windir%\\explorer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"="C:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe:*:Enabled:CrazyBump"
"C:\\download\\todown\\vdownloader 0.6\\VDownloader.exe"="C:\\download\\todown\\vdownloader 0.6\\VDownloader.exe:*:Enabled:VDownloader.exe"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 1 Jul 2002 218 A.SH. --- "C:\Program Files\StoneLoops! of Jurassica\coos_iver.sys"
Fri 18 Jan 2008 2,568 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Tue 3 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 23 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sat 21 Oct 2006 444 A..HR --- "C:\Documents and Settings\k\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

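As an added example (not code from the original post, from SDFix or from Spybot), here is a small Python triage helper for the two report sections above that a helper reads most closely: the firewall "Authorized Application Key Export" and the "Files with Hidden Attributes" list. The sample input is copied from the posted report; the review rules (enabled exceptions for executables outside Program Files or Windows, hidden+system executables outside the Windows directory) are my assumptions about what deserves a second look, not a verdict on any file.

```python
"""Triage helpers for the SDFix-style report sections posted in this thread.

Added example; the review rules below are assumptions about what a helper
would want to look at again, not a statement that any listed file is malware.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the posted report.
FIREWALL_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\download\\todown\\Racer v0.5.3 beta 2.1\\racer\\racer.exe"="C:\\download\\todown\\Racer v0.5.3 beta 2.1\\racer\\racer.exe:*:Disabled:racer"
"C:\\download\\todown\\utorrent\\utorrent.exe"="C:\\download\\todown\\utorrent\\utorrent.exe:*:Enabled:?Torrent"
"C:\\WINDOWS\\system32\\dmremote.exe"="C:\\WINDOWS\\system32\\dmremote.exe:*:Enabled:dmremote.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
'''

HIDDEN_FILES = r'''
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 1 Jul 2002 218 A.SH. --- "C:\Program Files\StoneLoops! of Jurassica\coos_iver.sys"
Fri 18 Jan 2008 2,568 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 21 Oct 2006 444 A..HR --- "C:\Documents and Settings\k\Application Data\SecuROM\UserData\securom_v7_01.bak"
'''

# .reg export line: "key"="value"; the value is path:scope:status:display-name.
_FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
_FW_VALUE = re.compile(
    r'^(?P<path>.+):(?P<scope>[^:]*):(?P<status>[Ee]nabled|[Dd]isabled):(?P<name>.*)$')
# SDFix listing line: weekday day month year size attrs --- "path"
_HIDDEN_LINE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>.+)"$')


@dataclass
class FirewallException:
    path: str      # executable path with the .reg double backslashes unescaped
    scope: str     # '*' means any remote address
    enabled: bool
    name: str


@dataclass
class HiddenFile:
    date: str
    size: int
    attrs: str     # SDFix flags, e.g. A.SH. = archive, system, hidden
    path: str


def parse_firewall_exceptions(text: str) -> List[FirewallException]:
    entries = []
    for line in text.splitlines():
        m = _FW_LINE.match(line.strip())
        if not m:
            continue  # section header or blank line
        v = _FW_VALUE.match(m.group('value'))
        if not v:
            continue
        entries.append(FirewallException(
            path=v.group('path').replace('\\\\', '\\'),
            scope=v.group('scope'),
            enabled=v.group('status').lower() == 'enabled',
            name=v.group('name')))
    return entries


def parse_hidden_files(text: str) -> List[HiddenFile]:
    files = []
    for line in text.splitlines():
        m = _HIDDEN_LINE.match(line.strip())
        if m:
            files.append(HiddenFile(m.group('date'), int(m.group('size').replace(',', '')),
                                    m.group('attrs'), m.group('path')))
    return files


# Assumption: an enabled exception under these prefixes is unremarkable.
TRUSTED_PREFIXES = ('%windir%\\', 'c:\\windows\\', 'c:\\program files\\')
EXECUTABLE_EXT = ('.exe', '.dll', '.sys')


def review_firewall(entries: List[FirewallException]) -> List[str]:
    """Enabled exceptions for executables outside the usual install locations."""
    return [e.path for e in entries
            if e.enabled and not e.path.lower().startswith(TRUSTED_PREFIXES)]


def review_hidden(files: List[HiddenFile]) -> List[str]:
    """Hidden+system executables outside the Windows directory."""
    return [f.path for f in files
            if 'S' in f.attrs and 'H' in f.attrs
            and f.path.lower().endswith(EXECUTABLE_EXT)
            and not f.path.lower().startswith('c:\\windows\\')]


if __name__ == '__main__':
    for p in review_firewall(parse_firewall_exceptions(FIREWALL_EXPORT)):
        print('firewall exception to review:', p)
    for p in review_hidden(parse_hidden_files(HIDDEN_FILES)):
        print('hidden file to review:', p)
```

On the sample above the firewall rule singles out the uTorrent exception under C:\download, and the hidden-file rule lists Spybot's own SDUpdate.exe alongside the game folder's coos_iver.sys: legitimate software sets these attributes too, which is why the output is a review list for a human, not a detection.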
shelf life
2008-05-13, 23:29
hi,

OK, good. Clean out your temps.

Click Start > Run, then type %temp%

Hit OK. Delete all the files you can.
Click Start > Run, then type %windir%\temp
Hit OK. Delete all the files you can.

Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done, check these 3 and press *OK* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Repeat the online scan, post the result, and post one more HJT log please.

shelf life