Virtumonde Removal



And Why
2008-06-07, 04:44
Arrgh,

I'm sure seeing a lot of people having difficulties with this pesky Virtumonde issue. It's a wacky one for sure. I will clean my system in safe mode, and then do a scan on system restart, and bang! biff! pow! I feel like a bad guy in a 1960s Batman serial getting slapped silly.

Anywho, I have attached a HijackThis log. I am thanking you profusely in advance for any and all expert advice on how to once and for all remove this annoyance.

Please let me know if i need to provide any more info.
thx

Edit:
Copy-pasted the log into the topic as per "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) ;)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:25 PM, on 6/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\And-Y\Desktop\New Folder\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {548bfe65-cd47-a62b-0314-ec72b0c39137} - {73193c0b-27ce-4130-b26a-74dc56efb845} - C:\WINDOWS\system32\tkqsmgma.dll
O2 - BHO: (no name) - {D66E33A5-D383-41DF-82C8-9E5650185CE4} - C:\WINDOWS\system32\urqQjjkH.dll (file missing)
O2 - BHO: (no name) - {DDCB4272-2905-455D-9FC4-57C8707EE017} - C:\WINDOWS\system32\ddcCSkJD.dll (file missing)
O2 - BHO: (no name) - {F53BAFE5-CE7A-4E95-95AC-A3912EFD3739} - C:\WINDOWS\system32\byXQKbyX.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [2c18f635] rundll32.exe "C:\WINDOWS\system32\scqmlclx.dll",b
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [BM2f2bc5a9] Rundll32.exe "C:\WINDOWS\system32\duaitpal.dll",s
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212368716109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF24EDAA-5EE7-4DC9-8EA5-32AFF2739470}: NameServer = 64.59.184.13,64.59.184.15
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: byXQKbyX - C:\WINDOWS\SYSTEM32\byXQKbyX.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 7767 bytes
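
Added example, not from this thread nor from HijackThis or ComboFix: a small Python triage script that scores the Virtumonde-style entries in the log above (nameless or CLSID-named O2 BHOs, O4 Run values that launch rundll32 with a single-letter export, an O20 Winlogon Notify handler sharing a DLL with a BHO) and then lists which of them are still referenced in a second, post-cleanup log. The scoring weights and the "8-letter DLL in system32" name heuristic are assumptions of the example; the sample lines are copied from the logs in this thread.

```python
import re
from typing import Dict, List, Set

# Constructed sample: lines copied from the HijackThis log posted above, plus
# benign entries (Spybot's SDHelper, the Intel graphics tray, Outpost's AppInit
# hook) that the heuristics must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {548bfe65-cd47-a62b-0314-ec72b0c39137} - {73193c0b-27ce-4130-b26a-74dc56efb845} - C:\WINDOWS\system32\tkqsmgma.dll
O2 - BHO: (no name) - {D66E33A5-D383-41DF-82C8-9E5650185CE4} - C:\WINDOWS\system32\urqQjjkH.dll (file missing)
O2 - BHO: (no name) - {F53BAFE5-CE7A-4E95-95AC-A3912EFD3739} - C:\WINDOWS\system32\byXQKbyX.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [2c18f635] rundll32.exe "C:\WINDOWS\system32\scqmlclx.dll",b
O4 - HKLM\..\Run: [BM2f2bc5a9] Rundll32.exe "C:\WINDOWS\system32\duaitpal.dll",s
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: byXQKbyX - C:\WINDOWS\SYSTEM32\byXQKbyX.dll
"""

# Constructed sample of a second, post-cleanup log: the files are gone, but
# several registrations survive as "(file missing)" or untouched Run values.
SAMPLE_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {548bfe65-cd47-a62b-0314-ec72b0c39137} - {73193c0b-27ce-4130-b26a-74dc56efb845} - C:\WINDOWS\system32\tkqsmgma.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [2c18f635] rundll32.exe "C:\WINDOWS\system32\scqmlclx.dll",b
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\duaitpal.dll",s
O20 - Winlogon Notify: byXQKbyX - byXQKbyX.dll (file missing)
"""

GUID_RE = re.compile(r'^\{[0-9a-fA-F-]{36}\}$')
DLL_RE = re.compile(r'([A-Za-z0-9_~-]+)\.dll', re.IGNORECASE)
# "rundll32 <dll>,<one letter>": the loader shape of the suspicious O4 lines above
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*[A-Za-z]\b', re.IGNORECASE)
VALUE_NAME_RE = re.compile(r'^\[([^\]]+)\]')
HEX_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$', re.IGNORECASE)


def dll_basename(text: str) -> str:
    """Lower-cased basename (without .dll) of the first DLL named in text, or ''."""
    m = DLL_RE.search(text)
    return m.group(1).lower() if m else ''


def looks_random(text: str) -> bool:
    """Weak heuristic, an assumption of this example: an 8-letter DLL sitting
    directly in system32. 8-letter DLLs elsewhere (SDHelper.dll) are not hit."""
    m = DLL_RE.search(text)
    if not m or '\\system32\\' not in text.lower():
        return False
    return re.fullmatch(r'[A-Za-z]{8}', m.group(1)) is not None


def score_entry(line: str, bho_dlls: Set[str]) -> Dict:
    """Score one HijackThis line. Weights are this example's choice, not HJT's."""
    reasons: List[str] = []
    score = 0

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if line.startswith('O2 - BHO: '):
        name = line[len('O2 - BHO: '):].split(' - ')[0].strip()
        if name == '(no name)':
            hit(1, 'BHO registered without a name')
        elif GUID_RE.match(name):
            hit(1, 'BHO name is a bare CLSID')
        if '(file missing)' in line:
            hit(1, 'dangling registration: DLL missing from disk')
        if looks_random(line):
            hit(2, 'random-looking 8-letter DLL in system32')
    elif line.startswith('O4 - '):
        body = line.split(': ', 1)[-1]
        m = VALUE_NAME_RE.match(body)
        if m and HEX_NAME_RE.match(m.group(1)):
            hit(1, 'Run value name is a hex string')
        if RUNDLL_RE.search(body):
            hit(2, 'rundll32 loads a DLL via a single-letter export')
        if looks_random(body):
            hit(2, 'random-looking 8-letter DLL in system32')
    elif line.startswith('O20 - Winlogon Notify: '):
        if looks_random(line):
            hit(2, 'random-looking 8-letter DLL in system32')
        if dll_basename(line) in bho_dlls:
            hit(2, 'same DLL is also registered as a BHO')
    return {'line': line, 'score': score, 'reasons': reasons}


def triage(log_text: str, threshold: int = 2) -> List[Dict]:
    """Entries scoring at or above threshold, in log order."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    bho_dlls = {dll_basename(l) for l in lines if l.startswith('O2 - BHO: ')} - {''}
    return [r for r in (score_entry(l, bho_dlls) for l in lines) if r['score'] >= threshold]


def still_present(before: str, after: str) -> List[str]:
    """Flagged entries from the first log whose DLL is still referenced in the second."""
    after_dlls = {dll_basename(l) for l in after.splitlines()} - {''}
    return [r['line'] for r in triage(before) if dll_basename(r['line']) in after_dlls]


if __name__ == '__main__':
    for r in triage(SAMPLE_LOG):
        print(f"[{r['score']}] {r['line']}")
        for why in r['reasons']:
            print(f"      - {why}")
    print('\nStill referenced after cleanup:')
    for entry in still_present(SAMPLE_LOG, SAMPLE_AFTER):
        print('  ' + entry)
```

Registrations that survive the file deletion (the "(file missing)" lines and the untouched Run values) are what the helper's follow-up fixes target, so the second function is the one to re-run after each cleanup pass.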

Shaba
2008-06-08, 11:11
Hi And Why

1. Download ComboFix from any of these links and save it to your Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with ComboFix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

And Why
2008-06-08, 20:56
Here are the log files you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:41 PM, on 6/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\CF22161.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\And-Y\Desktop\New Folder\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {548bfe65-cd47-a62b-0314-ec72b0c39137} - {73193c0b-27ce-4130-b26a-74dc56efb845} - C:\WINDOWS\system32\tkqsmgma.dll (file missing)
O2 - BHO: (no name) - {D66E33A5-D383-41DF-82C8-9E5650185CE4} - C:\WINDOWS\system32\urqQjjkH.dll (file missing)
O2 - BHO: (no name) - {DDCB4272-2905-455D-9FC4-57C8707EE017} - C:\WINDOWS\system32\ddcCSkJD.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [2c18f635] rundll32.exe "C:\WINDOWS\system32\scqmlclx.dll",b
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\duaitpal.dll",s
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF22161.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212368716109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF24EDAA-5EE7-4DC9-8EA5-32AFF2739470}: NameServer = 64.59.184.13,64.59.184.15
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: byXQKbyX - byXQKbyX.dll (file missing)
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

--
End of file - 7801 bytes


ComboFix 08-06-07.3 - And-Y 2008-06-08 12:39:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1357 [GMT -6:00]
Running from: C:\Documents and Settings\And-Y\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM2f2bc5a9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXQKbyX.dll
C:\WINDOWS\system32\DJkSCcdd.ini
C:\WINDOWS\system32\DJkSCcdd.ini2
C:\WINDOWS\system32\duaitpal.dll
C:\WINDOWS\system32\eqiixowv.dll
C:\WINDOWS\system32\HkjjQqru.ini
C:\WINDOWS\system32\HkjjQqru.ini2
C:\WINDOWS\system32\kvwombrr.dll
C:\WINDOWS\system32\lnyecnfk.dll
C:\WINDOWS\system32\rrbmowvk.ini
C:\WINDOWS\system32\scqmlclx.dll
C:\WINDOWS\system32\tkqsmgma.dll
C:\WINDOWS\system32\VyGNmUtv.ini
C:\WINDOWS\system32\VyGNmUtv.ini2
C:\WINDOWS\system32\xlclmqcs.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-07 19:37 . 2008-06-07 19:37 <DIR> d-------- C:\Documents and Settings\And-Y\Application Data\vlc
2008-06-06 20:34 . 2008-06-06 20:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 20:34 . 2008-06-06 20:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-06 14:23 . 2008-06-06 14:23 <DIR> d-------- C:\Documents and Settings\And-Y\Application Data\Agnitum
2008-06-06 14:02 . 2008-06-07 01:00 <DIR> d-------- C:\WINDOWS\system32\Filt
2008-06-06 14:02 . 2008-06-06 14:02 <DIR> d-------- C:\Program Files\Agnitum
2008-06-06 14:02 . 2008-06-06 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Agnitum
2008-06-06 14:02 . 2007-10-17 11:59 434,336 --a------ C:\WINDOWS\system32\drivers\SandBox.sys
2008-06-06 14:02 . 2007-10-16 16:17 197,264 --a------ C:\WINDOWS\system32\drivers\afw.sys
2008-06-06 14:02 . 2007-10-22 16:49 49 --a------ C:\WINDOWS\transp.gif
2008-06-03 00:52 . 2008-06-03 00:52 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-02 21:16 . 2008-06-06 19:02 614 --a------ C:\WINDOWS\wininit.ini
2008-06-02 20:12 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-02 20:12 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-06-02 20:10 . 2008-06-02 20:10 <DIR> d-------- C:\Program Files\ESET
2008-06-02 20:10 . 2008-06-02 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-06-02 20:09 . 2008-06-06 20:50 <DIR> d-------- C:\Documents and Settings\And-Y\Contacts
2008-06-02 19:46 . 2008-06-02 19:46 268 --ah----- C:\sqmdata03.sqm
2008-06-02 19:46 . 2008-06-02 19:46 244 --ah----- C:\sqmnoopt03.sqm
2008-06-01 23:13 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-01 23:13 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-01 23:13 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-01 20:05 . 2008-06-06 16:46 <DIR> d-------- C:\Program Files\Real Alternative
2008-06-01 20:05 . 2008-06-01 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-01 20:05 . 2008-03-28 21:07 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-06-01 20:05 . 2008-03-28 21:07 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-06-01 20:04 . 2008-06-06 16:46 <DIR> d-------- C:\Program Files\QuickTime Alternative
2008-06-01 20:00 . 2008-06-01 20:00 <DIR> d-------- C:\Program Files\VideoLAN
2008-06-01 19:59 . 2008-06-01 20:00 <DIR> d-------- C:\Program Files\Winamp
2008-06-01 19:59 . 2008-06-01 20:03 <DIR> d-------- C:\Documents and Settings\And-Y\Application Data\Winamp
2008-06-01 19:43 . 2008-06-01 19:43 268 --ah----- C:\sqmdata02.sqm
2008-06-01 19:43 . 2008-06-01 19:43 244 --ah----- C:\sqmnoopt02.sqm
2008-06-01 19:29 . 2008-06-01 19:29 268 --ah----- C:\sqmdata01.sqm
2008-06-01 19:29 . 2008-06-01 19:29 244 --ah----- C:\sqmnoopt01.sqm
2008-06-01 19:23 . 2008-06-01 19:23 268 --ah----- C:\sqmdata00.sqm
2008-06-01 19:23 . 2008-06-01 19:23 244 --ah----- C:\sqmnoopt00.sqm
2008-06-01 19:18 . 2008-06-01 19:18 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-01 19:17 . 2008-06-01 19:17 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-01 19:17 . 2008-06-01 19:18 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-01 19:14 . 2008-06-01 19:14 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-06-01 19:07 . 2008-06-01 19:28 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-06-01 19:07 . 2008-06-02 19:11 <DIR> d-------- C:\Program Files\Windows Live
2008-06-01 19:07 . 2008-06-02 19:10 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-01 19:07 . 2008-06-01 19:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-01 19:07 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-01 19:07 . 2008-06-01 19:28 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-06-01 19:06 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-06-01 19:06 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-06-01 19:06 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-06-01 19:06 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-01 19:06 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-06-01 19:05 . 2008-06-01 19:05 <DIR> d--hs---- C:\Documents and Settings\And-Y\UserData
2008-06-01 18:47 . 2008-06-01 18:47 <DIR> d-------- C:\Perfect World
2008-06-01 18:47 . 2008-03-20 13:19 258,352 -ra------ C:\WINDOWS\system32\unicows.dll
2008-06-01 18:19 . 2008-06-01 18:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-01 18:10 . 2008-06-01 18:10 <DIR> d-------- C:\Program Files\D-Link
2008-06-01 18:10 . 2008-06-01 18:10 <DIR> d-------- C:\Program Files\ANI
2008-06-01 17:56 . 2008-06-01 17:56 <DIR> d-------- C:\Program Files\Pinnacle
2008-06-01 17:56 . 2004-07-12 16:27 487,936 --a------ C:\WINDOWS\system\Rmbe3260.dll
2008-06-01 17:56 . 2004-07-12 16:27 352,768 --a------ C:\WINDOWS\system\pngu3263.dll
2008-06-01 17:56 . 2004-07-12 16:27 273,408 --a------ C:\WINDOWS\system\Pncrt.dll
2008-06-01 17:56 . 2004-07-12 16:27 131,072 --a------ C:\WINDOWS\system\Pneng50.dll
2008-06-01 17:56 . 2004-07-12 16:27 130,560 --a------ C:\WINDOWS\system\Pnc3250.dll
2008-06-01 17:56 . 2004-07-12 16:27 87,040 --a------ C:\WINDOWS\system\Ra32sipr.dll
2008-06-01 17:56 . 2004-07-12 16:27 85,504 --a------ C:\WINDOWS\system\Encdnet.dll
2008-06-01 17:56 . 2004-07-12 16:27 81,920 --a------ C:\WINDOWS\system\Ra3214_4.dll
2008-06-01 17:56 . 2004-07-12 16:27 72,704 --a------ C:\WINDOWS\system\Ra3228_8.dll
2008-06-01 17:56 . 2004-07-12 16:27 61,952 --a------ C:\WINDOWS\system\Decdnet.dll
2008-06-01 17:56 . 2004-07-12 16:27 21,504 --a------ C:\WINDOWS\system\Ra32dnet.dll
2008-06-01 17:55 . 2008-06-01 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-01 17:54 . 2008-06-01 18:00 <DIR> d-------- C:\Program Files\Syncrosoft
2008-06-01 17:54 . 2005-07-05 18:25 700,416 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2008-06-01 17:54 . 2004-05-10 15:58 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2008-06-01 17:54 . 2003-07-31 20:28 147,425 --a------ C:\WINDOWS\system32\SYNSOACC-Aide.chm
2008-06-01 17:54 . 2003-05-26 15:29 120,468 --a------ C:\WINDOWS\system32\SYNSOACC-Hilfe.chm
2008-06-01 17:54 . 2003-05-26 15:29 114,279 --a------ C:\WINDOWS\system32\SYNSOACC-Help.chm
2008-06-01 17:54 . 2002-11-25 08:36 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2008-06-01 17:54 . 2001-04-09 05:03 17,784 --a------ C:\WINDOWS\system32\drivers\NSynas32.sys
2008-06-01 17:54 . 2002-11-25 05:46 16,896 --a------ C:\WINDOWS\system32\drivers\SynasUSB.sys
2008-06-01 17:44 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-01 17:42 . 2008-06-01 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-01 17:41 . 2008-06-01 17:41 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 17:38 . 2008-06-01 17:46 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-01 17:36 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-06-01 17:36 . 2008-06-01 17:36 376 --a------ C:\WINDOWS\ODBC.INI
2008-06-01 17:35 . 2008-06-01 17:36 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-01 17:35 . 2008-06-01 17:35 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-01 17:21 . 2008-06-01 17:21 <DIR> d-------- C:\Documents and Settings\And-Y\Application Data\Propellerhead Software
2008-06-01 17:21 . 2008-06-01 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-06-01 17:21 . 2008-06-01 17:21 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-06-01 17:21 . 2008-06-01 17:21 225,280 --a------ C:\WINDOWS\system32\ReWire.dll
2008-06-01 17:20 . 2008-06-01 17:20 <DIR> d-------- C:\Program Files\Propellerhead
2008-06-01 17:18 . 2008-06-01 17:53 <DIR> d-------- C:\Program Files\Native Instruments
2008-06-01 17:08 . 2008-06-01 17:08 4,932,148 --a------ C:\WINDOWS\{00000006-00000000-00000000-00001102-00000004-40011102}.CDF
2008-06-01 17:07 . 2008-06-08 12:42 1,164 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000006-00000000-00000000-00001102-00000004-40011102}.rfx
2008-06-01 17:07 . 2008-06-08 12:42 1,164 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000006-00000000-00000000-00001102-00000004-40011102}.rfx
2008-06-01 17:07 . 2008-06-08 12:42 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000006-00000000-00000000-00001102-00000004-40011102}.dat
2008-06-01 17:07 . 2008-06-08 12:42 384 --a------ C:\WINDOWS\system32\DVCState-{00000006-00000000-00000000-00001102-00000004-40011102}.dat
2008-06-01 17:07 . 2008-06-08 12:42 64 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000006-00000000-00000000-00001102-00000004-40011102}.rfx
2008-06-01 17:07 . 2008-06-08 12:42 64 --a------ C:\WINDOWS\system32\BMXState-{00000006-00000000-00000000-00001102-00000004-40011102}.rfx
2008-06-01 17:06 . 2000-05-22 02:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-06-01 17:06 . 1999-10-10 20:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-06-01 17:05 . 2008-06-01 17:56 <DIR> d-------- C:\Program Files\Steinberg
2008-06-01 17:05 . 2008-06-01 18:11 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-06-01 17:05 . 2008-06-01 17:06 <DIR> d-------- C:\Program Files\Creative Professional
2008-06-01 17:05 . 2008-06-01 17:05 <DIR> d-------- C:\Program Files\Creative
2008-06-01 17:05 . 2008-06-01 17:05 <DIR> d-------- C:\Documents and Settings\And-Y\Application Data\EmuPatchMixDSP
2008-06-01 17:04 . 2008-06-01 17:04 <DIR> d-------- C:\WINDOWS\system32\Data
2008-06-01 17:04 . 2008-06-01 17:04 <DIR> d-------- C:\Documents and Settings\And-Y\Application Data\Creative
2008-06-01 17:03 . 2008-06-01 18:09 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-06-01 16:48 . 2008-06-06 18:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 16:48 . 2008-06-06 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 16:46 . 2008-06-08 12:45 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-06-01 16:40 . 2002-07-17 11:20 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-06-01 16:40 . 2002-07-17 10:53 16,877 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-06-01 16:40 . 2002-07-17 18:22 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-06-01 16:40 . 2002-07-17 18:22 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-06-01 16:38 . 2004-03-09 00:00 1,081,616 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-01 16:33 . 2008-06-01 16:33 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-06-01 16:33 . 2005-04-25 10:43 159,616 --a------ C:\WINDOWS\system32\drivers\Vax347b.sys
2008-06-01 16:33 . 2004-04-30 09:33 5,248 --a------ C:\WINDOWS\system32\drivers\Vax347s.sys
2008-06-01 16:23 . 2008-06-01 16:23 <DIR> d-------- C:\Program Files\Common Files\postureAgent
2008-06-01 16:23 . 2007-06-27 22:18 912,152 -ra------ C:\WINDOWS\system32\mesoludlg.exe
2008-06-01 16:21 . 2007-06-27 22:19 254,872 -ra------ C:\WINDOWS\system32\drivers\e1e5132.sys
2008-06-01 16:21 . 2007-06-27 22:19 179,048 -ra------ C:\WINDOWS\system32\e1000msg.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 11:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 06:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73193c0b-27ce-4130-b26a-74dc56efb845}]
C:\WINDOWS\system32\tkqsmgma.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D66E33A5-D383-41DF-82C8-9E5650185CE4}]
C:\WINDOWS\system32\urqQjjkH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDCB4272-2905-455D-9FC4-57C8707EE017}]
C:\WINDOWS\system32\ddcCSkJD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"SetDefaultMIDI"="MIDIDef.exe" [2003-06-20 04:13 49152 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 21:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-27 22:22 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-27 22:21 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-27 22:21 138008]
"atchk"="C:\Program Files\Intel\AMT\atchk.exe" [2007-06-27 22:18 404248]
"CTHelper"="CTHELPER.EXE" [2004-02-02 20:30 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"@"="" []
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"2c18f635"="C:\WINDOWS\system32\scqmlclx.dll" [ ]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]
"BM2f2bc5a9"="C:\WINDOWS\system32\duaitpal.dll" [ ]
"combofix"="C:\WINDOWS\system32\CF22161.exe" [2008-04-13 21:42 389120]
"OutpostMonitor"="C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" [2007-10-22 16:49 936960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-06-01 17:41:48 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-06-01 17:46:18 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQKbyX]
byXQKbyX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\agnitum\outpos~1\wl_hook.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2005-11-30 10:35 49152 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Wireless G WUA-1340]
--a------ 2005-12-15 12:19 2715648 C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R1 SandBox;SandBox;C:\WINDOWS\system32\DRIVERS\SandBox.sys [2007-10-17 11:59]
R2 acssrv;Agnitum Client Security Service;C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe [2007-10-22 13:51]
R2 atchksrv;Intel(R) Active Management Technology System Status Service;C:\Program Files\Intel\AMT\atchksrv.exe [2007-06-27 22:18]
R2 LMS;Intel(R) Active Management Technology Local Management Service;C:\Program Files\Intel\AMT\LMS.exe [2007-06-27 22:18]
R2 UNS;Intel(R) Active Management Technology User Notification Service;C:\Program Files\Intel\AMT\UNS.exe [2007-06-27 22:18]
R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2007-10-16 16:17]
R3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys [2002-11-25 05:46]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 06:00]
S3 ASWFilt;ASWFilt;C:\WINDOWS\system32\Filt\ASWFilt.dll [2007-10-17 12:01]

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - PGFILTER
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-08 12:44:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...



scan completed successfully
hidden files: 38

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-06-08 12:48:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-08 18:48:11

Pre-Run: 46,883,090,432 bytes free
Post-Run: 46,828,167,168 bytes free

386 --- E O F --- 2008-06-03 02:17:57
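A defender-side triage helper, added here as an example and not part of the thread or of ComboFix: it parses a ComboFix "Reg Loading Points" section (sample constructed from the log above) and flags the patterns a helper looks for in a Vundo/Virtumonde log: BHO DLLs sitting loose in system32, Run values with random-looking names or no file metadata ("[ ]"), and any Winlogon Notify DLL that ComboFix did not filter out as a default. The rule names and the two name heuristics are my assumptions, not a vendor signature.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule key target")

# Constructed sample: a subset of the "Reg Loading Points" lines from the log above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73193c0b-27ce-4130-b26a-74dc56efb845}]
C:\WINDOWS\system32\tkqsmgma.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D66E33A5-D383-41DF-82C8-9E5650185CE4}]
C:\WINDOWS\system32\urqQjjkH.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"2c18f635"="C:\WINDOWS\system32\scqmlclx.dll" [ ]
"BM2f2bc5a9"="C:\WINDOWS\system32\duaitpal.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQKbyX]
byXQKbyX.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# Heuristics taken from the names in this log (assumptions, not a vendor signature):
# an 8-letter DLL stem with a lowercase letter right before an uppercase one (urqQjjkH),
# and Run value names that are a bare hex blob with at most a 2-letter prefix (BM2f2bc5a9).
MIXED_CASE_RE = re.compile(r"^(?=[A-Za-z]{8}\.dll$)(?=.*[a-z][A-Z])")
HEX_NAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8}$")
SYSTEM32 = "c:\\windows\\system32\\"


def triage(text):
    """Return Finding records for loading-point entries that deserve a closer look."""
    findings, key = [], ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := KEY_RE.match(line):          # a new registry key header
            key = m.group(1)
            continue
        low = key.lower()
        if "browser helper objects" in low:
            # Legitimate BHOs normally live under Program Files, not loose in system32.
            if line.lower().startswith(SYSTEM32):
                findings.append(Finding("bho-dll-in-system32", key, line))
            if MIXED_CASE_RE.match(line.rsplit("\\", 1)[-1]):
                findings.append(Finding("bho-random-name", key, line))
        elif "winlogon\\notify" in low:
            # ComboFix hides the default Notify entries, so any one it shows is worth review.
            findings.append(Finding("winlogon-notify-dll", key, line))
        elif low.endswith("\\run") and (m := RUN_RE.match(line)):
            name, path, meta = m.group("name", "path", "meta")
            if not meta.strip():             # "[ ]": ComboFix could not read the file's date/size
                findings.append(Finding("run-no-file-metadata", name, path))
            if HEX_NAME_RE.match(name):
                findings.append(Finding("run-random-value-name", name, path))
    return findings
```

Run against the sample, the five dropped DLLs come back flagged and the legitimate egui entry does not; on a real log, paste the whole "Reg Loading Points" block into triage().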

Shaba
2008-06-09, 16:11
Hi

I see that you are using an illegal copy of NOD32

2008-06-02 20:12 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-06-02 20:12 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 06:00]

So next step is to uninstall NOD32 and install a free AV from below:

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that, please post back a fresh HijackThis log :)

Shaba
2008-06-14, 11:24
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.