VirtuMonde infection? (revisited)



epoclaen
2008-12-30, 07:16
I had posted here (http://forums.spybot.info/showthread.php?p=239063&mode=linear#post239063) about problems I was having which might be related to a VirtuMonde infection.

Thanks to the holidays and the infection, I was unable both to read the response and to follow the given instructions before the thread was archived.

Here are the requested logs nonetheless.

ComboFix 08-12-29.01 - Jeff two 2008-12-29 20:03:58.1 - NTFSx86
Running from: c:\documents and settings\Jeff two\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-28 20:02 . 2008-12-28 20:35 <DIR> d-------- c:\program files\Softwin
2008-12-28 14:51 . 2005-09-18 02:32 5,376 --a------ c:\windows2\system32\antiwpa.dll_12E1DC
2008-12-28 13:03 . 2005-01-13 22:41 11,254 --a------ c:\windows2\system32\locate.com
2008-12-28 12:22 . 2008-12-28 13:41 63,369 --a------ C:\MGlogs.zip
2008-12-28 12:21 . 2008-12-28 13:41 <DIR> d-------- C:\MGtools
2008-12-28 06:37 . 2008-12-03 19:54 15,504 --a------ c:\windows2\system32\drivers\mbam.sys
2008-12-28 06:33 . 2008-12-03 19:54 38,496 --a------ c:\windows2\system32\drivers\mbamswissarmy.sys
2008-12-28 06:09 . 2008-12-28 06:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 01:11 . 2008-12-27 00:42 73,728 --a------ c:\windows2\system32\javacpl.cpl
2008-12-26 23:56 . 2008-12-26 23:56 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\SUPERAntiSpyware.com
2008-12-26 23:47 . 2008-12-26 23:52 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-26 23:47 . 2008-12-26 23:47 <DIR> d-------- c:\documents and settings\Jeff two\Application Data\SUPERAntiSpyware.com
2008-12-26 23:23 . 2008-12-26 23:23 1,313,125 --a------ C:\MGtools.exe
2008-12-24 01:46 . 2008-12-24 01:26 102,664 --a------ c:\windows2\system32\drivers\tmcomm.sys
2008-12-24 01:25 . 2008-12-24 01:47 <DIR> d-------- c:\documents and settings\Jeff two\.housecall6.6
2008-12-23 20:11 . 2008-12-23 20:11 <DIR> d-------- c:\documents and settings\Jeff two\Application Data\KRKsoft
2008-12-23 12:10 . 2008-12-23 12:10 8,628 --ah----- c:\windows2\system32\cmmgr32.GID
2008-12-14 23:18 . 2008-12-14 23:19 <DIR> d-------- c:\documents and settings\Jeff two\Application Data\codeblocks
2008-12-14 01:59 . 2006-08-01 15:02 49,152 --a------ c:\windows2\system32\ChCfg.exe
2008-12-14 01:58 . 2006-07-31 11:19 315,392 --a------ c:\windows2\alcupd.exe
2008-12-11 16:55 . 2008-12-11 16:55 <DIR> d-------- c:\program files\TagScanner
2008-12-03 21:16 . 2008-12-27 00:41 410,984 --a------ c:\windows2\system32\deploytk.dll
2008-11-30 17:35 . 2008-11-30 17:35 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\Sony
2008-11-19 23:49 . 2008-11-19 23:49 <DIR> d-------- c:\documents and settings\Jeff two\Application Data\Right Hemisphere
2008-11-19 23:49 . 2008-11-19 23:49 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\Right Hemisphere
2008-11-19 18:57 . 2008-11-19 18:57 <DIR> d-------- c:\documents and settings\Jeff two\Application Data\Malwarebytes
2008-11-19 18:57 . 2008-11-19 18:57 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\Malwarebytes
2008-11-18 21:01 . 2006-06-02 16:40 438,976 --a------ c:\windows2\system32\MSHFLXGD.OCX
2008-11-18 21:01 . 2000-05-22 00:00 203,976 --a------ c:\windows2\system32\Richtx32.ocx
2008-11-18 21:01 . 2006-01-23 10:09 131,072 --a------ c:\windows2\system32\mtrcom32.dll
2008-11-18 21:01 . 1998-06-18 00:00 89,360 --a------ c:\windows2\system32\VB5DB.DLL
2008-11-18 21:01 . 1998-06-24 00:00 67,376 --a------ c:\windows2\system32\Sysinfo.ocx
2008-11-18 21:01 . 1998-10-19 12:34 37,062 --a------ c:\windows2\system32\odbcinst.hlp
2008-11-18 21:01 . 1998-10-19 12:34 324 --a------ c:\windows2\system32\odbcinst.cnt
2008-11-15 19:48 . 2008-11-15 19:48 4 --a------ c:\windows2\system32\ulfconfig0103.ulf
2008-11-13 13:31 . 2008-11-13 13:31 <DIR> d-------- c:\documents and settings\Jeff two\Application Data\Dimdim
2008-11-13 13:30 . 2008-11-13 13:30 <DIR> d-------- c:\program files\Dimdim
2008-11-13 12:29 . 2008-11-13 12:29 <DIR> d-------- c:\program files\Core AAC Decoder
2008-11-10 15:36 . 2008-12-29 19:23 <DIR> d-------- c:\program files\Everything
2008-11-06 00:46 . 2008-11-06 00:46 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-06 00:46 . 2008-11-06 00:46 <DIR> d-------- C:\44d32a99ec178b22225470bd58
2008-11-06 00:46 . 2004-08-03 17:56 221,184 --a------ c:\windows2\system32\wmpns.dll
2008-11-06 00:45 . 2008-11-06 00:45 <DIR> d-------- c:\windows2\system32\LogFiles
2008-11-06 00:45 . 2008-11-06 00:45 <DIR> d-------- c:\windows2\system32\drivers\UMDF
2008-11-05 22:35 . 2008-11-05 22:35 <DIR> d-------- c:\program files\SOCK Software
2008-11-02 20:29 . 2008-11-02 20:38 <DIR> d-------- c:\documents and settings\All Users.WINDOWS2\Application Data\Fashion Solitaire 1.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 03:03 --------- d-----w c:\program files\Zoom Player
2008-12-28 00:52 --------- d-----w c:\documents and settings\All Users.WINDOWS2\Application Data\Spybot - Search & Destroy
2008-12-28 00:18 --------- d-----w c:\documents and settings\Jeff two\Application Data\OpenOffice.org2
2008-12-27 04:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-27 03:10 --------- d-----w c:\program files\Trillian
2008-12-27 02:23 --------- d-----w c:\program files\PeerGuardian2
2008-12-27 02:19 --------- d-----w c:\program files\Java
2008-12-23 23:57 --------- d-----w c:\program files\NetMeter
2008-12-23 22:03 --------- d-----w c:\documents and settings\All Users.WINDOWS2\Application Data\FLEXnet
2008-12-23 16:25 --------- d-----w c:\program files\CCleaner
2008-12-23 04:13 --------- d-----w c:\documents and settings\Jeff two\Application Data\Azureus
2008-12-23 03:51 --------- d-----w c:\program files\Azureus
2008-12-20 05:13 --------- d-----w c:\documents and settings\Jeff two\Application Data\Corel
2008-12-19 17:43 2,516 --sha-w c:\windows2\system32\KGyGaAvL.sys
2008-12-19 05:02 --------- d-----w c:\documents and settings\Jeff two\Application Data\Move Networks
2008-12-16 21:38 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-12-14 06:58 --------- d-----w c:\program files\Realtek AC97
2008-12-06 00:33 --------- d---a-w c:\documents and settings\All Users.WINDOWS2\Application Data\TEMP
2008-12-05 02:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 06:25 --------- d-----w c:\documents and settings\Jeff two\Application Data\Sony
2008-11-30 22:35 --------- d-----w c:\program files\Sony
2008-11-30 22:34 --------- d-----w c:\program files\Sony Setup
2008-11-19 02:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-13 18:18 --------- d-----w c:\program files\QuickTime Alternative
2008-11-13 17:28 --------- d-----w c:\program files\OpenSource MPEG Splitter
2008-11-13 17:01 --------- d-----w c:\program files\DivX
2008-11-01 17:34 --------- d-----w c:\documents and settings\Jeff two\Application Data\DivX
2008-10-30 23:50 --------- d-----w c:\program files\Vstplugins
2008-10-28 22:36 823,296 ----a-w c:\windows2\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows2\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows2\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows2\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows2\system32\DivX.dll
2008-10-16 19:13 202,776 ----a-w c:\windows2\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows2\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows2\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows2\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows2\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows2\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows2\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows2\system32\wups.dll
2008-09-29 14:14 28,672 ----a-w c:\windows2\system32\Partizan.exe
2008-09-25 08:03 81,920 ----a-w c:\windows2\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows2\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows2\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows2\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows2\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows2\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows2\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows2\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows2\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows2\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows2\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows2\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows2\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows2\system32\DivXWMPExtType.dll
2007-02-28 02:13 30,601 ----a-w c:\documents and settings\User\x.exe
2006-03-23 21:32 73,728 ----a-w c:\documents and settings\User\SetupNI.dll
2006-03-21 03:00 7 ----a-w c:\documents and settings\User\Application Data\bin.dll
2006-01-04 01:08 32 ----a-w c:\documents and settings\User\Application Data\pexmodes.dat
2004-10-18 03:36 2,146,304 ----a-w c:\program files\PowerInternetTV 3.bak
2006-10-31 17:24 57,344 ----a-w c:\program files\mozilla firefox\plugins\NCScnet.dll
2006-10-31 17:32 1,298,432 ----a-w c:\program files\mozilla firefox\plugins\NCSEcw.dll
2006-10-31 17:24 147,456 ----a-w c:\program files\mozilla firefox\plugins\NCSUtil.dll
2008-08-06 19:33 88 --sh--r c:\windows2\system32\B51130D402.sys
2006-05-03 09:06 163,328 --sha-r c:\windows2\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r c:\windows2\system32\msfDX.dll
2008-03-16 12:30 216,064 --sha-r c:\windows2\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows2\system32\ctfmon.exe" [2004-08-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows2\system32\NvCpl.dll" [2008-05-16 13529088]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Everything"="c:\program files\Everything\Everything.exe" [2008-09-28 459776]
"NvMediaCenter"="c:\windows2\system32\NvMcTray.dll" [2008-05-16 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows2\Logi_MwX.Exe]
"nwiz"="nwiz.exe" [2007-04-19 c:\windows2\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows2\soundman.exe]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk.disabled [2008-06-27 881]
SGETASK.EXE [1999-04-04 58368]

c:\documents and settings\Jeff two\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk.disabled [2008-06-27 881]
SGETASK.EXE [1999-04-04 58368]
Trillian.lnk.disabled [2007-11-01 701]
Uedit32.lnk.disabled [2007-05-22 927]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe"
"prunnet"="c:\docume~1\JEFFTW~1\LOCALS~1\Temp\prun.exe"
"PeerGuardian"=c:\program files\PeerGuardian2\pg2.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\DCPFLICS\\DCPFLICS_tools.exe"=
"c:\\Program Files\\IDM Computer Solutions\\UltraEdit-32\\uedit32.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\WINDOWS2\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows2\system32\DRIVERS\agpkx.sys [2006-01-18 45056]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-22 55024]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;"c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe" [2008-03-09 65536]
R3 dfmirage;dfmirage;c:\windows2\system32\DRIVERS\dfmirage.sys [2005-11-27 31896]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows2\system32\DRIVERS\ULILAN51.SYS [2007-06-27 28672]
S3 Partizan;Partizan;c:\windows2\system32\drivers\Partizan.sys [2008-09-29 30946]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 W2kbhid;KBGear Tablet (USB);c:\windows2\system32\DRIVERS\W2kbhid.sys [2006-09-07 23552]
S3 Wtcls2k;Wtcls2k;c:\windows2\system32\DRIVERS\Wtcls2k.sys [2006-09-07 13824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b5db91f-5c5b-11dd-9069-98afd8e69f47}]
\Shell\AutoRun\command - c:\windows2\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 20:26:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows2\system32\antiwpa.dll
.
Completion time: 2008-12-29 21:18:13
ComboFix-quarantined-files.txt 2008-12-30 02:17:39
ComboFix2.txt 2008-12-28 17:01:17

Pre-Run: 24,981,745,664 bytes free
Post-Run: 24,973,524,992 bytes free

231

===================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:16 PM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS2\system32\Wintab32.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS2\system32\nvsvc32.exe
C:\WINDOWS2\system32\PSIService.exe
C:\WINDOWS2\system32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS2\system32\wscntfy.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\WINDOWS2\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS2\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS2\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS2\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.4.lnk.disabled
O4 - Startup: SGETASK.EXE
O4 - Startup: Trillian.lnk.disabled
O4 - Startup: Uedit32.lnk.disabled
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\PROGRA~1\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS2\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS2\system32\PSIService.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS2\system32\Wintab32.exe

--
End of file - 7829 bytes