
Thread: Virtumonde

  1. #1
    Junior Member - Join Date: Feb 2008 - Posts: 14

    Virtumonde

    I'm having trouble removing this virus - Virtumonde.

    Symptoms:
    -Can't open My Computer
    -Missing .dll on startup
    -Internet Explorer opens its own tabs
    -Typing very slow and non-responsive (keylogger maybe?)

    Antivirus NOD32 hasn't been able to remove it; neither has Spybot, Ad-Aware, or the 'Symantec Adware.Virtumonde removal tool'.

    Here is the Hijackthis logfile.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 05:25:04 PM, on 2008/02/21
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Windows\WindowsMobile\wmdSync.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Users\Owner\Desktop\FxVMonde.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: run=
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Owner\AppData\Local\Temp\ddayw.dll,c
    O4 - HKCU\..\Run: [e4aa858c] rundll32.exe "C:\Users\Owner\AppData\Local\Temp\fmremkao.dll",b
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Owner\AppData\Local\Temp\jhqwiimh.dll",run
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O13 - Gopher Prefix:
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa...bs/tgctlsr.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://www.update.microsoft.com/micr...?1189425381671
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189425353953
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V020...5033/CTPID.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: SMC Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

    --
    End of file - 9242 bytes


    Any help would be much appreciated.

    -St.Jimmy
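As an added example (not part of the thread and not code from HijackThis or any other tool mentioned here), the script below parses HijackThis O4 lines like the ones in the log above and flags rundll32 autoruns that load a DLL from a user-writable Temp directory, which is the shape of the three HKCU entries in this log. The sample lines are copied from the posted log; the parser and the Temp-directory heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of O4 lines taken from the HijackThis log
# posted in the thread, mixing legitimate autoruns with the three Temp-folder
# rundll32 entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Owner\AppData\Local\Temp\ddayw.dll,c
O4 - HKCU\..\Run: [e4aa858c] rundll32.exe "C:\Users\Owner\AppData\Local\Temp\fmremkao.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Owner\AppData\Local\Temp\jhqwiimh.dll",run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""


@dataclass
class RunEntry:
    key: str                         # registry key as HijackThis prints it, e.g. HKCU\..\Run
    name: str                        # value name shown in brackets
    command: str                     # full command line
    dll: Optional[str] = None        # DLL handed to rundll32, if the command uses it
    entry_point: Optional[str] = None  # exported function name after the comma


# O4 line: "O4 - <key>: [<value name>] <command>" (Global Startup lines have no
# bracketed name and are deliberately not matched).
O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# rundll32 invocation: optional quotes/path around the binary, then the DLL
# (optionally quoted) and the entry point after a comma.
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?,(?P<entry>\S*)',
    re.IGNORECASE)

# Heuristic (assumption of this example): a DLL that is auto-started from a
# temp directory is not how legitimate software installs itself.
TEMP_DIRS = ('\\appdata\\local\\temp\\', '\\local settings\\temp\\', '\\windows\\temp\\')


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = RunEntry(m['key'], m['name'], m['cmd'])
    r = RUNDLL_RE.match(m['cmd'])
    if r:
        entry.dll = r['dll']
        entry.entry_point = r['entry']
    return entry


def is_temp_dll_autorun(e: RunEntry) -> bool:
    """True when the autorun loads a DLL via rundll32 from a Temp directory."""
    if not e.dll:
        return False
    p = e.dll.lower()
    return p.startswith('%temp%') or any(t in p for t in TEMP_DIRS)


def suspicious_o4(log_text: str) -> List[RunEntry]:
    """Return the O4 entries in a HijackThis log that match the heuristic."""
    found = []
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e and is_temp_dll_autorun(e):
            found.append(e)
    return found


if __name__ == "__main__":
    for e in suspicious_o4(SAMPLE_LOG):
        print(f"{e.key} [{e.name}] -> {e.dll} (entry point: {e.entry_point})")
```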

  2. #2
    Security Expert: Emeritus Blade81 - Join Date: Oct 2006 - Location: Finland - Posts: 25,288

    Hi

    Disable user account control (unless already disabled) by following method #4 instructions here

    1. Download this file - combofix.exe - to your desktop.
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member - Join Date: Feb 2008 - Posts: 14

    Thank you for the response.

    Whilst ComboFix was running I left my comp for 5 mins; when I returned everything was gone and just my wallpaper was being displayed, so I manually reset the tower.

    On startup ComboFix created a log - I'm uncertain if it completed though. I then ran HJT - find both logs below.

  4. #4
    Junior Member - Join Date: Feb 2008 - Posts: 14

    ComboFix 08-02-24.4 - Owner 2008-02-24 20:18:01.1 - NTFSx86
    Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.333 [GMT 2:00]
    Running from: C:\Users\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .


  5. #5
    Junior Member - Join Date: Feb 2008 - Posts: 14

    C:\Program Files\Winamp\Skins\Winamp Skins\_desktop.ini
    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
    C:\Users\Owner\AppData\Local\Temp\ddayw.dll
    C:\Users\Owner\AppData\Roaming\addon.dat
    C:\Users\Owner\AppData\Roaming\inst.exe

    ----- BITS: Possible infected sites -----

    hxxp://www.downlo
    .
    ((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
    .

    2008-02-21 18:52 . 2008-02-21 18:52 0 --ah----- C:\ntuser.dat.LOG2
    2008-02-21 18:52 . 2008-02-21 18:52 0 --ah----- C:\ntuser.dat.LOG1
    2008-02-21 18:52 . 2008-02-21 18:52 0 --a------ C:\ntuser.dat
    2008-02-21 17:24 . 2008-02-21 17:24 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-21 12:16 . 2008-02-21 12:17 186,199,970 --a------ C:\SYM_REGISTRY_BACKUP.reg
    2008-02-20 21:36 . 2008-02-20 21:37 <DIR> d-------- C:\Users\All Users\Lavasoft
    2008-02-20 21:36 . 2008-02-20 21:37 <DIR> d-------- C:\ProgramData\Lavasoft
    2008-02-20 21:36 . 2008-02-20 21:36 <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-20 18:04 . 2008-02-20 18:04 2,598 --a------ C:\Windows\wininit.ini
    2008-02-20 17:40 . 2008-02-20 18:07 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
    2008-02-20 17:40 . 2008-02-20 18:07 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
    2008-02-20 17:40 . 2008-02-20 17:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-17 18:26 . 2008-02-17 18:26 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-02-16 17:40 . 2008-02-22 19:34 <DIR> d-------- C:\Users\Owner\Tracing
    2008-02-16 17:34 . 2008-02-16 17:34 <DIR> d-------- C:\Program Files\Windows Live
    2008-02-16 12:36 . 2008-02-17 14:23 <DIR> d-------- C:\Users\Owner\Incomplete
    2008-02-16 12:29 . 2008-02-16 18:49 <DIR> d-------- C:\Users\Owner\AppData\Roaming\LimeWire
    2008-02-16 12:28 . 2008-02-16 14:02 <DIR> d-------- C:\Program Files\LimeWire
    2008-02-16 11:28 . 2008-02-16 11:28 <DIR> d-------- C:\Program Files\FDRLab
    2008-02-16 00:21 . 2008-02-16 00:21 <DIR> d-------- C:\Windows\PCHEALTH
    2008-02-15 23:29 . 2008-02-15 23:29 306,432 --a------ C:\Windows\System32\TuneUpDefragService.exe
    2008-02-15 23:29 . 2007-12-20 12:41 29,440 --a------ C:\Windows\System32\uxtuneup.dll
    2008-02-15 23:24 . 2006-12-20 08:03 229,888 --a------ C:\Windows\System32\msshsq.dll
    2008-02-15 18:50 . 2008-02-21 19:05 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Winamp
    2008-02-13 22:24 . 2008-02-13 22:24 194,560 --a------ C:\Windows\System32\WebClnt.dll
    2008-02-13 22:24 . 2008-02-13 22:24 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
    2008-02-13 22:23 . 2008-02-13 22:23 613,888 --a------ C:\Windows\System32\wpd_ci.dll
    2008-02-13 22:23 . 2008-02-13 22:23 260,096 --a------ C:\Windows\System32\dpx.dll
    2008-02-13 22:23 . 2008-02-13 22:23 224,824 --a------ C:\Windows\System32\clfs.sys
    2008-02-13 22:23 . 2008-02-13 22:23 221,696 --a------ C:\Windows\System32\umpnpmgr.dll
    2008-02-13 22:23 . 2008-02-13 22:23 101,888 --a------ C:\Windows\System32\drvinst.exe
    2008-02-13 22:23 . 2008-02-13 22:23 19,456 --a------ C:\Windows\System32\cfgmgr32.dll
    2008-02-13 22:23 . 2008-02-13 22:23 6,656 --a------ C:\Windows\System32\kbd106n.dll
    2008-02-13 22:20 . 2008-02-13 22:20 3,504,696 --a------ C:\Windows\System32\ntkrnlpa.exe
    2008-02-13 22:20 . 2008-02-13 22:20 3,470,392 --a------ C:\Windows\System32\ntoskrnl.exe
    2008-02-13 22:20 . 2008-02-13 22:20 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
    2008-02-13 22:20 . 2008-02-13 22:20 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
    2008-02-13 22:20 . 2008-02-13 22:20 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
    2008-02-13 22:20 . 2008-02-13 22:20 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
    2008-02-13 22:20 . 2008-02-13 22:20 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
    2008-02-13 22:19 . 2008-02-13 22:19 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
    2008-02-13 22:19 . 2008-02-13 22:19 216,632 --a------ C:\Windows\System32\drivers\netio.sys
    2008-02-13 22:19 . 2008-02-13 22:19 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
    2008-02-13 22:19 . 2008-02-13 22:19 24,064 --a------ C:\Windows\System32\netcfg.exe
    2008-02-13 22:19 . 2008-02-13 22:19 22,016 --a------ C:\Windows\System32\netiougc.exe
    2008-02-13 22:18 . 2008-02-13 22:18 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-02-13 22:18 . 2008-02-13 22:18 1,686,528 --a------ C:\Windows\System32\gameux.dll
    2008-02-06 19:13 . 2008-02-06 19:13 <DIR> d-------- C:\Program Files\OpenAL
    2008-02-06 19:11 . 2008-02-06 19:11 <DIR> d-------- C:\Windows\System32\xlive
    2008-01-30 10:11 . 2008-01-30 10:11 764,416 --a------ C:\Windows\System32\drivers\athr.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-23 15:04 --------- d-----w C:\Users\Owner\AppData\Roaming\dvdcss
    2008-02-21 06:16 --------- d-----w C:\Program Files\DAEMON Tools
    2008-02-20 19:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-17 16:33 --------- d-----w C:\Program Files\Java
    2008-02-16 15:38 --------- d-----w C:\Program Files\MSN Messenger
    2008-02-16 11:59 --------- d-----w C:\ProgramData\Symantec
    2008-02-16 11:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-02-16 10:13 --------- d-----w C:\Program Files\Winamp
    2008-02-16 07:18 47,360 ----a-w C:\Users\Owner\AppData\Roaming\pcouffin.sys
    2008-02-16 07:18 --------- d-----w C:\Users\Owner\AppData\Roaming\Vso
    2008-02-15 22:29 --------- d-----w C:\ProgramData\Microsoft Help
    2008-02-15 21:29 --------- d-----w C:\Program Files\TuneUp Utilities 2008
    2008-02-15 18:39 --------- d-----w C:\Program Files\Google
    2008-02-13 20:18 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-02-13 20:18 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-02-13 20:18 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-02-13 20:18 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-02-13 20:15 824,832 ----a-w C:\Windows\System32\wininet.dll
    2008-02-13 20:15 56,320 ----a-w C:\Windows\System32\iesetup.dll
    2008-02-13 20:15 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
    2008-02-13 20:15 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
    2008-02-06 17:13 413,696 ----a-w C:\Windows\System32\wrap_oal.dll
    2008-02-06 17:13 110,592 ----a-w C:\Windows\System32\OpenAL32.dll
    2008-02-01 04:44 98,304 ----a-w C:\Windows\System32\CmdLineExt.dll
    2008-01-27 07:46 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
    2008-01-27 07:46 --------- d-----w C:\Program Files\AutoCAD 2007
    2008-01-27 07:14 --------- d-----w C:\Program Files\Glovebox
    2008-01-27 07:13 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-23 16:45 --------- d-----w C:\Users\Owner\AppData\Roaming\fretsonfire
    2008-01-23 15:11 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
    2008-01-23 15:11 --------- d-----w C:\Program Files\VSO
    2008-01-21 10:56 --------- d-----w C:\Program Files\vghd
    2008-01-21 10:54 --------- d-----w C:\Users\Owner\AppData\Roaming\vghd
    2008-01-15 06:32 --------- d-----w C:\Program Files\Common Files\Nero
    2008-01-13 16:13 --------- d-----w C:\Program Files\DaemonTools_WhenUSave_Installer
    2008-01-13 15:15 --------- d-----w C:\Program Files\ESET
    2008-01-13 14:34 --------- d-----w C:\Program Files\BYTE@HAND
    2008-01-13 07:37 --------- d-----w C:\ProgramData\Eset
    2008-01-12 09:55 --------- d-----w C:\Program Files\Microsoft Synchronization Services
    2008-01-12 09:55 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
    2008-01-12 09:54 --------- d-----w C:\ProgramData\LogiShrd
    2008-01-12 09:51 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
    2008-01-12 09:50 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
    2008-01-12 09:46 --------- d-----w C:\Program Files\Common Files\Logitech
    2008-01-12 09:46 --------- d-----w C:\Program Files\Common Files\Logishrd
    2008-01-12 09:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-12 09:45 --------- d-----w C:\ProgramData\Logitech
    2008-01-10 17:14 --------- d-----w C:\ProgramData\Creative
    2008-01-10 17:06 --------- d-----w C:\Users\Owner\AppData\Roaming\Creative
    2008-01-10 16:56 --------- d--h--w C:\Program Files\Creative Installation Information
    2008-01-10 16:56 --------- d-----w C:\Program Files\Creative
    2008-01-10 16:52 --------- d-----w C:\Program Files\Common Files\Creative
    2008-01-10 07:37 --------- d-----w C:\Program Files\Windows Mail
    2008-01-10 07:33 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
    2008-01-10 07:33 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
    2008-01-10 07:32 11,776 ----a-w C:\Windows\System32\sbunattend.exe
    2008-01-10 07:32 --------- d-----w C:\Program Files\Windows Sidebar
    2008-01-09 14:10 --------- d-----w C:\Program Files\PCI Audio Applications
    2008-01-09 06:56 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-01-08 20:43 --------- d-----w C:\Program Files\Reallusion
    2008-01-06 08:09 174 --sha-w C:\Program Files\desktop.ini
    2008-01-06 08:02 --------- d-----w C:\Program Files\Windows Calendar
    2008-01-06 08:01 --------- d-----w C:\Program Files\Windows Defender
    2008-01-05 18:15 87,040 ----a-w C:\Windows\System32\msoert2.dll
    2008-01-05 18:15 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
    2008-01-05 18:15 205,824 ----a-w C:\Windows\System32\msoeacct.dll
    2008-01-05 18:14 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
    2008-01-05 18:14 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
    2008-01-05 18:14 542,720 ----a-w C:\Windows\System32\sysmain.dll
    2008-01-05 18:14 502,784 ----a-w C:\Windows\System32\wlansvc.dll
    2008-01-05 18:14 47,104 ----a-w C:\Windows\System32\wlanapi.dll
    2008-01-05 18:14 297,984 ----a-w C:\Windows\System32\wlansec.dll
    2008-01-05 18:14 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
    2008-01-05 18:14 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
    2008-01-05 18:14 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
    2008-01-05 18:14 2,923,520 ----a-w C:\Windows\explorer.exe
    2008-01-05 18:14 2,027,008 ----a-w C:\Windows\System32\win32k.sys
    2008-01-05 18:13 36,864 ----a-w C:\Windows\System32\wmdmps.dll
    2008-01-05 18:13 311,296 ----a-w C:\Windows\System32\mswmdm.dll
    2008-01-05 18:13 31,744 ----a-w C:\Windows\System32\wmdmlog.dll
    2008-01-05 18:12 49,664 ----a-w C:\Windows\System32\csrsrv.dll
    2008-01-05 18:12 376,320 ----a-w C:\Windows\System32\winsrv.dll
    2008-01-05 18:09 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
    2008-01-05 18:08 414,208 ----a-w C:\Windows\System32\msscp.dll
    2008-01-05 18:05 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
    2008-01-05 18:05 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
    2008-01-05 18:03 8,704 ----a-w C:\Windows\System32\hcrstco.dll
    2008-01-05 18:03 8,704 ----a-w C:\Windows\System32\hccoin.dll
    2008-01-05 18:03 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
    2008-01-05 18:03 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
    2008-01-05 18:03 23,040 ----a-w C:\Windows\system32\drivers\usbuhci.sys
    2008-01-05 18:03 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
    2008-01-05 18:03 192,000 ----a-w C:\Windows\system32\drivers\usbhub.sys
    2008-01-05 18:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
    2008-01-05 18:01 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
    2008-01-05 18:01 223,232 ----a-w C:\Windows\System32\WMASF.DLL
    2008-01-05 18:00 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
    2008-01-05 18:00 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
    2008-01-05 18:00 39,936 ----a-w C:\Windows\System32\slcinst.dll
    2008-01-05 18:00 351,232 ----a-w C:\Windows\System32\SLUI.exe

  6. #6
    Junior Member
    Join Date
    Feb 2008
    Posts
    14


    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 09:32 1232896]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-11-02 11:45 8704]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-19 14:26 171448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-09 02:36 86016]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-09 02:36 8534560]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-09 02:36 81920]
    "P17RunE"="P17RunE.dll" [2007-04-09 03:40 14848 C:\Windows\System32\P17RunE.dll]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\Windows\KHALMNPR.Exe]
    "egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-06-27 23:02:17 784912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\Users\Owner\AppData\Local\Temp\ddayw.dll

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    "cmds"=rundll32.exe C:\Users\Owner\AppData\Local\Temp\ddayw.dll,c
    "MS Juan"=rundll32 "C:\Users\Owner\AppData\Local\Temp\jhqwiimh.dll",run
    "e4aa858c"=rundll32.exe "C:\Users\Owner\AppData\Local\Temp\fmremkao.dll",b

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
    "C-Media Mixer"=Mixer.exe /startup
    "Windows Mobile-based device management"=%windir%\WindowsMobile\wmdSync.exe
    "Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
    "UpdReg"=C:\Windows\UpdReg.EXE
    "VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    "%windir%\system32\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\Program Files\MSN Messenger\livecall.exe"= C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
    "C:\Program Files\MSN Messenger\msnmsgr.exe"= C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
    "137:UDP"= 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP"= 138:UDP:*:Enabled:@xpsp2res.dll,-22002
    "139:TCP"= 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "445:TCP"= 445:TCP:*:Enabled:@xpsp2res.dll,-22005

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{B4E96A16-D694-4610-AFB1-7B6FAA346A1A}"= UDP:990:LocalSubnet:LocalSubnet|IF={420A066C-FBDA-41B7-ACD0-A87719BFB3A1}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001|Desc=@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "C:\Program Files\MSN Messenger\msnmsgr.exe-UDP-Domain"= TCP:C:\Program Files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.1
    "C:\Program Files\MSN Messenger\msnmsgr.exe-TCP-Domain"= UDP:C:\Program Files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.1
    "C:\Program Files\MSN Messenger\livecall.exe-UDP-Domain"= TCP:C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
    "C:\Program Files\MSN Messenger\livecall.exe-TCP-Domain"= UDP:C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe-UDP-Domain"= TCP:C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:ActiveSync Application
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe-TCP-Domain"= UDP:C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:ActiveSync Application
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe-UDP-Domain"= TCP:C:\Program Files\Microsoft ActiveSync\wcescomm.exe:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe-TCP-Domain"= UDP:C:\Program Files\Microsoft ActiveSync\wcescomm.exe:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe-UDP-Domain"= TCP:C:\Program Files\Microsoft ActiveSync\rapimgr.exe:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe-TCP-Domain"= UDP:C:\Program Files\Microsoft ActiveSync\rapimgr.exe:ActiveSync RAPI Manager
    "%windir%\Network Diagnostic\xpnetdiag.exe-UDP-Domain"= TCP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
    "%windir%\Network Diagnostic\xpnetdiag.exe-TCP-Domain"= UDP:%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
    "26675:TCP-Domain"= UDP:26675:169.254.2.0/255.255.255.0:ActiveSync Service
    "C:\Program Files\MSN Messenger\msnmsgr.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.1
    "C:\Program Files\MSN Messenger\msnmsgr.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\MSN Messenger\msnmsgr.exe:Windows Live Messenger 8.1
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:Microsoft Office Outlook
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:Microsoft Office Outlook
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "C:\Program Files\Microsoft Office\Office12\GROOVE.EXE-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "C:\Program Files\Microsoft Office\Office12\GROOVE.EXE-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe-UDP-Standard"= TCP:Profile=Public:169.254.2.0/255.255.255.0|C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:ActiveSync Application
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe-TCP-Standard"= UDP:Profile=Public:169.254.2.0/255.255.255.0|C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:ActiveSync Application
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe-UDP-Standard"= TCP:Profile=Public:169.254.2.0/255.255.255.0|C:\Program Files\Microsoft ActiveSync\wcescomm.exe:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe-TCP-Standard"= UDP:Profile=Public:169.254.2.0/255.255.255.0|C:\Program Files\Microsoft ActiveSync\wcescomm.exe:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe-UDP-Standard"= TCP:Profile=Public:169.254.2.0/255.255.255.0|C:\Program Files\Microsoft ActiveSync\rapimgr.exe:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe-TCP-Standard"= UDP:Profile=Public:169.254.2.0/255.255.255.0|C:\Program Files\Microsoft ActiveSync\rapimgr.exe:ActiveSync RAPI Manager
    "C:\Program Files\Messenger\msmsgs.exe-UDP-Standard"= TCP:Profile=Public|C:\Program Files\Messenger\msmsgs.exe:Windows Messenger
    "C:\Program Files\Messenger\msmsgs.exe-TCP-Standard"= UDP:Profile=Public|C:\Program Files\Messenger\msmsgs.exe:Windows Messenger
    "%windir%\Network Diagnostic\xpnetdiag.exe-UDP-Standard"= TCP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
    "%windir%\Network Diagnostic\xpnetdiag.exe-TCP-Standard"= UDP:Profile=Public|%windir%\Network Diagnostic\xpnetdiag.exe:@xpsp3res.dll,-20000
    "26675:TCP-Standard"= UDP:26675:169.254.2.0/255.255.255.0:ActiveSync Service
    "TCP Query User{B0EC142D-8DF3-465C-AA2E-8BB3BAED158E}C:\program files\bitlord\bitlord.exe"= UDP:C:\program files\bitlord\bitlord.exe:BitLord|Desc=BitLord
    "UDP Query User{3BAE1BF0-EEA2-434C-8716-76468A345F35}C:\program files\bitlord\bitlord.exe"= TCP:C:\program files\bitlord\bitlord.exe:BitLord|Desc=BitLord
    "{5ABB7677-5C83-4FFF-AB86-F62151D90EC5}"= UDP:I:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM) Multiplayer
    "{4421C9E3-9A39-4C46-941E-CB643D9926CD}"= TCP:I:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM) Multiplayer
    "{950ABB63-C098-41A0-8905-2A1F8EF18E48}"= UDP:I:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4X.exe:SWAT 4 - The Stetchkov Syndicate
    "{C0C98AF2-B1A6-4D97-B032-93EE9D5F3352}"= TCP:I:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4X.exe:SWAT 4 - The Stetchkov Syndicate
    "{6A069789-FC15-4A72-B3AC-CF810A6A6F58}"= UDP:I:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4XDedicatedServer.exe:SWAT 4 - The Stetchkov Syndicate Dedicated Server
    "{B97B014D-7441-4479-839C-A55DEC6A308F}"= TCP:I:\Program Files\Sierra\SWAT 4\ContentExpansion\System\Swat4XDedicatedServer.exe:SWAT 4 - The Stetchkov Syndicate Dedicated Server
    "TCP Query User{1B368C7A-D6A2-43CE-ABC4-2EBBED96FB03}C:\users\public\unrealtournament\system\unrealtournament.exe"= UDP:C:\users\public\unrealtournament\system\unrealtournament.exe:UnrealTournament|Desc=UnrealTournament
    "UDP Query User{F6E78DC0-28BA-4A19-B84F-C51B399AF56D}C:\users\public\unrealtournament\system\unrealtournament.exe"= TCP:C:\users\public\unrealtournament\system\unrealtournament.exe:UnrealTournament|Desc=UnrealTournament
    "TCP Query User{68D51843-42FA-4856-9E71-861D2E166D60}H:\program files\age of empires ii\age2_x1\age2_x1.exe"= UDP:H:\program files\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion|Desc=Age of Empires II Expansion
    "UDP Query User{92248FFB-2A0D-4844-A841-FB873089314F}H:\program files\age of empires ii\age2_x1\age2_x1.exe"= TCP:H:\program files\age of empires ii\age2_x1\age2_x1.exe:Age of Empires II Expansion|Desc=Age of Empires II Expansion
    "TCP Query User{AC19D6E2-971B-4DC3-BF4E-4EC898A5EB0E}C:\windows\system32\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper|Desc=Microsoft DirectPlay Helper
    "UDP Query User{98C8E714-1C58-47AD-8ADD-2199B01605DF}C:\windows\system32\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper|Desc=Microsoft DirectPlay Helper
    "TCP Query User{B201E675-DA9B-4090-BA86-81F94357FD2C}H:\program files\age of empires ii\empires2.exe"= UDP:H:\program files\age of empires ii\empires2.exe:Age of Empires II|Desc=Age of Empires II
    "UDP Query User{755795FD-76F5-456E-9C0C-F1458AC67A2F}H:\program files\age of empires ii\empires2.exe"= TCP:H:\program files\age of empires ii\empires2.exe:Age of Empires II|Desc=Age of Empires II
    "TCP Query User{C8EBF60B-7CD6-41A3-8525-19CE3C64B0F7}H:\games\company\reliccoh.exe"= UDP:H:\games\company\reliccoh.exe:RelicCOH|Desc=RelicCOH
    "UDP Query User{9F34BCA4-6111-4C19-B526-900BE408A318}H:\games\company\reliccoh.exe"= TCP:H:\games\company\reliccoh.exe:RelicCOH|Desc=RelicCOH
    "TCP Query User{A48337BA-80BF-4F9B-A79E-63BE829023FE}H:\program files\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe"= UDP:H:\program files\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe:SplinterCell4|Desc=SplinterCell4
    "UDP Query User{CB9D55B0-FE86-4BCD-9E9C-39C5F76939B1}H:\program files\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe"= TCP:H:\program files\ubisoft\tom clancy's splinter cell double agent\scda-offline\system\splintercell4.exe:SplinterCell4|Desc=SplinterCell4
    "{4AD58AFC-41AF-4162-9452-53DD85E2A51E}"= UDP:H:\Program Files\Eidos\Kane and Lynch Dead Men\kaneandlynch.exe:Kane & Lynch: Dead Men
    "{AF3C8FE4-E80D-49AF-A130-3190533DB9B2}"= TCP:H:\Program Files\Eidos\Kane and Lynch Dead Men\kaneandlynch.exe:Kane & Lynch: Dead Men
    "{4FA3B19E-A759-4791-A771-A503D73A51CF}"= UDP:990:LocalSubnet:LocalSubnet|IF={48867751-79BD-4793-B33C-288EA2F45A1B}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001|Desc=@%systemroot%\WindowsMobile\wmdSync.exe,-4001
    "TCP Query User{6F4DEDDC-59C0-4CC1-BE98-41A70CFD44EB}C:\program files\common files\nero\nero web\setupx.exe"= UDP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer|Desc=Nero Installer
    "UDP Query User{D4C1A872-8BAB-4BFC-9FAB-4AACDC719BEB}C:\program files\common files\nero\nero web\setupx.exe"= TCP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer|Desc=Nero Installer
    "TCP Query User{E241ED56-0AC7-489C-A35F-FD9D505998FB}C:\program files\lucasarts\star wars battlefront ii\gamedata\battlefrontii.exe"= UDP:C:\program files\lucasarts\star wars battlefront ii\gamedata\battlefrontii.exe:battlefrontII|Desc=battlefrontII
    "UDP Query User{314150AB-A30A-4561-89B4-7F95BDA75DDD}C:\program files\lucasarts\star wars battlefront ii\gamedata\battlefrontii.exe"= TCP:C:\program files\lucasarts\star wars battlefront ii\gamedata\battlefrontii.exe:battlefrontII|Desc=battlefrontII
    "{601FEAED-8BBB-4A79-88FF-6F216E8671DB}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{9C1FDFDE-12EE-4869-B8FC-EE2ADA9A0104}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{7F01A252-E4D7-4032-BC91-67B1300DD182}"= C:\Program Files\Windows Live\Messenger\wlcsdk.exe:Windows Live Messenger (Phone)|Edge=TRUE|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
    "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\Network Diagnostic\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    "%windir%\system32\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    "C:\Program Files\Messenger\msmsgs.exe"= C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"= C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove
    "C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"= C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"= C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
    "C:\Program Files\MSN Messenger\livecall.exe"= C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
    "C:\Program Files\MSN Messenger\msnmsgr.exe"= C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
    "137:UDP"= 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP"= 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    "139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "445:TCP"= 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

    R1 epfwtdir;epfwtdir;C:\Windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
    R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 11:45]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
    R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe [2006-11-02 11:45]
    R2 WcesComm;Windows Mobile 2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 11:45]
    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\Windows\system32\DRIVERS\AN983.sys [2005-01-13 09:28]
    R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2008-01-30 10:11]
    R3 vmcam325av;Vimicro USB2.0 PC Camera(VC0323);C:\Windows\system32\Drivers\vmcam323av.sys [2007-03-27 17:30]
    R3 vvftav323;vvftav323;C:\Windows\system32\drivers\vvftav323.sys [2007-03-27 17:30]
    R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 09:30]
    S3 FastNIC;SMC1233A-TX 10/100Mbps PCI NIC Driver;C:\Windows\system32\DRIVERS\FastNIC.sys [2001-10-17 15:09]
    S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\Windows\System32\TuneUpDefragService.exe [2008-02-15 23:29]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f603c44b-bb8b-11dc-9e49-806e6f6e6963}]
    \shell\AutoRun\command - G:\BSAutoRun.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-25 18:37:40 C:\Windows\Tasks\1-Click Maintenance.job"
    - C:\Program Files\TuneUp Utilities 2008\OneClick.exe
    "2008-02-24 18:23:16 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2008-02-24 08:01:36 C:\Windows\Tasks\User_Feed_Synchronization-{F94EB1ED-A432-42BA-9FE5-565D2526903D}.job"
    - C:\Windows\system32\msfeedssync.exe

  7. #7
    Junior Member
    Join Date
    Feb 2008
    Posts
    14

    Default

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-24 20:38:12
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-24 20:43:47
    ComboFix-quarantined-files.txt 2008-02-24 18:43:42
    .
    2008-02-22 11:45:29 --- E O F ---

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    14

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:44:27 PM, on 2008/02/24
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O13 - Gopher Prefix:
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa...bs/tgctlsr.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - http://www.update.microsoft.com/micr...?1189425381671
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189425353953
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V020...5033/CTPID.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: SMC Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

    --
    End of file - 8460 bytes

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Disable Spybot's TeaTimer
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu and select Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck Resident TeaTimer and OK any prompts.
    • Restart your computer



    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00
    
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "cmds"=-
    "MS Juan"=-
    "e4aa858c"=-

    Save this as CFScript




    Referring to the picture above, drag CFScript into ComboFix.exe



    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
    • The program will launch and start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings and select the following:
    Scan using the following Anti-Virus database:
    • Extended (If available, otherwise Standard)
    Scan Options:
    • Scan Archives
    • Scan Mail Bases
    • Click OK.
    • Under select a target to scan, select My Computer.
    • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
    Once the scan is complete:
    • Click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information into your next post if the AV content will fit into one post only. Post also ComboFix log and a fresh hjt log.



    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

    If having a problem doing the above:

    Make sure that your Internet security settings are set to default values.

    To set default security settings for Internet Explorer:

    * Open Internet Explorer.
    * Go to the Tools menu, then choose Internet Options.
    * Click on the Security tab.
    * Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.
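The CFScript in the post above does two things that are easy to miss in the hex(7) notation: it rewrites the LSA "Authentication Packages" value so that it contains only msv1_0 (the built-in NTLM package; Virtumonde variants register their own DLL there so that lsass.exe loads it at boot), and it deletes three values under the user's Run key (the trailing "-" on the key name is the .reg/CFScript spelling for "delete the listed values"). The Python below, added here as an example and not part of the post or of ComboFix, parses that Registry:: section, decodes the REG_MULTI_SZ bytes, and flags any authentication package that is not on a known-good list. The known-good list (msv1_0 only) is an assumption for a stand-alone workstation, and the "infected" byte string in the main block is constructed for illustration.

```python
"""Decode and sanity-check the CFScript (ComboFix "Registry::" section) above.

Added example; not part of the original post or of ComboFix itself."""
import re

# The script from the post, embedded verbatim so this runs offline.
CFSCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"cmds"=-
"MS Juan"=-
"e4aa858c"=-
"""

LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"

# Assumption for this check: on a stand-alone workstation the only LSA
# authentication package expected is the built-in NTLM package msv1_0.
# Anything extra is a DLL that lsass.exe loads at boot and deserves a look.
KNOWN_GOOD_AUTH_PACKAGES = {"msv1_0"}


def decode_hex7(payload: str) -> list[str]:
    """Decode the 'aa,bb,...' byte list of a hex(7) (REG_MULTI_SZ) value.

    The data is NUL-separated strings with one extra NUL at the end. The
    script above uses one byte per character; a .reg file exported on a
    Unicode Windows stores UTF-16LE instead, so both forms are handled."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if len(raw) % 2 == 0 and all(hi == 0 for hi in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_registry_section(script: str) -> dict[str, dict[str, object]]:
    """Parse 'Registry::' lines into {key: {value_name: data}}.

    data is a list of strings for hex(7) values, None for '"name"=-'
    deletions, and the raw text otherwise. A key name ending in '-' means
    'delete the listed values under this key'."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for line in script.replace("\\\n", "").splitlines():  # join .reg continuation lines
        line = line.strip()
        if not line or line.endswith("::"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|([^=]+?))\s*=\s*(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1) or m.group(2), m.group(3)
        if data == "-":
            keys[current][name] = None
        elif data.lower().startswith("hex(7):"):
            keys[current][name] = decode_hex7(data[len("hex(7):"):])
        else:
            keys[current][name] = data
    return keys


def unexpected_auth_packages(packages: list[str]) -> list[str]:
    """Entries of 'Authentication Packages' that are not on the known-good list."""
    return [p for p in packages if p.lower() not in KNOWN_GOOD_AUTH_PACKAGES]


def summarize_cfscript(script: str) -> dict:
    """What the script leaves in LSA and which Run values it deletes."""
    keys = parse_registry_section(script)
    packages = keys.get(LSA_KEY, {}).get("Authentication Packages", [])
    deletions = sorted(
        name
        for key, values in keys.items() if key.endswith("-")
        for name, data in values.items() if data is None
    )
    return {
        "auth_packages": packages,
        "unexpected": unexpected_auth_packages(packages),
        "deleted_run_values": deletions,
    }


if __name__ == "__main__":
    print(summarize_cfscript(CFSCRIPT))
    # Constructed example of an infected value: the same bytes with a second
    # entry "ddayw" (the DLL name seen in the catchme quarantine above)
    # appended. Illustrative only, not taken from the user's machine.
    infected = decode_hex7("6d,73,76,31,5f,30,00,64,64,61,79,77,00,00")
    print(infected, unexpected_auth_packages(infected))
```

Running the script prints `{'auth_packages': ['msv1_0'], 'unexpected': [], 'deleted_run_values': ['MS Juan', 'cmds', 'e4aa858c']}`, which is exactly the end state the CFScript is meant to produce; the same `decode_hex7` and `unexpected_auth_packages` pair can be pointed at the value exported from a live machine (`reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg`) to see what is loaded there before the fix.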

  10. #10
    Junior Member
    Join Date
    Feb 2008
    Posts
    14

    Default

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, February 25, 2008 5:10:50 AM
    Operating System: Microsoft Windows Vista Professional, (Build 6000)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 24/02/2008
    Kaspersky Anti-Virus database records: 578541
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 248819
    Number of viruses found: 11
    Number of infected objects: 18
    Number of suspicious objects: 0
    Duration of the scan process: 03:25:20

    Infected Object Name / Virus Name / Last Action
    C:\Boot\BCD Object is locked skipped
    C:\Boot\BCD.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Nero\Nero8\Nero BackItUp\BIU2FE4.txt Object is locked skipped
    C:\ProgramData\Eset\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
    C:\ProgramData\Eset\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
    C:\ProgramData\Eset\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.50.Crwl Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.50.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.ci Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wsb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy194.gthr Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3AC2.tmp Object is locked skipped
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3AD2.tmp Object is locked skipped
    C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-11022006-050253.log Object is locked skipped
    C:\ProgramData\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\0D9A0DA1.sys Infected: Rootkit.Win32.Agent.eq skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\123F7156.exe Infected: Virus.Win32.Small.r skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\2A3F62BA.exe Infected: Trojan.Win32.Agent.ark skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\39982FD6.EXE Infected: Trojan.Win32.Buzus.cl skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\3BF4073E.007 Infected: not-a-virus:Monitor.Win32.Ardamax.271 skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\659A49D0.exe Infected: Trojan-Downloader.Win32.Cn911.j skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\6FDF6211.exe Infected: Trojan-Downloader.Win32.Cn911.j skipped
    C:\ProgramData\Symantec\Norton AntiVirus\Quarantine\7D5E1E5A.sys Infected: Rootkit.Win32.Agent.eq skipped
    C:\QooBox\Quarantine\catchme2008-02-24_203754.96.zip/ddayw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\catchme2008-02-24_203754.96.zip ZIP: infected - 1 skipped
    C:\Users\Owner\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat{2586d85f-bf4f-11dc-97f7-0050bfa9a130}.TM.blf Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat{2586d85f-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows\UsrClass.dat{2586d85f-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Users\Owner\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
    C:\Users\Owner\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
    C:\Users\Owner\AppData\Local\Temp\~DF4DE0.tmp Object is locked skipped
    C:\Users\Owner\AppData\Local\Temp\~DF4E71.tmp Object is locked skipped
    C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
    C:\Users\Owner\Incomplete\T-274274-American Dad S03E11.zip/Video.exe Infected: P2P-Worm.Win32.Polip.a skipped
    C:\Users\Owner\Incomplete\T-274274-American Dad S03E11.zip ZIP: infected - 1 skipped
    C:\Users\Owner\ntuser.dat Object is locked skipped
    C:\Users\Owner\ntuser.dat.LOG1 Object is locked skipped
    C:\Users\Owner\ntuser.dat.LOG2 Object is locked skipped
    C:\Users\Owner\NTUSER.DAT{2586d85d-bf4f-11dc-97f7-0050bfa9a130}.TM.blf Object is locked skipped
    C:\Users\Owner\NTUSER.DAT{2586d85d-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Users\Owner\NTUSER.DAT{2586d85d-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\CSC\v2.0.6\pq Object is locked skipped
    C:\Windows\Debug\PASSWD.LOG Object is locked skipped
    C:\Windows\Debug\sam.log Object is locked skipped
    C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
    C:\Windows\S6E5BDEE5.tmp Object is locked skipped
    C:\Windows\SchedLgU.Txt Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{2586d859-bf4f-11dc-97f7-0050bfa9a130}.TM.blf Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{2586d859-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{2586d859-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{2586d857-bf4f-11dc-97f7-0050bfa9a130}.TM.blf Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{2586d857-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{2586d857-bf4f-11dc-97f7-0050bfa9a130}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
    C:\Windows\System32\catroot2\edb.log Object is locked skipped
    C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
    C:\Windows\System32\config\COMPONENTS Object is locked skipped
    C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
    C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
    C:\Windows\System32\config\DEFAULT Object is locked skipped
    C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
    C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
    C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
    C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
    C:\Windows\System32\config\RegBack\SAM Object is locked skipped
    C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
    C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
    C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
    C:\Windows\System32\config\SAM Object is locked skipped
    C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
    C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
    C:\Windows\System32\config\SECURITY Object is locked skipped
    C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
    C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
    C:\Windows\System32\config\SOFTWARE Object is locked skipped
    C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
    C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
    C:\Windows\System32\config\SYSTEM Object is locked skipped
    C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
    C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{58dcd6b1-ddd8-11dc-9686-0050bfa9a130}.TxR.0.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{58dcd6b1-ddd8-11dc-9686-0050bfa9a130}.TxR.1.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{58dcd6b1-ddd8-11dc-9686-0050bfa9a130}.TxR.2.regtrans-ms Object is locked skipped
    C:\Windows\System32\config\TxR\{58dcd6b1-ddd8-11dc-9686-0050bfa9a130}.TxR.blf Object is locked skipped
    C:\Windows\System32\drivers\AnyDVD.sys.bak Infected: Backdoor.Win32.Agent.eop skipped
    C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
    C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
    C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
    C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
    C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
    C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
    C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
    C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
    C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
    C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.003 Object is locked skipped
    C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
    C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
    C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
    C:\Windows\WindowsUpdate.log Object is locked skipped
    H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    I:\Utilities\DVD\Slysoft\Slysoft - All crack.exe Infected: Trojan-Dropper.Win32.Small.awz skipped
    I:\Utilities\DVD\Slysoft\Slysoft_all products with crack_30-06-2007.zip/Slysoft - All crack.exe Infected: Trojan-Dropper.Win32.Small.awz skipped
    I:\Utilities\DVD\Slysoft\Slysoft_all products with crack_30-06-2007.zip ZIP: infected - 1 skipped
    I:\Utilities\New\Nero-7.9.6.5\Nero-7.7.5.1.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    I:\Utilities\New\Nero-7.9.6.5\Nero-7.7.5.1.exe RAR: infected - 1 skipped

    Scan process completed.
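Reading a Kaspersky report of this length by eye is error-prone, and every hit in it is only "skipped" (reported, not cleaned), so a quick triage helps. The script below is an added example, not code from the thread or from Kaspersky: it parses the three line shapes seen in the report (locked objects, infected files, and archive summary lines), pulls archive members apart from their container file, and lists the on-disk files that actually need removing. The sample log embedded in it is constructed from a handful of the lines posted above; the "not-a-virus:" severity rule is an assumption based on how the verdict names appear in the log.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Kaspersky scan report posted above
# (paths and detection names copied from the thread, trimmed to a few lines).
SAMPLE_LOG = r"""
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
I:\Utilities\DVD\Slysoft\Slysoft - All crack.exe Infected: Trojan-Dropper.Win32.Small.awz skipped
I:\Utilities\DVD\Slysoft\Slysoft_all products with crack_30-06-2007.zip/Slysoft - All crack.exe Infected: Trojan-Dropper.Win32.Small.awz skipped
I:\Utilities\DVD\Slysoft\Slysoft_all products with crack_30-06-2007.zip ZIP: infected - 1 skipped
I:\Utilities\New\Nero-7.9.6.5\Nero-7.7.5.1.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
I:\Utilities\New\Nero-7.9.6.5\Nero-7.7.5.1.exe RAR: infected - 1 skipped

Scan process completed.
"""

# Paths may contain spaces, so each pattern anchors on the fixed status text at
# the end of the line and takes everything before it (non-greedy) as the path.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>ZIP|RAR): infected - (?P<count>\d+) skipped$")


def split_container(path):
    """'C:\\a\\b.zip/member.exe' -> ('C:\\a\\b.zip', 'member.exe').

    Windows paths never contain '/', so the scanner's use of '/' marks a
    member inside an archive. A plain file returns (path, None).
    """
    if "/" in path:
        container, member = path.split("/", 1)
        return container, member
    return path, None


def severity(name):
    # Assumption: a 'not-a-virus:' prefix marks an adware/riskware verdict
    # rather than a trojan, as with the MyWebSearch toolbar hit in the log.
    return "riskware" if name.startswith("not-a-virus:") else "malware"


def parse_scan_log(text):
    """Classify each report line; lines of unknown shape are kept under 'other'."""
    result = {"locked": [], "infected": [], "archives": [], "other": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            result["locked"].append(m["path"])
            continue
        m = INFECTED_RE.match(line)
        if m:
            container, member = split_container(m["path"])
            result["infected"].append({
                "file": container,        # object on disk
                "member": member,         # entry inside an archive, if any
                "detection": m["name"],
                "severity": severity(m["name"]),
            })
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            result["archives"].append((m["path"], m["kind"], int(m["count"])))
            continue
        result["other"].append(line)
    return result


def files_to_quarantine(report):
    """On-disk files that carried a detection. Every hit in the posted log is
    'skipped', i.e. only reported, so these still have to be removed by hand."""
    return sorted({hit["file"] for hit in report["infected"]})


def detection_counts(report):
    return Counter(hit["detection"] for hit in report["infected"])


if __name__ == "__main__":
    rep = parse_scan_log(SAMPLE_LOG)
    print(f"{len(rep['locked'])} locked (not scanned), {len(rep['infected'])} infected")
    for f in files_to_quarantine(rep):
        print("  remove:", f)
    for name, n in detection_counts(rep).items():
        print(f"  {name}: {n} ({severity(name)})")
```

Two things worth noting when applying this to the full report: the "Object is locked skipped" lines are files the scanner never looked at (event logs, the WMI repository, System Volume Information), so a clean result there says nothing; and an archive that reports "infected - 1" is cleaned by deleting the archive itself, since the member path is only meaningful inside it.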
