Virtumonde??

**Jhatz** · 2009-03-23, 01:25

Above keeps showing up on scans. Seems to be refusing to go away.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:56 PM, on 3/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\PD6000SM.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PD6000StatusMonitor] C:\WINDOWS\system32\PD6000SM.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1229562077968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1229562025484
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAFDB245-E8C2-425C-BECA-41FCE9C8736E}: NameServer = 198.88.216.2 198.88.216.3
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

--
End of file - 7689 bytes

**Shaba** · 2009-03-24, 08:14

Hi Jhatz

Please post next spybot report

**Jhatz** · 2009-03-25, 13:16

Ok, here it is. There were a couple of boxes unchecked by default. I left as is.

On a side note, I noticed a mistake as I re-read the initial instructions...I did not disable the tea-timer bfeore posting the above HJT report. Let me know if I need to resend the report. I'm sorry about that - can't believe I missed it.

--- Search result list ---
Virtumonde: [SBI $92386332] Library (File, nothing done)
C:\WINDOWS\system32\zipfldr.dll

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2009-03-05 TeaTimer.exe (1.6.6.32)
2005-07-18 unins000.exe (51.41.0.0)
2008-03-29 unins001.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-10-22 Tools.dll (2.1.6.8)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-01-22 Includes\Adware.sbi (*)
2009-03-10 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-03-10 Includes\Dialer.sbi (*)
2009-03-10 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-02-10 Includes\Hijackers.sbi (*)
2009-03-03 Includes\HijackersC.sbi (*)
2009-03-17 Includes\Keyloggers.sbi (*)
2009-03-17 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-03-18 Includes\Malware.sbi (*)
2009-03-18 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-03-17 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-01-28 Includes\Spyware.sbi (*)
2009-01-28 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-03-17 Includes\Trojans.sbi (*)
2009-03-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ Internet Explorer 6 / SP0: Windows XP Hotfix - KB834707
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944338-v2)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB945553)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ Windows XP / SP3: Security Update for Windows XP (KB950749)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958215)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB960714)

--- Startup entries list ---
Located: HK_LM:Run,
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, AGRSMMSG
command: AGRSMMSG.exe
file: C:\WINDOWS\AGRSMMSG.exe
size: 88107
MD5: 338879395DF79B77565077F9C0727F7B

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 590848
MD5: 39A815061956C38532963FF83BCE8356

Located: HK_LM:Run, AVG7_EMC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
size: 406528
MD5: FC0B2AE890BB0DC8C2306DABEDC8A4BA

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 290088
MD5: E6A4E341E4304B34AA280D3E73818C90

Located: HK_LM:Run, Lexmark 1200 Series
command: "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
file: C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
size: 57344
MD5: CBDA2D5F8338812923B92D80F410AD5E

Located: HK_LM:Run, Logitech Utility
command: Logi_MwX.Exe
file: C:\WINDOWS\Logi_MwX.Exe
size: 19968
MD5: 34A14CD6B6E9C8BFBABEAF6EED5149BB

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 1519616
MD5: 67A8DD30AF82E412CB4BF1B6D1623809

Located: HK_LM:Run, PD6000StatusMonitor
command: C:\WINDOWS\system32\PD6000SM.EXE
file: C:\WINDOWS\system32\PD6000SM.EXE
size: 266240
MD5: 0ADFEBBCD0C6AB90991C5129C918B8FC

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
file: C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
size: 36975
MD5: D3E445A99A1142C35D8D3100B5564591

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922EB54890C77005268882629A31FE

Located: HK_LM:Run, Windows Defender
command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC

Located: HK_LM:RunOnce, Spybot - Search & Destroy
command: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
file: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A

Located: HK_LM:RunOnceEx,
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, AVG7_Run
where: .DEFAULT...
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
size: 219136
MD5: B331EF4C7437F5093D703340678469EB

Located: HK_CU:Run, DWQueuedReporting
where: .DEFAULT...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file: C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
size: 39264
MD5: 6D787FDF93DE266CE25378FB362DF011

Located: HK_CU:RunOnce, RunNarrator
where: .DEFAULT...
command: Narrator.exe
file: C:\WINDOWS\system32\Narrator.exe
size: 53760
MD5: 797B56BB7F031926FC540D8F6CFFAD50

Located: HK_CU:Run, AVG7_Run
where: S-1-5-19...
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
size: 219136
MD5: B331EF4C7437F5093D703340678469EB

Located: HK_CU:Run, AVG7_Run
where: S-1-5-20...
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
size: 219136
MD5: B331EF4C7437F5093D703340678469EB

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1644491937-1767777339-839522115-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, updateMgr
where: S-1-5-21-1644491937-1767777339-839522115-1003...
command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
size: 313472
MD5: 43F3F6D33C793089A7C32B45DA16094B

Located: HK_CU:Run, AVG7_Run
where: S-1-5-18...
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
size: 219136
MD5: B331EF4C7437F5093D703340678469EB

Located: HK_CU:Run, DWQueuedReporting
where: S-1-5-18...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file: C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
size: 39264
MD5: 6D787FDF93DE266CE25378FB362DF011

Located: HK_CU:RunOnce, RunNarrator
where: S-1-5-18...
command: Narrator.exe
file: C:\WINDOWS\system32\Narrator.exe
size: 53760
MD5: 797B56BB7F031926FC540D8F6CFFAD50

Located: Startup (common), Adobe Reader Speed Launch.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362B96870CE8649F4F2EC893DA93F0

Located: Startup (common), Kodak EasyShare software.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
file: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
size: 614531
MD5: BD01E18519665AA81AD8A80417CCA286

Located: Startup (common), KODAK Software Updater.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
file: C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
size: 16432
MD5: A4ABD04731982411A0E2CE5161D23051

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 9/23/2005 10:12:08 PM
Date (last access): 3/25/2009 7:01:04 AM
Date (last write): 1/12/2006 8:38:22 PM
Filesize: 63128
Attributes: archive
MD5: F17B2B264072B921FC66A0BE16626BAB
CRC32: 5184CFEA
Version: 7.0.7.142

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~2\
Long name: SDHelper.dll
Short name:
Date (created): 7/18/2005 11:21:20 AM
Date (last access): 3/25/2009 7:01:04 AM
Date (last write): 9/15/2008 2:25:44 PM
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll googletoolbar*.dll (* = number) googletoolbar_en_*.**-big.dll Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 2/20/2009 10:31:20 AM
Date (last access): 3/25/2009 7:01:04 AM
Date (last write): 2/20/2009 10:31:20 AM
Filesize: 2403392
Attributes: readonly archive
MD5: 6319F2D4708DBCAE37CFA03DA10782C0
CRC32: D51D8296
Version: 4.0.1601.4978

--- ActiveX list ---
{02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass)
DPF name:
CLSID name: VaioInfo.CMClass
Installer: C:\WINDOWS\Downloaded Program Files\VaioInfo.INF
Codebase: http://esupport.sony.com/VaioInfo.CAB
description:
classification: Legitimate
known filename: VaioInfo.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: VaioInfo.dll
Short name:
Date (created): 10/27/2004 12:06:30 PM
Date (last access): 3/25/2009 1:47:12 AM
Date (last write): 10/27/2004 12:06:30 PM
Filesize: 49152
Attributes:
MD5: 48A6D73627BED4C463FEBA338D8E13A5
CRC32: 01620329
Version: 2.2.0.0

{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 6:04:22 PM
Date (last access): 3/25/2009 1:46:18 AM
Date (last write): 3/20/2008 6:06:36 PM
Filesize: 1480232
Attributes:
MD5: E058C4821D48E0A67F6069CB50818D44
CRC32: 3513AE02
Version: 1.7.69.2

{5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module)
DPF name:
CLSID name: Windows Live Safety Center Base Module
Installer: C:\WINDOWS\Downloaded Program Files\wlscBase.inf
Codebase: https://scan.safety.live.com/resourc...scbase3401.cab
description:
classification: Legitimate
known filename: wlscBase.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: wlscBase.dll
Short name:
Date (created): 12/13/2005 10:44:54 PM
Date (last access): 3/25/2009 1:47:30 AM
Date (last write): 12/13/2005 10:44:54 PM
Filesize: 327408
Attributes:
MD5: 6C90E0B6B0EB8C89455BA8F710276127
CRC32: 4136A275
Version: 0.100.3401.1

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/micr...?1229562077968
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 5/26/2005 3:19:32 AM
Date (last access): 3/25/2009 1:47:02 AM
Date (last write): 10/16/2008 2:12:24 PM
Filesize: 202776
Attributes: archive
MD5: 0006DE8037F5A562F96B461B3C557C3C
CRC32: 9B107DED
Version: 7.2.6001.788

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://www.update.microsoft.com/micr...?1229562025484
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 3/25/2009 1:46:30 AM
Date (last write): 10/16/2008 2:07:48 PM
Filesize: 208744
Attributes: archive
MD5: 90058C2AD9FC43A3B3D59F82FFC6AEA7
CRC32: 7D5F90FA
Version: 7.2.6001.788

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_04
Installer: C:\WINDOWS\Downloaded Program Files\jinstall-1_5_0_04.inf
Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_04\bin\
Long name: NPJPI150_04.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2005 2:52:58 AM
Date (last access): 3/25/2009 1:47:14 AM
Date (last write): 6/3/2005 3:09:54 AM
Filesize: 69746
Attributes: archive
MD5: 8548FE98BD687F35AFD0AED9C2A2DEE3
CRC32: 4058FA1B
Version: 5.0.40.5

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get.../ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_04
Installer:
Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_04.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_04\bin\
Long name: NPJPI150_04.dll
Short name: NPJPI1~1.DLL
Date (created): 6/3/2005 2:52:58 AM
Date (last access): 3/25/2009 7:06:36 AM
Date (last write): 6/3/2005 3:09:54 AM
Filesize: 69746
Attributes: archive
MD5: 8548FE98BD687F35AFD0AED9C2A2DEE3
CRC32: 4058FA1B
Version: 5.0.40.5

--- Process list ---
PID: 0 ( 0) [System]
PID: 388 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 448 ( 388) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 480 ( 388) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 524 ( 480) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 536 ( 480) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 680 ( 524) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 760 ( 524) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 800 ( 524) C:\Program Files\Windows Defender\MsMpEng.exe
size: 13592
MD5: F45DD1E1365D857DD08BC23563370D0E
PID: 840 ( 524) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 884 ( 524) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 916 ( 524) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1064 ( 524) C:\WINDOWS\system32\LEXBCES.EXE
size: 311296
MD5: A1043645D16915DF12A6F2E049922A18
PID: 1092 ( 524) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1104 (1064) C:\WINDOWS\system32\LEXPPS.EXE
size: 174592
MD5: AF31E60B6BF71BD74B16DDF5C679FBA3
PID: 1252 ( 524) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 132424
MD5: A8AA9D47F971570A5162B862B80F87E8
PID: 1264 ( 524) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
size: 418816
MD5: 3C7B93F947355E374A49564D0D017B7B
PID: 1316 ( 524) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
size: 49664
MD5: 30A14F65DB477DC00A64A5A24E96919C
PID: 1336 ( 524) C:\Program Files\Bonjour\mDNSResponder.exe
size: 238888
MD5: 9EFE4236F8670846B6E7C5B0EFF6E715
PID: 1372 ( 524) C:\WINDOWS\system32\drivers\KodakCCS.exe
size: 294972
MD5: A97812A623D23727E50F501F95719B23
PID: 1444 ( 524) C:\WINDOWS\system32\nvsvc32.exe
size: 143436
MD5: AA78C4677E06CFD4FE048718EE7F6332
PID: 1496 ( 524) C:\Program Files\CyberLink\Shared files\RichVideo.exe
size: 244904
MD5: D1F1D0EE50F8C070A612796676971699
PID: 1688 ( 524) C:\WINDOWS\system32\ScsiAccess.EXE
size: 181312
MD5: ED9C5CF6CC611EC8AC4A77C3F58F0601
PID: 1728 ( 524) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1968 (1920) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 244 ( 524) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2100 (1968) C:\WINDOWS\AGRSMMSG.exe
size: 88107
MD5: 338879395DF79B77565077F9C0727F7B
PID: 2076 (1968) C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 590848
MD5: 39A815061956C38532963FF83BCE8356
PID: 2140 (1968) C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
size: 406528
MD5: FC0B2AE890BB0DC8C2306DABEDC8A4BA
PID: 2152 (1968) C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
size: 36975
MD5: D3E445A99A1142C35D8D3100B5564591
PID: 2180 ( 808) C:\Program Files\Logitech\MouseWare\system\em_exec.exe
size: 37888
MD5: 7D325EC9B9B1589DF12D0874700BC59E
PID: 1768 (1968) C:\WINDOWS\system32\PD6000SM.EXE
size: 266240
MD5: 0ADFEBBCD0C6AB90991C5129C918B8FC
PID: 1552 (1968) C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
size: 57344
MD5: CBDA2D5F8338812923B92D80F410AD5E
PID: 1700 (1968) C:\Program Files\Windows Defender\MSASCui.exe
size: 866584
MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC
PID: 672 (1968) C:\Program Files\QuickTime\QTTask.exe
size: 413696
MD5: 9C9B6807425CEF840C117654D8B033D1
PID: 1016 (1968) C:\Program Files\iTunes\iTunesHelper.exe
size: 290088
MD5: E6A4E341E4304B34AA280D3E73818C90
PID: 2208 (1968) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
PID: 1624 (1552) C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
size: 53248
MD5: 6041683BD131110B462D41263DCDB4F9
PID: 1392 (1968) C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
size: 614531
MD5: BD01E18519665AA81AD8A80417CCA286
PID: 2264 (1968) C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
size: 16432
MD5: A4ABD04731982411A0E2CE5161D23051
PID: 2508 ( 524) C:\Program Files\iPod\bin\iPodService.exe
size: 536872
MD5: 62937A89470AF8FF172F0980CA8AEFC9
PID: 2656 (2208) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 2956 (1968) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
MD5: E7484514C0464642BE7B4DC2689354C8
PID: 4 ( 0) System

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9BD397B9-DB5D-4DE0-86D1-C2116A223EC8}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9BD397B9-DB5D-4DE0-86D1-C2116A223EC8}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7C3913C9-ACFC-47EA-94E2-78B12F44F681}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7C3913C9-ACFC-47EA-94E2-78B12F44F681}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{79BDC54E-3157-46EE-8B3B-EB56E3D9E01D}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{79BDC54E-3157-46EE-8B3B-EB56E3D9E01D}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6FF94069-C4A0-42F5-ACCE-18ECD79F6ABF}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6FF94069-C4A0-42F5-ACCE-18ECD79F6ABF}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{125F5F59-6DCC-41AA-9817-7598DF7BACB1}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{125F5F59-6DCC-41AA-9817-7598DF7BACB1}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAFDB245-E8C2-425C-BECA-41FCE9C8736E}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CAFDB245-E8C2-425C-BECA-41FCE9C8736E}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP

**Shaba** · 2009-03-25, 15:29

That is false positive from old version of Spybot.

Please update spybot, rescan with it and post back if it now found something.

**Shaba** · 2009-03-29, 12:54

Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.

Thread: Virtumonde??

Thread Tools

Display

Virtumonde??

Posting Permissions