Virtumonde and IS 2010 Infection

I had to use "%userprofile%" instead of "%userprofile" as given, however.
Yeah, I had a typo there. Sorry.

A simple delete of that ocx file should be enough. If you use the uninstaller, that will also remove other versions.
 
I cannot delete it because it is marked as read-only. It won't let me remove the write protection so I can delete it and "uninstall_plugin" only removed the latest Flash version (10.0.42.34), making me have to redownload it. :scratch:
 
...Nope. Same as before, won't let me delete it because of write protection, won't let me remove write protection (Read-Only status) so I *can* delete it.
 
Hi,

Move C:\WINDOWS\system32\Macromed\Flash folder to your desktop. Delete the stubborn file and then move the Flash folder back to C:\WINDOWS\system32\Macromed folder.
 
All symptoms are gone -- Flash is loading normally and no more popups -- but Spybot said it found one Virtumonde.sdn when I scanned this morning and removed it. (I have Spybot/AVG do automatic scans on Wednesday because I have classes early on Wed.) Is this anything to look into?
 
Hi,

Do you have the Spybot log of that run handy? Monitor the situation for a few days and let me know if the problem returns :)
 
It's really a shame that we have to be on such different schedules/timezones, it makes correspondence so slow. :(

How do I get the log of a previous scan from Spybot? Is it the report I get through Tools -> View Report -> View Report? If so, here is that from yesterday's scan:

Code:
--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-08-14 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2005-06-02 unins000.exe (51.41.0.0)
2009-02-23 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-10-08 Includes\Adware.sbi
2010-02-09 Includes\AdwareC.sbi
2010-01-25 Includes\Cookies.sbi
2009-11-03 Includes\Dialer.sbi
2010-02-09 Includes\DialerC.sbi
2010-01-25 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2010-02-09 Includes\HijackersC.sbi
2010-01-20 Includes\Keyloggers.sbi
2010-02-09 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2010-02-10 Includes\Malware.sbi
2010-02-10 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2010-02-09 Includes\PUPSC.sbi
2010-01-25 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2010-02-10 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-11-03 Includes\Spyware.sbi
2010-02-09 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-12-08 Includes\Trojans.sbi
2010-02-10 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
 / .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB887998)
 / .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB930494)
 / .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB953295)
 / .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3
 / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Security Update (KB953297)
 / .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
 / Media Center 2005 / SP4: Update Rollup 2 for Windows XP Media Center Edition 2005
 / MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
 / MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
 / MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
 / MSXML4SP2: Security update for MSXML4 SP2 (KB973688)
 / Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
 / Windows / SP1: Microsoft National Language Support Downlevel APIs
 / Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
 / Windows Media Player: Security Update for Windows Media Player (KB952069)
 / Windows Media Player: Security Update for Windows Media Player (KB954155)
 / Windows Media Player: Security Update for Windows Media Player (KB968816)
 / Windows Media Player: Security Update for Windows Media Player (KB973540)
 / Windows Media Player 10: Security Update for Windows Media Player 10 (KB911565)
 / Windows Media Player 10: Update for Windows Media Player 10 (KB913800)
 / Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
 / Windows Media Player 10: Update for Windows Media Player 10 (KB926251)
 / Windows Media Player 10 / SP0: Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
 / Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
 / Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
 / Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
 / Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
 / Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
 / Windows XP: Security Update for Windows XP (KB923689)
 / Windows XP: Security Update for Windows XP (KB941569)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB931768)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
 / Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB960714)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB963027)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB971961)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB972260)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB974455)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB976325)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB976325)
 / Windows XP / SP0: Update for Windows Internet Explorer 7 (KB976749)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB978207)
 / Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB978207)
 / Windows XP / SP0: Update for Windows Internet Explorer 8 (KB978506)
 / Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
 / Windows XP / SP3: Windows XP Hotfix - KB873333
 / Windows XP / SP3: Security Update for Windows XP (KB883939)
 / Windows XP / SP3: Windows XP Hotfix - KB887742
 / Windows XP / SP3: Security Update for Windows XP (KB890046)
 / Windows XP / SP3: Windows XP Hotfix - KB890175
 / Windows XP / SP3: Windows XP Hotfix - KB890923
 / Windows XP / SP3: Security Update for Windows XP (KB893066)
 / Windows XP / SP3: Windows XP Hotfix - KB893086
 / Windows XP / SP3: Windows Installer 3.1 (KB893803)
 / Windows XP / SP3: Security Update for Windows XP (KB896422)
 / Windows XP / SP3: Security Update for Windows XP (KB896688)
 / Windows XP / SP3: Update for Windows XP (KB896727)
 / Windows XP / SP3: Update for Windows XP (KB898461)
 / Windows XP / SP3: Security Update for Windows XP (KB899589)
 / Windows XP / SP3: Security Update for Windows XP (KB903235)
 / Windows XP / SP3: Security Update for Windows XP (KB905915)
 / Windows XP / SP3: Security Update for Windows XP (KB912812)
 / Windows XP / SP3: Security Update for Windows XP (KB913446)
 / Windows XP / SP3: Windows XP Service Pack 3
 / Windows XP / SP3: Microsoft .NET Framework 1.0 Hotfix (KB953295)
 / Windows XP / SP4: Security Update for Windows XP (KB923561)
 / Windows XP / SP4: Security Update for Windows XP (KB938464)
 / Windows XP / SP4: Security Update for Windows XP (KB946648)
 / Windows XP / SP4: Security Update for Windows XP (KB950760)
 / Windows XP / SP4: Security Update for Windows XP (KB950762)
 / Windows XP / SP4: Security Update for Windows XP (KB950974)
 / Windows XP / SP4: Security Update for Windows XP (KB951066)
 / Windows XP / SP4: Update for Windows XP (KB951072-v2)
 / Windows XP / SP4: Security Update for Windows XP (KB951376)
 / Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
 / Windows XP / SP4: Security Update for Windows XP (KB951698)
 / Windows XP / SP4: Security Update for Windows XP (KB951748)
 / Windows XP / SP4: Update for Windows XP (KB951978)
 / Windows XP / SP4: Security Update for Windows XP (KB952004)
 / Windows XP / SP4: Hotfix for Windows XP (KB952287)
 / Windows XP / SP4: Security Update for Windows XP (KB952954)
 / Windows XP / SP4: Security Update for Windows XP (KB953839)
 / Windows XP / SP4: Security Update for Windows XP (KB954211)
 / Windows XP / SP4: Security Update for Windows XP (KB954459)
 / Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
 / Windows XP / SP4: Security Update for Windows XP (KB954600)
 / Windows XP / SP4: Security Update for Windows XP (KB955069)
 / Windows XP / SP4: Update for Windows XP (KB955759)
 / Windows XP / SP4: Update for Windows XP (KB955839)
 / Windows XP / SP4: Security Update for Windows XP (KB956391)
 / Windows XP / SP4: Security Update for Windows XP (KB956572)
 / Windows XP / SP4: Security Update for Windows XP (KB956744)
 / Windows XP / SP4: Security Update for Windows XP (KB956802)
 / Windows XP / SP4: Security Update for Windows XP (KB956803)
 / Windows XP / SP4: Security Update for Windows XP (KB956841)
 / Windows XP / SP4: Security Update for Windows XP (KB956844)
 / Windows XP / SP4: Security Update for Windows XP (KB957095)
 / Windows XP / SP4: Security Update for Windows XP (KB957097)
 / Windows XP / SP4: Security Update for Windows XP (KB958644)
 / Windows XP / SP4: Security Update for Windows XP (KB958687)
 / Windows XP / SP4: Security Update for Windows XP (KB958690)
 / Windows XP / SP4: Security Update for Windows XP (KB958869)
 / Windows XP / SP4: Security Update for Windows XP (KB959426)
 / Windows XP / SP4: Security Update for Windows XP (KB960225)
 / Windows XP / SP4: Security Update for Windows XP (KB960715)
 / Windows XP / SP4: Security Update for Windows XP (KB960803)
 / Windows XP / SP4: Security Update for Windows XP (KB960859)
 / Windows XP / SP4: Hotfix for Windows XP (KB961118)
 / Windows XP / SP4: Security Update for Windows XP (KB961371)
 / Windows XP / SP4: Security Update for Windows XP (KB961373)
 / Windows XP / SP4: Security Update for Windows XP (KB961501)
 / Windows XP / SP4: Update for Windows XP (KB967715)
 / Windows XP / SP4: Update for Windows XP (KB968389)
 / Windows XP / SP4: Security Update for Windows XP (KB968537)
 / Windows XP / SP4: Security Update for Windows XP (KB969059)
 / Windows XP / SP4: Security Update for Windows XP (KB969898)
 / Windows XP / SP4: Security Update for Windows XP (KB969947)
 / Windows XP / SP4: Security Update for Windows XP (KB970238)
 / Windows XP / SP4: Security Update for Windows XP (KB970430)
 / Windows XP / SP4: Hotfix for Windows XP (KB970653-v3)
 / Windows XP / SP4: Security Update for Windows XP (KB971468)
 / Windows XP / SP4: Security Update for Windows XP (KB971486)
 / Windows XP / SP4: Security Update for Windows XP (KB971557)
 / Windows XP / SP4: Security Update for Windows XP (KB971633)
 / Windows XP / SP4: Security Update for Windows XP (KB971657)
 / Windows XP / SP4: Update for Windows XP (KB971737)
 / Windows XP / SP4: Security Update for Windows XP (KB971961)
 / Windows XP / SP4: Security Update for Windows XP (KB972270)
 / Windows XP / SP4: Security Update for Windows XP (KB973346)
 / Windows XP / SP4: Security Update for Windows XP (KB973354)
 / Windows XP / SP4: Security Update for Windows XP (KB973507)
 / Windows XP / SP4: Security Update for Windows XP (KB973525)
 / Windows XP / SP4: Update for Windows XP (KB973687)
 / Windows XP / SP4: Update for Windows XP (KB973815)
 / Windows XP / SP4: Security Update for Windows XP (KB973869)
 / Windows XP / SP4: Security Update for Windows XP (KB973904)
 / Windows XP / SP4: Security Update for Windows XP (KB974112)
 / Windows XP / SP4: Security Update for Windows XP (KB974318)
 / Windows XP / SP4: Security Update for Windows XP (KB974392)
 / Windows XP / SP4: Security Update for Windows XP (KB974571)
 / Windows XP / SP4: Security Update for Windows XP (KB975025)
 / Windows XP / SP4: Security Update for Windows XP (KB975467)
 / Windows XP / SP4: Security Update for Windows XP (KB975560)
 / Windows XP / SP4: Security Update for Windows XP (KB975713)
 / Windows XP / SP4: Hotfix for Windows XP (KB976098-v2)
 / Windows XP / SP4: Security Update for Windows XP (KB977165)
 / Windows XP / SP4: Security Update for Windows XP (KB977914)
 / Windows XP / SP4: Security Update for Windows XP (KB978037)
 / Windows XP / SP4: Security Update for Windows XP (KB978251)
 / Windows XP / SP4: Security Update for Windows XP (KB978262)
 / Windows XP / SP4: Security Update for Windows XP (KB978706)
 / Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221


--- Startup entries list ---
Located: HK_LM:Run, Adobe ARM
command: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
   file: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
   size: 948672
    MD5: 73BB442A717B9BB0097C243374C14A3E

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
   file: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
   size: 35760
    MD5: 466CE40EAA865752F4930A472563E4E1

Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
   file: C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
   size: 45056
    MD5: 64C4C17BF6A40FF1CD21205E6FD415B8

Located: HK_LM:Run, DLA
command: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
   file: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
   size: 122940
    MD5: CEFD0E35B35AFD9D1C2FEC9AF81AFDB8

Located: HK_LM:Run, ehTray
command: C:\WINDOWS\ehome\ehtray.exe
   file: C:\WINDOWS\ehome\ehtray.exe
   size: 67584
    MD5: 7E48B4958C131E9643DDCD2E7CA3FE9F

Located: HK_LM:Run, HP Software Update
command: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
   file: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
   size: 49152
    MD5: 926A397334FE426A6C7657096FE681DB

Located: HK_LM:Run, ISUSPM Startup
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
   file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
   size: 221184
    MD5: FB9E5C251CF6C37749F296BACB34A69B

Located: HK_LM:Run, ISUSScheduler
command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
   file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
   size: 81920
    MD5: 763DAB43BDAB27316DBF3373192823D7

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
   file: C:\Program Files\iTunes\iTunesHelper.exe
   size: 141608
    MD5: 8DC7685764B22DB97891012026FA7ED1

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
   file: C:\Program Files\QuickTime\QTTask.exe
   size: 417792
    MD5: 55D7A219AD8D0DB8980528944152A6FD

Located: HK_LM:Run, SigmatelSysTrayApp
command: stsystra.exe
   file: C:\WINDOWS\stsystra.exe
   size: 282624
    MD5: 289BDC9E5681BD1BE0FB871C460BD254

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
   file: C:\Program Files\Common Files\Java\Java Update\jusched.exe
   size: 246504
    MD5: E0D6538B62C79FCBF0B27F95FAF3208B

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
   size: 198160
    MD5: 29BE51557A3E686B297BE273EB17CA67

Located: HK_LM:Run, DMXLauncher (DISABLED)
command: C:\Program Files\Dell\Media Experience\DMXLauncher.exe
   file: C:\Program Files\Dell\Media Experience\DMXLauncher.exe
   size: 94208
    MD5: C24B51FAF9BAAEF67C484D60866693B1

Located: HK_CU:Run, ctfmon.exe
  where: S-1-5-21-1908293018-4181019595-1031187214-1006...
command: C:\WINDOWS\system32\ctfmon.exe
   file: C:\WINDOWS\system32\ctfmon.exe
   size: 15360
    MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, SpybotSD TeaTimer
  where: S-1-5-21-1908293018-4181019595-1031187214-1006...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
   size: 2260480
    MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, Steam
  where: S-1-5-21-1908293018-4181019595-1031187214-1006...
command: "c:\program files\steam\steam.exe" -silent
   file: c:\program files\steam\steam.exe
   size: 1217808
    MD5: A740B005ADD7DEBEAF922C4AE86F7C2D

Located: HK_CU:Run, DellSupport
  where: S-1-5-21-1908293018-4181019595-1031187214-500...
command: "C:\Program Files\Dell Support\DSAgnt.exe" /startup
   file: C:\Program Files\Dell Support\DSAgnt.exe
   size: 395776
    MD5: 825EDDDB0521EB2183C7E3C45BB5FE97

Located: Startup (common), Digital Line Detect.lnk
  where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Digital Line Detect\DLG.exe
   file: C:\Program Files\Digital Line Detect\DLG.exe
   size: 24576
    MD5: B66E56733E2CD6A10FDA5919625FBF46

Located: Startup (common), HP Digital Imaging Monitor.lnk
  where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
   file: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
   size: 288472
    MD5: 4543367E50BD35E7D1269D42841B156E

Located: Startup (common), Run Nintendo Wi-Fi USB Connector Registration Tool.lnk
  where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\WiFiConnector\NintendoWFCReg.exe
   file: C:\Program Files\WiFiConnector\NintendoWFCReg.exe
   size: 1073152
    MD5: E7F99344C5C441C0B7771E40C9E1E8C7

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
   file: Ati2evxx.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, avgrsstarter
command: avgrsstx.dll
   file: avgrsstx.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
   file: crypt32.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
   file: cryptnet.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
   file: cscdll.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
   file: %SystemRoot%\System32\dimsntfy.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
   file: wlnotify.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
   file: wlnotify.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
   file: sclgntfy.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
   file: WlNotify.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
   file: wlnotify.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
   file: WgaLogon.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
   file: wlnotify.dll
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!



--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: AcroIEHelperStub
        CLSID name: Adobe PDF Link Helper
              Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
         Long name: AcroIEHelperShim.dll
        Short name:       ACROIE~2.DLL
    Date (created): 12/21/2009 6:27:44 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 12/21/2009 6:27:44 PM
          Filesize:              75200
        Attributes:           archive 
               MD5: DC1E56092CC57FB4605B088D3DCCBF7A
             CRC32:           FF82C62B
           Version:          9.3.0.148

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (WormRadar.com IESiteBlocker.NavFilter)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: WormRadar.com IESiteBlocker.NavFilter
        CLSID name: AVG Safe Search
              Path: C:\Program Files\AVG\AVG9\
         Long name:        avgssie.dll
        Short name:                   
    Date (created): 1/12/2010 11:21:08 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 1/12/2010 11:21:08 PM
          Filesize:            1484056
        Attributes:           archive 
               MD5: F7CC657F40C56C9BA7C189066D259F9E
             CRC32:           DBEFFA87
           Version:          9.0.0.713

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: 
        CLSID name: Spybot-S&D IE Protection
       description: Spybot-S&D IE Browser plugin
    classification: Legitimate
    known filename: SDhelper.dll
         info link: http://spybot.eon.net.au/
       info source: Patrick M. Kolla
              Path: C:\PROGRA~1\SPYBOT~1\
         Long name:       SDHelper.dll
        Short name:                   
    Date (created): 6/2/2005 2:52:16 PM
Date (last access): 2/11/2010 10:19:30 AM
 Date (last write): 1/26/2009 3:31:02 PM
          Filesize:            1879896
        Attributes:           archive 
               MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
             CRC32:           5BA24007
           Version:           1.6.2.14

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: 
        CLSID name: Google Toolbar Helper
       description: Google toolbar
    classification: Open for discussion
    known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
         info link: http://toolbar.google.com/
       info source: TonyKlein
              Path: C:\Program Files\Google\Google Toolbar\
         Long name: GoogleToolbar_32.dll
        Short name:       GOOGLE~2.DLL
    Date (created): 11/27/2009 8:04:38 AM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 1/12/2010 11:09:28 PM
          Filesize:             263280
        Attributes:           archive 
               MD5: 6CAC864C230B5E520AD054CF2DD66D59
             CRC32:           7E94DC92
           Version:      6.3.1014.1517

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: 
        CLSID name: Google Toolbar Notifier BHO
              Path: C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\
         Long name:            swg.dll
        Short name:                   
    Date (created): 1/12/2010 11:20:18 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 1/12/2010 11:20:18 PM
          Filesize:             764912
        Attributes:           archive 
               MD5: CD91E666B2446530583FBFFCF537BE4C
             CRC32:           34534F50
           Version:      5.4.4525.1752

{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: 
        CLSID name: McAfee SiteAdvisor BHO
              Path: c:\PROGRA~1\mcafee\SITEAD~1\
         Long name:        McIEPlg.dll
        Short name:                   
    Date (created): 12/22/2008 11:20:50 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 12/23/2009 3:59:04 PM
          Filesize:             251416
        Attributes:           archive 
               MD5: 5F53D3BBF941C6F502C101DDDBEE3FAA
             CRC32:           FA368854
           Version:          3.1.0.134

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: 
        CLSID name: Java(tm) Plug-In 2 SSV Helper
              Path: C:\Program Files\Java\jre6\bin\
         Long name:         jp2ssv.dll
        Short name:                   
    Date (created): 1/11/2010 8:42:48 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 1/11/2010 8:42:48 PM
          Filesize:              41760
        Attributes:           archive 
               MD5: 883EF2DD3C9F68691CE02DAAC7267D41
             CRC32:           C0FCD56C
           Version:          6.0.180.7

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name: JQSIEStartDetectorImpl
        CLSID name: JQSIEStartDetectorImpl Class
              Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
         Long name:     jqs_plugin.dll
        Short name:       JQS_PL~1.DLL
    Date (created): 1/11/2010 8:42:48 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 1/11/2010 8:42:48 PM
          Filesize:              79648
        Attributes:           archive 
               MD5: FD60844F7DC0CF7C7AFA70B7EC6D0A7E
             CRC32:           386E7BEE
           Version:          6.0.180.7



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
          DPF name: Microsoft XML Parser for Java
        CLSID name: 
         Installer: 
          Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
       description: 
    classification: Legitimate
    known filename: %WINDIR%\Java\classes\xmldso.cab
         info link: 
       info source: Patrick M. Kolla

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
          DPF name: 
        CLSID name: Shockwave ActiveX Control
         Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
          Codebase: http://active.macromedia.com/director/cabs/sw.cab
       description: Macromedia ShockWave Flash Player 7
    classification: Legitimate
    known filename: SWDIR.DLL
         info link: 
       info source: Patrick M. Kolla
              Path: C:\WINDOWS\system32\Adobe\Director\
         Long name:          SwDir.dll
        Short name:                   
    Date (created): 1/18/2010 2:24:44 AM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 1/18/2010 2:24:44 AM
          Filesize:             213272
        Attributes:           archive 
               MD5: 9E6DEA101212D0244FA3F08945482413
             CRC32:           E3B3F3BE
           Version:         11.5.6.606

{215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6)
          DPF name: 
        CLSID name: Trend Micro ActiveX Scan Agent 6.6
         Installer: C:\WINDOWS\Downloaded Program Files\hcImpl.inf
          Codebase: http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
       description: 
    classification: Legitimate
    known filename: Housecall_ActiveX.dll
         info link: 
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name: Housecall_ActiveX.dll

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
          DPF name: 
        CLSID name: Office Update Installation Engine
         Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
          Codebase: http://office.microsoft.com/officeupdate/content/opuc2.cab
       description: 
    classification: Legitimate
    known filename: opuc.dll
         info link: 
       info source: Safer Networking Ltd.
              Path:        C:\WINDOWS\
         Long name:           opuc.dll
        Short name:                   
    Date (created): 1/18/2005 3:07:18 AM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 1/18/2005 3:07:18 AM
          Filesize:             326656
        Attributes:           archive 
               MD5: 20393D64F69F26361A97FD9AFB3C9243
             CRC32:           0B4DBA7F
           Version:        11.0.6466.0

{58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class)
          DPF name: 
        CLSID name: shizmoo Class
         Installer: C:\WINDOWS\Downloaded Program Files\webmoo.inf
          Codebase: http://www.kungfuchess.com/activex/web665.cab
       description: 
    classification: Open for discussion
    known filename: 
         info link: 
       info source: Safer Networking Ltd.
              Path: C:\Program Files\shizmoo\webgames\
         Long name:      webmoo665.dll
        Short name:       WEBMOO~1.DLL
    Date (created): 1/15/2008 1:19:14 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 10/29/2003 4:06:34 AM
          Filesize:              90112
        Attributes:           archive 
               MD5: 9BED4027BC3EFC880C450ACF81F48781
             CRC32:           6424EA65
           Version:          665.0.0.1

{5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class)
          DPF name: 
        CLSID name: ijjiPlugin2 Class
         Installer: C:\WINDOWS\Downloaded Program Files\ijjiPlugin2.inf
          Codebase: http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
              Path: C:\WINDOWS\system32\
         Long name:    ijjiPlugin2.dll
        Short name:       IJJIPL~1.DLL
    Date (created): 9/12/2007 5:49:32 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 6/21/2007 5:59:50 PM
          Filesize:              58776
        Attributes:           archive 
               MD5: B5101674241FB89A35B16F278EBE088A
             CRC32:           C8B835AA
           Version:            2.0.0.0

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
          DPF name: 
        CLSID name: WUWebControl Class
         Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
          Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165960990742
       description: 
    classification: Legitimate
    known filename: wuweb.dll
         info link: 
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\system32\
         Long name:          wuweb.dll
        Short name:                   
    Date (created): 8/16/2005 4:40:18 AM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 8/6/2009 6:24:18 PM
          Filesize:             209632
        Attributes:           archive 
               MD5: 033AF4CE25B6D871F0DE2C982658E049
             CRC32:           2C204902
           Version:       7.4.7600.226

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
          DPF name: Java Runtime Environment 1.6.0
        CLSID name: Java Plug-in 1.6.0_18
         Installer: 
          Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
       description: Sun Java
    classification: Legitimate
    known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
         info link: 
       info source: Patrick M. Kolla
              Path: C:\Program Files\Java\jre6\bin\
         Long name:    npjpi160_18.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 12/17/2009 3:02:50 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 12/17/2009 5:14:02 PM
          Filesize:             136992
        Attributes:           archive 
               MD5: FD681B5B1CEC8B3181E63A3CC9A8C5EF
             CRC32:           23BC9EDD
           Version:          6.0.180.7

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
          DPF name: 
        CLSID name: 
         Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
          Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
       description: 
    classification: Open for discussion
    known filename: 
         info link: 
       info source: Safer Networking Ltd.

{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
          DPF name: Java Runtime Environment 1.6.0
        CLSID name: Java Plug-in 1.6.0_18
         Installer: 
          Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
              Path: C:\Program Files\Java\jre6\bin\
         Long name:    npjpi160_18.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 12/17/2009 3:02:50 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 12/17/2009 5:14:02 PM
          Filesize:             136992
        Attributes:           archive 
               MD5: FD681B5B1CEC8B3181E63A3CC9A8C5EF
             CRC32:           23BC9EDD
           Version:          6.0.180.7

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
          DPF name: Java Runtime Environment 1.6.0
        CLSID name: Java Plug-in 1.6.0_18
         Installer: 
          Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
       description: 
    classification: Legitimate
    known filename: npjpi150_06.dll
         info link: 
       info source: Safer Networking Ltd.
              Path: C:\Program Files\Java\jre6\bin\
         Long name:    npjpi160_18.dll
        Short name:       NPJPI1~1.DLL
    Date (created): 12/17/2009 3:02:50 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 12/17/2009 5:14:02 PM
          Filesize:             136992
        Attributes:           archive 
               MD5: FD681B5B1CEC8B3181E63A3CC9A8C5EF
             CRC32:           23BC9EDD
           Version:          6.0.180.7

{CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class)
          DPF name: 
        CLSID name: HGPlugin9USA Class
         Installer: C:\WINDOWS\Downloaded Program Files\HGPlugin9USA.inf
          Codebase: http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
       description: 
    classification: Legitimate
    known filename: HGPlugin9USA.dll
         info link: 
       info source: Safer Networking Ltd.
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:   HGPlugin9USA.dll
        Short name:       HGPLUG~1.DLL
    Date (created): 8/9/2006 8:56:06 PM
Date (last access): 2/11/2010 10:19:32 AM
 Date (last write): 8/9/2006 8:56:06 PM
          Filesize:              53248
        Attributes:           archive 
               MD5: D075F38B14A69362897FA1010A676A7B
             CRC32:           A87C7F44
           Version:            9.0.0.0

{D27CDB6E-AE6D-11CF-96B8-444553540000} ()
          DPF name: 
        CLSID name: 
         Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
          Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
       description: Macromedia Shockwave Flash Player
    classification: Legitimate
    known filename: 
         info link: 
       info source: Patrick M. Kolla



--- Process list ---
PID:    0 (   0) [System]
PID:  764 (   4) \SystemRoot\System32\smss.exe
 size: 50688
PID:  816 ( 764) \??\C:\WINDOWS\system32\csrss.exe
 size: 6144
PID:  848 ( 764) \??\C:\WINDOWS\system32\winlogon.exe
 size: 507904
PID:  892 ( 848) C:\WINDOWS\system32\services.exe
 size: 110592
  MD5: 65DF52F5B8B6E9BBD183505225C37315
PID:  904 ( 848) C:\WINDOWS\system32\lsass.exe
 size: 13312
  MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1120 ( 892) C:\WINDOWS\system32\Ati2evxx.exe
 size: 561152
  MD5: 3C94E4E7983EFF03E7E128325891EA80
PID: 1136 ( 892) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1188 ( 892) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1548 ( 892) C:\WINDOWS\System32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1628 ( 892) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1696 ( 848) C:\WINDOWS\system32\Ati2evxx.exe
 size: 561152
  MD5: 3C94E4E7983EFF03E7E128325891EA80
PID: 1724 ( 848) C:\Program Files\AVG\AVG9\avgchsvx.exe
 size: 1055000
  MD5: 5BB7141D64039953C82CF1BFAC0072C8
PID: 1732 ( 848) C:\Program Files\AVG\AVG9\avgrsx.exe
 size: 503576
  MD5: 66A153463F0435369E8291DCCD152C2F
PID: 1892 ( 892) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1968 (1732) C:\Program Files\AVG\AVG9\avgcsrvx.exe
 size: 702744
  MD5: 64B2872A01F80FD3EC5E3AE111451DB0
PID:  496 ( 468) C:\WINDOWS\Explorer.EXE
 size: 1033728
  MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID:  648 ( 892) C:\WINDOWS\system32\spoolsv.exe
 size: 57856
  MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1316 ( 496) C:\WINDOWS\stsystra.exe
 size: 282624
  MD5: 289BDC9E5681BD1BE0FB871C460BD254
PID: 1324 ( 496) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 size: 45056
  MD5: 64C4C17BF6A40FF1CD21205E6FD415B8
PID: 1332 ( 496) C:\WINDOWS\System32\DLA\DLACTRLW.EXE
 size: 122940
  MD5: CEFD0E35B35AFD9D1C2FEC9AF81AFDB8
PID: 1348 ( 496) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
 size: 81920
  MD5: 763DAB43BDAB27316DBF3373192823D7
PID: 1356 ( 496) C:\WINDOWS\ehome\ehtray.exe
 size: 67584
  MD5: 7E48B4958C131E9643DDCD2E7CA3FE9F
PID: 1380 ( 496) C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
 size: 49152
  MD5: 926A397334FE426A6C7657096FE681DB
PID: 1388 ( 496) C:\Program Files\Common Files\Java\Java Update\jusched.exe
 size: 246504
  MD5: E0D6538B62C79FCBF0B27F95FAF3208B
PID: 1440 ( 496) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
 size: 198160
  MD5: 29BE51557A3E686B297BE273EB17CA67
PID: 1504 ( 496) C:\Program Files\iTunes\iTunesHelper.exe
 size: 141608
  MD5: 8DC7685764B22DB97891012026FA7ED1
PID: 1520 ( 496) C:\program files\steam\steam.exe
 size: 1217808
  MD5: A740B005ADD7DEBEAF922C4AE86F7C2D
PID: 1580 ( 496) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
 size: 2260480
  MD5: 390679F7A217A5E73D756276C40AE887
PID: 1664 ( 496) C:\WINDOWS\system32\ctfmon.exe
 size: 15360
  MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 1824 ( 496) C:\Program Files\Digital Line Detect\DLG.exe
 size: 24576
  MD5: B66E56733E2CD6A10FDA5919625FBF46
PID:  248 ( 496) C:\Program Files\WiFiConnector\NintendoWFCReg.exe
 size: 1073152
  MD5: E7F99344C5C441C0B7771E40C9E1E8C7
PID:  976 ( 892) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID:  908 ( 892) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 size: 144712
  MD5: 7E94E567C1AA5ABE6174032B3DAB6C23
PID: 1604 ( 892) C:\Program Files\AVG\AVG9\avgwdsvc.exe
 size: 285392
  MD5: 7E7B5FA964F578ACD655E8BEEAE2A5CA
PID: 1716 ( 892) C:\Program Files\Bonjour\mDNSResponder.exe
 size: 238888
  MD5: 3F56903E124E820AEECE6D471583C6C1
PID: 2084 ( 892) C:\WINDOWS\eHome\ehRecvr.exe
 size: 237568
  MD5: 5D1347AA5AE6E2F77D7F4F8372D95AC9
PID: 2224 ( 892) C:\WINDOWS\eHome\ehSched.exe
 size: 102912
  MD5: A53243709439AC2A4C216B817F8D7411
PID: 2420 ( 892) C:\Program Files\Java\jre6\bin\jqs.exe
 size: 153376
  MD5: 77AC10DB097DFD0CD3071465B644D0AB
PID: 2476 ( 892) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
 size: 93320
  MD5: 6457A49B09540FE1054099CA0A5F741F
PID: 2832 ( 892) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
 size: 322120
  MD5: 11F714F85530A2BD134074DC30E99FCA
PID: 2916 (1604) C:\Program Files\AVG\AVG9\avgnsx.exe
 size: 600344
  MD5: 43E406C4660125C003DC898AE936157F
PID: 2968 ( 892) C:\WINDOWS\system32\HPZipm12.exe
 size: 69632
  MD5: D31F88C5F19EEFA366A415D6BC5F2ABC
PID: 3268 ( 892) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 3392 ( 892) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 3664 ( 892) C:\WINDOWS\ehome\mcrdsvc.exe
 size: 99328
  MD5: DF0A511F38F16016BF658FCA0090CB87
PID: 1596 ( 892) C:\Program Files\iPod\bin\iPodService.exe
 size: 545576
  MD5: 1E6F080D5EDB4C3B4C4EB787A0848DCC
PID: 2148 ( 892) C:\WINDOWS\system32\dllhost.exe
 size: 5120
  MD5: 0A9BA6AF531AFE7FA5E4FB973852D863
PID: 3624 ( 892) C:\WINDOWS\System32\alg.exe
 size: 44544
  MD5: 8C515081584A38AA007909CD02020B3D
PID: 4036 ( 892) C:\WINDOWS\System32\svchost.exe
 size: 14336
  MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 3724 (1136) C:\WINDOWS\eHome\ehmsas.exe
 size: 46592
  MD5: 03A905FBA1D62317087DB5C21C0F8F62
PID: 2724 (1324) C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 size: 45056
  MD5: 64C4C17BF6A40FF1CD21205E6FD415B8
PID: 3240 ( 496) C:\Program Files\Trillian\trillian.exe
 size: 1873280
  MD5: D5A9CF972E155A10AD68D5C1866C3124
PID: 2440 ( 496) C:\Program Files\mIRC\mirc.exe
 size: 1949696
  MD5: 0471108D25398E9F200FD7C580082A8E
PID: 1460 ( 496) C:\Program Files\Mozilla Firefox\firefox.exe
 size: 908248
  MD5: B4A8CA9A1EEEE32A4DC5D323A002ED3F
PID: 4500 ( 496) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
 size: 5365592
  MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID:    4 (   0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 2/11/2010 10:22:57 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
  http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
  http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
  http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol  0: MSAFD Tcpip [TCP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip [*]

Protocol  1: MSAFD Tcpip [UDP/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip [*]

Protocol  2: MSAFD Tcpip [RAW/IP]
        GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP IP protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD Tcpip [*]

Protocol  3: RSVP UDP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
 Description: Microsoft Windows NT/2k/XP RVSP
 DB filename: %SystemRoot%\system32\rsvpsp.dll
 DB protocol: RSVP * Service Provider

Protocol  4: RSVP TCP Service Provider
        GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
    Filename: %SystemRoot%\system32\rsvpsp.dll
 Description: Microsoft Windows NT/2k/XP RVSP
 DB filename: %SystemRoot%\system32\rsvpsp.dll
 DB protocol: RSVP * Service Provider

Protocol  5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF83F386-2883-46A3-AA2E-9EDA4B34CE7C}] SEQPACKET 5
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF83F386-2883-46A3-AA2E-9EDA4B34CE7C}] DATAGRAM 5
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACF728AF-8BFB-419C-A62C-7F6420D4E44F}] SEQPACKET 4
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACF728AF-8BFB-419C-A62C-7F6420D4E44F}] DATAGRAM 4
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol  9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{651F9C10-8AD0-4011-A45A-299F4FFAEB1D}] SEQPACKET 3
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{651F9C10-8AD0-4011-A45A-299F4FFAEB1D}] DATAGRAM 3
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D9F149B7-EA29-4B2A-8A1F-BAB8AA73B5A3}] SEQPACKET 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D9F149B7-EA29-4B2A-8A1F-BAB8AA73B5A3}] DATAGRAM 0
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29B39846-0902-49E5-B96A-2F1FC54E9A72}] SEQPACKET 1
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29B39846-0902-49E5-B96A-2F1FC54E9A72}] DATAGRAM 1
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}] SEQPACKET 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}] DATAGRAM 2
        GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
    Filename: %SystemRoot%\system32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP NetBios protocol
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: MSAFD NetBIOS *

Namespace Provider  0: Tcpip
        GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
    Filename: %SystemRoot%\System32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: TCP/IP

Namespace Provider  1: NTDS
        GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
    Filename: %SystemRoot%\System32\winrnr.dll
 Description: Microsoft Windows NT/2k/XP name space provider
 DB filename: %SystemRoot%\system32\winrnr.dll
 DB protocol: NTDS

Namespace Provider  2: Network Location Awareness (NLA) Namespace
        GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
    Filename: %SystemRoot%\System32\mswsock.dll
 Description: Microsoft Windows NT/2k/XP name space provider
 DB filename: %SystemRoot%\system32\mswsock.dll
 DB protocol: NLA-Namespace

Namespace Provider  3: mdnsNSP
        GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
    Filename: C:\Program Files\Bonjour\mdnsNSP.dll
 Description: Apple Rendezvous protocol
 DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
 DB protocol: mdnsNSP

Yeah I know, logs should just go directly to the textbox of the post... I figured this would make the rest of my post easier to read since I'm not even sure yet if this is what you wanted. If it is, great! We just saved ourselves a day of waiting. :P If not, I'll get what you're looking for or I'll do another scan if necessary. As I said, I haven't had any issues since around the third ComboFix run but there could always be some asymptomatic evil still lurking.

Well, off to class, where I will be gone all day and completely miss you when you're active. :slap:
 
Oh, and for what it's worth, AVG didn't find anything in yesterday's scan either. Sorry I forgot to mention that previously.
 
Hi,

That's a different report. Better run a fresh scan with Spybot and see if it finds anything.
 
I ran another Spybot scan and it did not find anything this time. Where can I find the log file you want, just for future reference?
 
It probably requires that you save the results after the scan.
 
Since Spybot didn't find anything the second time, does that mean we might finally be done here? :) If you want, I can scan again and see if I can save a log.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 