Pe_virut.av Is Some Sorta Supervirus Or Something


  • This topic is locked
6 replies to this topic

#1 TStrauss

TStrauss

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:58 PM

Posted 16 December 2007 - 11:07 PM

Nothing has been able to get rid of this thing: Trend Micro AV, Spybot, Super antispyware, nothing. Please someone have an answer, because I don't know what else to try.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:26 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Palm\HOTSYNC.EXE
D:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\cmd.exe
C:\HijackThis\HijackThis.exe
D:\Documents and Settings\Toby\Desktop\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {177658C0-6B60-40FA-9A49-0E1A7E8C5ACC} - (no file)
O2 - BHO: (no name) - {316BC31E-EFAC-4974-A942-1D23AC48CC0F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {94AAA916-62FE-115C-DE2F-4BE670815CE5} - (no file)
O2 - BHO: (no name) - {C0F2FF43-34AD-135F-8B2F-4BE670815CE6} - (no file)
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] D:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] D:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] D:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] D:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LyraHD2TrayApp] "D:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aeas] "D:\PROGRA~1\COMMON~1\DOBE~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [Ajygr] D:\WINDOWS\?ystem32\m?iexec.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Belkin 11Mbps Wireless Desktop Network Card Monitor.lnk = D:\WINDOWS\system32\BelkinMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195350072120
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195367443203
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_a...asyInstallX.CAB
O23 - Service: Application Management (AppMgmt) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - D:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Server (lanmanserver) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Network Connections (Netman) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - D:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - D:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - D:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
O23 - Service: Security Center (wscsvc) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - D:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - D:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - D:\WINDOWS\System32\svchost.exe

--
End of file - 11451 bytes
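A triage pass over lines in the format of the log above, as an added example for this thread (it is not code from HijackThis, ComboFix or any participant). It applies three conservative, read-only checks: BHO entries whose DLL is missing, Run entries whose path shows a character that Windows does not allow in a file name (such as `?`, so the displayed name cannot be the real one), and Run entries that launch a file carrying a core system binary's name from outside system32. The sample lines are copied from the posted log; the list of system binary names and the extension list are assumptions of this example, not a definitive indicator set.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; not part of HijackThis and not code from any
post above. It applies three defender heuristics to O2 (BHO) and O4 (Run key)
entries and returns findings for a human to review. It changes nothing.
"""
import re
from typing import List, Tuple

# Windows binaries that normally live only under %SystemRoot%\system32
# (assumed list for this example). A copy of one of these names anywhere
# else deserves a second look.
SYSTEM_BINARIES = {
    "smss.exe", "lsass.exe", "spoolsv.exe", "logonui.exe",
    "winlogon.exe", "services.exe", "csrss.exe", "svchost.exe",
}

# Characters Windows does not allow in a file or directory name. A path
# that displays one of them cannot be showing the real on-disk name.
INVALID_NAME_CHARS = set('<>:"|?*')

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)', re.IGNORECASE)


def extract_path(cmd: str) -> str:
    """Return the program path from a Run-key command line.

    Quoted paths are taken verbatim; unquoted ones end at the first known
    executable extension, falling back to the first whitespace-delimited token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def triage_line(line: str) -> List[str]:
    """Return human-readable findings for one log line (empty list if none)."""
    findings: List[str] = []
    m = O2_RE.match(line)
    if m:
        if m.group("path").strip() == "(no file)":
            findings.append(
                f"BHO {{{m.group('clsid')}}} is registered but its DLL is missing (orphaned entry)"
            )
        return findings
    m = O4_RE.match(line)
    if not m:
        return findings
    path = extract_path(m.group("cmd"))
    # The drive colon is legitimate; everything after it must be a valid name.
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    bad = sorted(INVALID_NAME_CHARS.intersection(body))
    if bad:
        findings.append(
            f"Run entry [{m.group('name')}] path contains {bad!r}, which cannot occur in a "
            "real Windows path; the displayed name is not the real one"
        )
    base = path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_BINARIES and "system32" not in path.lower():
        findings.append(
            f"Run entry [{m.group('name')}] launches {base}, a system binary name, "
            f"from outside system32: {path}"
        )
    return findings


def triage_log(lines) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every line and keep only lines with findings."""
    out = []
    for line in lines:
        f = triage_line(line.rstrip("\r\n"))
        if f:
            out.append((line, f))
    return out


# Lines copied from the HijackThis log posted above, benign and suspect mixed.
SAMPLE_LOG = (
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {177658C0-6B60-40FA-9A49-0E1A7E8C5ACC} - (no file)",
    r"O2 - BHO: (no name) - {94AAA916-62FE-115C-DE2F-4BE670815CE5} - (no file)",
    r'O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"',
    r"O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Aeas] "D:\PROGRA~1\COMMON~1\DOBE~1\logonui.exe" -vt yazb',
    r"O4 - HKCU\..\Run: [Ajygr] D:\WINDOWS\?ystem32\m?iexec.exe",
)

if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
```

Run as a script it prints the four flagged lines from the sample with the reason for each; the benign ATI, RunDll32, dumprep and ctfmon entries produce no finding. The checks are deliberately narrow so that a human still decides what to do with each hit.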




#2 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:08:58 PM

Posted 17 December 2007 - 03:44 AM

Hello TStrauss and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.


Nothing has been able to get rid of this thing: Trend Micro AV, Spybot, Super antispyware, nothing. Please someone have an answer, because I don't know what else to try.


Pe_virut.av - This is a file-infecting virus which infects .EXE and .SCR files; it also has backdoor capabilities. I suggest that you make a backup of any important documents you might need. You can also back up your music and picture files, but don't back up any .exe or .scr files, and also do not back up any zipped or RAR files that contain an exe or scr inside. All these will be infected and you run a risk of getting infected again if you use them anywhere else.

I am afraid that when dealing with file-infecting viruses like this variant, a clean reformat is the best and probably the only choice. Even though some antivirus vendors claim that they can clean this virus, the files after that are damaged and not usable, and because by now most probably all your files are infected, you might end up with a computer that is not able to boot.

I would like to know:

- Do you have recovery cd or back up image of the system;
- Do you have important data on the computer and do you have a back up of it;
- Is this computer used for work, a company computer and contain any client's sensitive info;

Because at this moment I don't have enough information about your computer, and whether the file-infecting virus is in quarantine or is spreading in the computer, I suggest that you follow the steps below and post back with the reports so we can have more reliable info and, according to it, make the right decision.



Step #1

1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download combofix from one of these links:
Link1
Link2
3. Double click combofix.exe & follow the prompts.
4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note:
Combofix should never take more than 20 minutes including the reboot if malware is detected.

If it does, open task-manager > use the processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened we want to know, and also what process you had to end.

Step #2

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!


Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
In your next post include combofix report, Kaspersky report, new HijackThis log, also answers to requested info.

Please also do not insert "Center" or anything similar in your reports because it makes them more difficult for reading.


Regards,

Edited by SNOWHITE, 17 December 2007 - 03:46 AM.

SNOWHITE
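The backup rule given in this post (documents, music and pictures may be copied; .exe and .scr files, and archives that contain them, may not) as an added dry-run classifier. This is example code written for this thread, not a tool from BleepingComputer, SNOWHITE or any antivirus vendor. It builds a throwaway sample tree with constructed files so it runs offline, and it only reports a decision per file; the actual copying is left to the operator. RAR archives cannot be opened with the Python standard library, so the example treats them as unsafe rather than guessing at their contents.

```python
"""Select files that are safe to back up off a machine with a file infector.

Added example for this thread, not code from any post above. It implements
the rule in the post (data files yes; .exe/.scr no; archives holding an
.exe/.scr no) as a read-only classifier and returns one decision per file.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Tuple

INFECTABLE = {".exe", ".scr"}   # extensions the post says this virus infects
ARCHIVES = {".zip", ".rar"}     # archive types the post says to check inside


def archive_has_infectable(path: Path) -> Tuple[bool, str]:
    """Return (unsafe, reason) for an archive.

    RAR is not readable with the standard library, so it is reported unsafe
    instead of guessed at; unreadable zips are treated the same way.
    """
    if path.suffix.lower() == ".rar":
        return True, "rar contents cannot be inspected here; treat as unsafe"
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if Path(member).suffix.lower() in INFECTABLE:
                    return True, f"archive contains {member}"
    except zipfile.BadZipFile:
        return True, "not a valid zip; cannot inspect"
    return False, "archive contains no .exe/.scr"


def classify_tree(root: Path) -> Dict[str, Tuple[str, str]]:
    """Map each file under root (POSIX-style relative path) to (decision, reason)."""
    decisions: Dict[str, Tuple[str, str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in INFECTABLE:
            decisions[rel] = ("skip", f"{ext} files are infected by this virus family")
        elif ext in ARCHIVES:
            unsafe, why = archive_has_infectable(path)
            decisions[rel] = ("skip" if unsafe else "copy", why)
        else:
            decisions[rel] = ("copy", "data file")
    return decisions


def build_sample_tree() -> Path:
    """Create a constructed directory tree for the demonstration (not real user data)."""
    root = Path(tempfile.mkdtemp(prefix="virut_backup_demo_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "notes.txt").write_text("constructed sample document\n")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    (root / "setup.exe").write_bytes(b"MZ constructed stub")
    (root / "saver.scr").write_bytes(b"MZ constructed stub")
    with zipfile.ZipFile(root / "reports.zip", "w") as zf:
        zf.writestr("report.txt", "constructed report")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("bin/tool.exe", "MZ constructed stub")
    (root / "songs.rar").write_bytes(b"Rar!\x1a\x07\x00 constructed stub")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, (decision, reason) in classify_tree(sample_root).items():
        print(f"{decision:4}  {rel:24} {reason}")
```

On the constructed tree the three data files are marked `copy` (the zip holding only a text report included), while the two infectable files, the zip that holds an `.exe`, and the RAR are marked `skip`. Pointing `classify_tree` at a real profile directory gives the same report for that machine without touching any file.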

#3 TStrauss

TStrauss
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:58 PM

Posted 17 December 2007 - 07:51 PM

This is not a work PC. I would like to try and avoid wiping as I reinstalled Windows about a month ago (hardware change required it). However, if it comes to that I do have the CDs to reinstall somewhere around here :thumbsup: Kaspersky log is attached, combofix log is included. Note that I ran these from safe mode; regular mode is not functioning correctly now ;(

Combofix log:
ComboFix 07-12-17.1 - Toby 2007-12-17 14:58:24.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1009 [GMT -8:00]
Running from: D:\Documents and Settings\Toby\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
D:\Program Files\Helper
D:\Program Files\Helper\Helper6.dll
D:\Program Files\icroso~1.net
D:\Program Files\icroso~1.net\?icrosoft.NET\
D:\Program Files\Llkkjicm
D:\Program Files\Llkkjicm\pfnfhiqi.dll
D:\Program Files\SecCenter
D:\Program Files\smss.exe
D:\Program Files\spoolsv.exe
D:\Program Files\ssembl~1
D:\Program Files\ssembl~1\m?hta.exe
D:\WINDOWS\ystem3~1

.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-16 20:25 . 2007-12-16 20:25 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2007-12-16 20:25 . 1999-03-12 14:31 7,440 --a------ D:\WINDOWS\system32\sporder.dll
2007-12-16 20:25 . 2007-12-16 20:27 4,212 ---h----- D:\WINDOWS\system32\zllictbl.dat
2007-12-15 21:59 . 2007-12-15 21:59 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Trend Micro
2007-12-15 21:59 . 2007-09-18 01:10 138,512 --a------ D:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-15 21:59 . 2007-09-18 01:10 52,496 --a------ D:\WINDOWS\system32\drivers\tmactmon.sys
2007-12-15 21:59 . 2007-09-18 01:10 52,368 --a------ D:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-12-15 21:58 . 2007-12-15 21:59 <DIR> d-------- D:\Program Files\Trend Micro
2007-12-15 21:37 . 2007-09-05 23:22 289,144 --a------ D:\WINDOWS\system32\VCCLSID.exe
2007-12-15 21:37 . 2006-04-27 16:49 288,417 --a------ D:\WINDOWS\system32\SrchSTS.exe
2007-12-15 21:37 . 2007-12-17 10:15 87,552 --a------ D:\WINDOWS\system32\IEDFix.exe
2007-12-15 21:37 . 2007-12-17 10:16 61,440 --a------ D:\WINDOWS\system32\Process.exe
2007-12-15 21:37 . 2007-12-17 10:16 36,352 --a------ D:\WINDOWS\system32\WS2Fix.exe
2007-12-15 21:12 . 2007-12-17 10:02 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2007-12-15 21:12 . 2007-12-15 21:12 <DIR> d-------- D:\Documents and Settings\Toby\Application Data\SUPERAntiSpyware.com
2007-12-15 21:12 . 2007-12-15 21:12 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2007-12-15 20:05 . 2007-12-15 20:05 <DIR> d-------- D:\VundoFix Backups
2007-12-15 20:00 . 2007-12-15 21:31 <DIR> d-a------ D:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-12-15 19:41 . 2005-09-23 08:29 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll
2007-12-15 16:03 . 2007-12-17 09:45 <DIR> d-------- D:\Documents and Settings\Administrator.TOMSERVO\.housecall6.6
2007-12-15 15:06 . 2007-12-15 15:06 <DIR> d-------- D:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\AVG7
2007-12-15 15:05 . 2007-12-15 15:05 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2007-12-15 15:05 . 2007-12-15 22:02 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2007-12-15 15:05 . 2007-12-15 15:05 499,712 --a------ D:\WINDOWS\system32\msvcp71.dll
2007-12-15 13:21 . 2007-12-17 09:47 <DIR> d-------- D:\Documents and Settings\Toby\.housecall6.6
2007-12-15 13:17 . 2007-09-24 23:31 69,632 --a------ D:\WINDOWS\system32\javacpl.cpl
2007-12-15 13:09 . 2007-12-15 13:09 <DIR> d-------- D:\Documents and Settings\Toby\Application Data\Earthsim
2007-12-15 12:01 . 2007-12-15 20:17 11,280 --ahs---- D:\WINDOWS\system32\stutv.ini2
2007-12-15 11:27 . 2007-12-15 12:29 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-12-15 11:20 . 2007-12-17 09:59 32,768 -r-hs---- D:\Program Files\lsass.exe
2007-12-15 11:17 . 2007-12-15 19:16 <DIR> d-------- D:\WINDOWS\system32\juvprpba
2007-12-15 11:17 . 2007-12-17 09:54 <DIR> d-------- D:\Program Files\AquariaDemo
2007-12-09 16:07 . 2007-12-09 16:07 <DIR> d-------- D:\Documents and Settings\Toby\Application Data\Snapfish
2007-12-09 16:07 . 2007-12-15 13:45 1,263 --a------ D:\WINDOWS\mozver.dat
2007-12-07 13:20 . 2007-12-07 13:24 <DIR> d-------- D:\Program Files\ATI Technologies
2007-12-07 12:32 . 2007-12-15 11:54 80 --a------ D:\WINDOWS\WININIT.INI
2007-12-07 12:30 . 2007-12-07 12:30 552 --a------ D:\WINDOWS\system32\d3d8caps.dat
2007-12-07 12:22 . 2007-12-07 12:22 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\ArcSoft
2007-12-07 12:21 . 2007-12-07 12:21 <DIR> d-------- D:\Documents and Settings\Toby\Application Data\ArcSoft
2007-12-02 14:23 . 1995-07-31 13:44 212,480 --a------ D:\WINDOWS\PCDLIB32.DLL
2007-12-02 14:23 . 2007-12-17 10:16 172,032 --a------ D:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-12-02 14:22 . 2007-12-02 14:22 <DIR> d-------- D:\Program Files\ArcSoft
2007-12-02 14:21 . 2007-12-02 14:21 <DIR> d-------- D:\Program Files\Samsung
2007-12-02 14:20 . 2000-10-21 13:29 102,912 -ra------ D:\WINDOWS\system32\JPEGCODE.DLL
2007-12-02 03:01 . 2007-12-02 03:01 <DIR> d-------- D:\Program Files\MSXML 6.0
2007-12-01 11:12 . 2007-12-15 14:49 <DIR> d-------- D:\Temp
2007-12-01 11:10 . 2007-12-01 11:10 <DIR> d-------- D:\Program Files\MSBuild
2007-12-01 11:05 . 2007-12-01 11:05 <DIR> d-------- D:\WINDOWS\system32\XPSViewer
2007-12-01 11:04 . 2007-12-01 11:04 <DIR> d-------- D:\Program Files\Reference Assemblies
2007-12-01 11:03 . 2006-06-29 13:07 14,048 --a------ D:\WINDOWS\system32\spmsg2.dll
2007-12-01 10:49 . 2007-12-17 09:55 <DIR> d-------- D:\Program Files\Boilsoft MP4 Converter
2007-11-29 07:18 . 2007-11-29 07:18 <DIR> d-------- D:\Documents and Settings\Toby\Application Data\InstallShield
2007-11-26 17:53 . 2007-11-26 17:53 <DIR> d-------- D:\Program Files\Thomson
2007-11-25 13:32 . 2001-08-17 14:02 9,600 --a------ D:\WINDOWS\system32\drivers\hidusb.sys
2007-11-25 13:32 . 2001-08-17 14:02 9,600 --a--c--- D:\WINDOWS\system32\dllcache\hidusb.sys
2007-11-25 10:01 . 2007-11-25 10:01 <DIR> d-------- D:\Documents and Settings\Toby\Application Data\Apple Computer
2007-11-25 09:48 . 2007-11-25 10:01 <DIR> d-------- D:\Program Files\PSPEnc
2007-11-25 09:48 . 2007-11-25 09:48 <DIR> d-------- D:\Program Files\AviSynth 2.5
2007-11-25 07:35 . 2007-12-15 14:27 54,156 --ah----- D:\WINDOWS\QTFont.qfn
2007-11-25 07:35 . 2007-11-25 07:35 1,409 --a------ D:\WINDOWS\QTFont.for
2007-11-25 07:34 . 2007-12-17 10:01 <DIR> d-------- D:\Program Files\QuickTime
2007-11-25 07:34 . 2007-11-25 07:34 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2007-11-25 07:33 . 2007-11-25 07:33 <DIR> d-------- D:\Program Files\Apple Software Update
2007-11-25 07:33 . 2007-11-25 07:33 <DIR> d-------- D:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2007-11-24 21:16 . 2006-10-04 06:06 1,197,294 -----c--- D:\WINDOWS\system32\dllcache\sysmain.sdb
2007-11-24 21:16 . 2006-10-04 06:06 764,868 -----c--- D:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-11-24 21:16 . 2006-10-04 06:06 217,118 -----c--- D:\WINDOWS\system32\dllcache\apphelp.sdb
2007-11-24 21:10 . 2007-11-24 21:10 <DIR> d-------- D:\Program Files\MSXML 4.0
2007-11-24 18:14 . 2007-11-24 18:53 <DIR> d-------- D:\Program Files\Personal Media Manager
2007-11-24 17:27 . 2004-08-03 22:08 26,496 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-24 14:23 . 2007-11-24 14:23 <DIR> dr------- D:\Documents and Settings\Toby\Application Data\Brother
2007-11-24 12:52 . 2007-12-17 10:16 <DIR> d-------- D:\WINDOWS\system32\WinXP
2007-11-24 12:52 . 2007-12-17 10:16 <DIR> d-------- D:\WINDOWS\system32\Win2K
2007-11-24 12:52 . 2003-07-25 16:28 872,448 --a------ D:\WINDOWS\system32\bcmwlcpl.cpl
2007-11-24 12:52 . 2007-12-17 10:14 471,040 --a------ D:\WINDOWS\system32\bcmwltry.exe
2007-11-24 12:52 . 2003-07-17 16:40 265,728 --a------ D:\WINDOWS\system32\bcmwl5.sys
2007-11-24 12:52 . 2007-12-17 10:14 151,552 --a------ D:\WINDOWS\system32\bcmwlu00.exe
2007-11-24 12:52 . 2007-12-17 10:14 65,536 --a------ D:\WINDOWS\system32\bcmwld2k.exe
2007-11-24 12:52 . 2003-07-17 16:40 9,600 --a------ D:\WINDOWS\system32\bcmwlntp.sys
2007-11-24 12:52 . 2007-11-24 12:52 23 --a------ D:\WINDOWS\BCMWL.DMR
2007-11-24 12:42 . 2005-10-03 09:49 204,800 --a------ D:\WINDOWS\system32\UploadDLL.dll
2007-11-24 12:42 . 2005-11-20 04:31 192,512 --a------ D:\WINDOWS\system32\blkwcd.dll
2007-11-24 12:42 . 2005-10-03 09:50 167,936 --a------ D:\WINDOWS\system32\BelkinwcuiDLL.dll
2007-11-24 12:42 . 2005-10-03 09:50 101,888 --a------ D:\WINDOWS\system32\CrashRpt.dll
2007-11-24 12:42 . 2005-10-03 09:49 81,920 --a------ D:\WINDOWS\system32\brdcm2k.dll
2007-11-24 12:42 . 2005-10-03 09:49 61,440 --a------ D:\WINDOWS\system32\BelkinHWStatus.dll
2007-11-24 12:42 . 2004-10-29 12:09 53,248 --a------ D:\WINDOWS\system32\preflib.dll
2007-11-24 12:18 . 2001-08-17 12:11 26,568 --a------ D:\WINDOWS\system32\drivers\BCM4E5.SYS
2007-11-24 12:18 . 2001-08-17 12:11 26,568 --a--c--- D:\WINDOWS\system32\dllcache\bcm4e5.sys
2007-11-24 11:21 . 2007-12-17 10:14 380,928 --a------ D:\WINDOWS\system32\BelkinMonitor.exe
2007-11-24 11:21 . 2002-11-12 17:26 110,592 --a------ D:\WINDOWS\system32\BelkinRes.dll
2007-11-24 11:21 . 2002-11-01 18:32 81,920 --a------ D:\WINDOWS\system32\install.dll
2007-11-24 11:21 . 2002-11-07 05:43 78,720 --a------ D:\WINDOWS\system32\drivers\BEL6001p.sys
2007-11-24 11:21 . 2002-09-19 23:11 61,440 --a------ D:\WINDOWS\system32\bkw32n50.DLL
2007-11-24 11:21 . 2002-09-27 18:17 16,929 --a------ D:\WINDOWS\system32\BelkinMonitor.chm
2007-11-24 11:21 . 2002-09-19 23:34 15,104 --a------ D:\WINDOWS\system32\PCAND5BK.SYS
2007-11-24 11:21 . 2002-10-29 18:15 163 --a------ D:\WINDOWS\filespec
2007-11-24 10:56 . 2007-11-24 10:59 410 --a------ D:\WINDOWS\brwmark.ini
2007-11-24 10:56 . 2007-11-24 10:56 209 --a------ D:\WINDOWS\Brpfx04a.ini
2007-11-24 10:56 . 2007-11-24 10:56 92 --a------ D:\WINDOWS\brpcfx.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-17 18:17 32,768 ----a-w D:\WINDOWS\twunk_32.exe
2007-12-17 18:17 290,816 ----a-w D:\WINDOWS\winhlp32.exe
2007-12-17 18:16 96,768 ----a-w D:\WINDOWS\system32\smlogsvc.exe
2007-12-17 18:16 86,016 ----a-w D:\WINDOWS\system32\wmpstub.exe
2007-12-17 18:16 86,016 ----a-w D:\WINDOWS\system32\usrmlnka.exe
2007-12-17 18:16 84,992 ----a-w D:\WINDOWS\system32\shrpubw.exe
2007-12-17 18:16 84,480 ----a-w D:\WINDOWS\system32\sdbinst.exe
2007-12-17 18:16 84,480 ----a-w D:\WINDOWS\system32\rtcshare.exe
2007-12-17 18:16 81,920 ----a-w D:\WINDOWS\system32\slserv.exe
2007-12-17 18:16 77,824 ----a-w D:\WINDOWS\system32\usrshuta.exe
2007-12-17 18:16 77,824 ----a-w D:\WINDOWS\system32\odbcconf.exe
2007-12-17 18:16 77,312 ----a-w D:\WINDOWS\system32\sigverif.exe
2007-12-17 18:16 74,240 ----a-w D:\WINDOWS\system32\rdshost.exe
2007-12-17 18:16 72,704 ----a-w D:\WINDOWS\system32\wextract.exe
2007-12-17 18:16 712,704 ----a-w D:\WINDOWS\system32\ss3dfo.scr
2007-12-17 18:16 69,632 ----a-w D:\WINDOWS\system32\usrprbda.exe
2007-12-17 18:16 69,632 ----a-w D:\WINDOWS\system32\rdpclip.exe
2007-12-17 18:16 688,128 ----a-w D:\WINDOWS\system32\sstext3d.scr
2007-12-17 18:16 65,536 ----a-w D:\WINDOWS\system32\packager.exe
2007-12-17 18:16 65,024 ------w D:\WINDOWS\system32\spoolsv.exe
2007-12-17 18:16 64,000 ----a-w D:\WINDOWS\system32\sol.exe
2007-12-17 18:16 64,000 ----a-w D:\WINDOWS\system32\rasphone.exe
2007-12-17 18:16 618,496 ----a-w D:\WINDOWS\system32\sspipes.scr
2007-12-17 18:16 58,368 ----a-w D:\WINDOWS\system32\syncapp.exe
2007-12-17 18:16 57,344 ----a-w D:\WINDOWS\system32\reg.exe
2007-12-17 18:16 57,344 ----a-w D:\WINDOWS\system32\proquota.exe
2007-12-17 18:16 56,832 ----a-w D:\WINDOWS\system32\w32tm.exe
2007-12-17 18:16 56,320 ----a-w D:\WINDOWS\system32\rsmui.exe
2007-12-17 18:16 56,320 ----a-w D:\WINDOWS\system32\rsm.exe
2007-12-17 18:16 56,320 ----a-w D:\WINDOWS\system32\powercfg.exe
2007-12-17 18:16 545,792 ----a-w D:\WINDOWS\system32\spider.exe
2007-12-17 18:16 54,272 ----a-w D:\WINDOWS\system32\ssmypics.scr
2007-12-17 18:16 51,712 ----a-w D:\WINDOWS\system32\tscupgrd.exe
2007-12-17 18:16 49,664 ----a-w D:\WINDOWS\system32\shmgrate.exe
2007-12-17 18:16 49,152 ----a-w D:\WINDOWS\system32\RemoveInstallShield.exe
2007-12-17 18:16 47,616 ----a-w D:\WINDOWS\system32\osuninst.exe
2007-12-17 18:16 440,832 ----a-w D:\WINDOWS\system32\wiaacmgr.exe
2007-12-17 18:16 44,032 ----a-w D:\WINDOWS\system32\syskey.exe
2007-12-17 18:16 427,008 ----a-w D:\WINDOWS\system32\ntvdm.exe
2007-12-17 18:16 401,408 ----a-w D:\WINDOWS\system32\ssflwbox.scr
2007-12-17 18:16 40,960 ----a-w D:\WINDOWS\system32\slrundll.exe
2007-12-17 18:16 40,960 ----a-w D:\WINDOWS\system32\regini.exe
2007-12-17 18:16 40,960 ----a-w D:\WINDOWS\system32\odbcad32.exe
2007-12-17 18:16 40,448 ----a-w D:\WINDOWS\system32\rundll32.exe
2007-12-17 18:16 40,448 ----a-w D:\WINDOWS\system32\ping6.exe
2007-12-17 18:16 39,424 ----a-w D:\WINDOWS\system32\wpnpinst.exe
2007-12-17 18:16 39,424 ----a-w D:\WINDOWS\system32\wpabaln.exe
2007-12-17 18:16 38,912 ----a-w D:\WINDOWS\system32\tracert6.exe
2007-12-17 18:16 38,912 ----a-w D:\WINDOWS\system32\ntsd.exe
2007-12-17 18:16 38,400 ----a-w D:\WINDOWS\system32\sethc.exe
2007-12-17 18:16 38,400 ----a-w D:\WINDOWS\system32\sc.exe
2007-12-17 18:16 37,888 ----a-w D:\WINDOWS\system32\xcopy.exe
2007-12-17 18:16 354,304 ----a-w D:\WINDOWS\system32\tourstart.exe
2007-12-17 18:16 35,840 ----a-w D:\WINDOWS\system32\verclsid.exe
2007-12-17 18:16 33,280 ----a-w D:\WINDOWS\system32\skeys.exe
2007-12-17 18:16 32,768 ----a-w D:\WINDOWS\system32\WinXPDisableZeroConfigation.exe
2007-12-17 18:16 32,768 ----a-w D:\WINDOWS\system32\shutdowncomputer.exe
2007-12-17 18:16 32,768 ----a-w D:\WINDOWS\system32\routemon.exe
2007-12-17 18:16 31,744 ----a-w D:\WINDOWS\system32\userinit.exe
2007-12-17 18:16 31,744 ----a-w D:\WINDOWS\system32\rsmsink.exe
2007-12-17 18:16 30,720 ----a-w D:\WINDOWS\system32\sort.exe
2007-12-17 18:16 30,208 ----a-w D:\WINDOWS\system32\setup.exe
2007-12-17 18:16 296,960 ----a-w D:\WINDOWS\system32\vssvc.exe
2007-12-17 18:16 29,184 ----a-w D:\WINDOWS\system32\qwinsta.exe
2007-12-17 18:16 28,672 ----a-w D:\WINDOWS\system32\spupdwxp.exe
2007-12-17 18:16 28,672 ----a-w D:\WINDOWS\system32\rcp.exe
2007-12-17 18:16 28,672 ----a-w D:\WINDOWS\system32\pathping.exe
2007-12-17 18:16 28,160 ----a-w D:\WINDOWS\system32\ssmarque.scr
2007-12-17 18:16 27,648 ----a-w D:\WINDOWS\system32\qprocess.exe
2007-12-17 18:16 27,136 ----a-w D:\WINDOWS\system32\ssbezier.scr
2007-12-17 18:16 27,136 ----a-w D:\WINDOWS\system32\route.exe
2007-12-17 18:16 26,624 ----a-w D:\WINDOWS\system32\tcpsvcs.exe
2007-12-17 18:16 26,624 ----a-w D:\WINDOWS\system32\shutdown.exe
2007-12-17 18:16 26,112 ----a-w D:\WINDOWS\system32\ssmyst.scr
2007-12-17 18:16 25,600 ----a-w D:\WINDOWS\system32\ups.exe
2007-12-17 18:16 25,088 ----a-w D:\WINDOWS\system32\ping.exe
2007-12-17 18:16 24,576 ----a-w D:\WINDOWS\system32\wpdshextautoplay.exe
2007-12-17 18:16 24,064 ----a-w D:\WINDOWS\system32\upnpcont.exe
2007-12-17 18:16 24,064 ----a-w D:\WINDOWS\system32\tsshutdn.exe
2007-12-17 18:16 24,064 ----a-w D:\WINDOWS\system32\tftp.exe
2007-12-17 18:16 24,064 ----a-w D:\WINDOWS\system32\qappsrv.exe
2007-12-17 18:16 23,552 ----a-w D:\WINDOWS\system32\tskill.exe
2007-12-17 18:16 23,552 ----a-w D:\WINDOWS\system32\runas.exe
2007-12-17 18:16 23,040 ----a-w D:\WINDOWS\system32\rwinsta.exe
2007-12-17 18:16 23,040 ----a-w D:\WINDOWS\system32\perfmon.exe
2007-12-17 18:16 22,528 ----a-w D:\WINDOWS\TASKMAN.EXE
2007-12-17 18:16 22,528 ----a-w D:\WINDOWS\system32\taskman.exe
2007-12-17 18:16 22,528 ----a-w D:\WINDOWS\system32\pentnt.exe
2007-12-17 18:16 22,016 ----a-w D:\WINDOWS\system32\tsdiscon.exe
2007-12-17 18:16 22,016 ----a-w D:\WINDOWS\system32\tscon.exe
2007-12-17 18:16 22,016 ----a-w D:\WINDOWS\system32\stimon.exe
2007-12-17 18:16 22,016 ----a-w D:\WINDOWS\system32\shadow.exe
2007-12-17 18:16 22,016 ----a-w D:\WINDOWS\system32\rsh.exe
2007-12-17 18:16 21,504 ----a-w D:\WINDOWS\system32\ssstars.scr
2007-12-17 18:16 20,992 ----a-w D:\WINDOWS\system32\wscntfy.exe
2007-12-17 18:16 20,992 ----a-w D:\WINDOWS\system32\rexec.exe
2007-12-17 18:16 20,992 ----a-w D:\WINDOWS\system32\rdsaddin.exe
2007-12-17 18:16 20,480 ----a-w D:\WINDOWS\system32\savedump.exe
2007-12-17 18:16 19,968 ----a-w D:\WINDOWS\system32\replace.exe
2007-12-17 18:16 19,456 ----a-w D:\WINDOWS\system32\tracert.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2007-12-17 06:27]
"Steam"="D:\Program Files\Steam\Steam.exe" [2007-12-07 13:26]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-17 10:02]
"Aeas"="D:\PROGRA~1\COMMON~1\DOBE~1\logonui.exe" []
"Ajygr"="D:\WINDOWS\?ystem32\m?iexec.exe" [2007-12-17 10:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2007-12-17 09:55]
"AudCtrl"="RunDll32 AudCtrl.dll" []
"SSBkgdUpdate"="D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2007-12-17 09:56]
"PaperPort PTD"="D:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-12-17 10:01]
"IndexSearch"="D:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-12-17 10:01]
"SetDefPrt"="D:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2007-12-17 09:55]
"ControlCenter2.0"="D:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2007-12-17 09:55]
"bcmwltry"="bcmwltry.exe" [2007-12-17 10:14 D:\WINDOWS\system32\bcmwltry.exe]
"removecpl"="RemoveCpl.exe" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-12-17 10:01]
"LyraHD2TrayApp"="D:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe" [2007-12-17 10:02]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"UfSeAgnt.exe"="D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 01:10]

D:\Documents and Settings\Toby\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-07-19 21:13:50]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 viamraid;viamraid;D:\WINDOWS\system32\DRIVERS\viamraid.sys [2006-11-08 14:23]
R0 videX32;videX32;D:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
S1 vcdrom;Virtual CD-ROM Device Driver;D:\Documents and Settings\Toby\Desktop\New Folder\VCdRom.sys [2001-12-19 11:45]
S2 X4HSX32;X4HSX32;c:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-10-31 05:14]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;D:\WINDOWS\system32\DRIVERS\BCM4E5.SYS [2001-08-17 12:11]
S3 BrScnUsb;Brother USB Still Image driver;D:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;D:\WINDOWS\system32\Drivers\BrSerIf.sys [2004-09-29 03:24]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;D:\WINDOWS\system32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 PsSdk30;PsSdk30;D:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 sbext;Sound Blaster Extigy Audio Driver;D:\WINDOWS\system32\DRIVERS\sbext.sys [2002-05-31 01:21]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-12 06:49:03 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 15:01:15
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 15:02:00
.
2007-12-17 14:23:20 --- E O F ---
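Two entries in the "Reg Loading Points" section of the log above stand out on their own: the "Ajygr" value points at a path containing '?', which cannot occur in a real Windows file name (so it is a lookalike of system32\msiexec.exe, not the genuine file), and "Aeas" launches a binary named logonui.exe from a Program Files folder with no file timestamp recorded. The following is an added example, not part of the thread or of ComboFix, that parses that section and flags such entries; the excerpt is constructed from the entries shown above and the list of system binary names is an assumption.

```python
import re

# Excerpt constructed from the "Reg Loading Points" entries in the ComboFix log
# above. The forum rendered the non-ASCII characters in the "Ajygr" path as '?'.
COMBOFIX_RUN_SECTION = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2007-12-17 06:27]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-12-17 10:02]
"Aeas"="D:\PROGRA~1\COMMON~1\DOBE~1\logonui.exe" []
"Ajygr"="D:\WINDOWS\?ystem32\m?iexec.exe" [2007-12-17 10:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"removecpl"="RemoveCpl.exe" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-12-17 10:01]
'''

# One ComboFix Run entry: "name"="command" [timestamp-or-empty]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')

# Assumed list of binaries that legitimately live only under %SystemRoot%\system32.
SYSTEM_BINARIES = {"logonui.exe", "msiexec.exe", "userinit.exe", "ctfmon.exe"}

def suspicious_run_entries(section):
    """Map value name -> list of reasons for Run entries that look like autostart abuse."""
    findings = {}
    for line in section.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, cmd, stamp = m.group("name"), m.group("cmd"), m.group("stamp")
        path = cmd.lower()
        exe = path.rsplit("\\", 1)[-1].split(" ")[0]
        reasons = []
        # '?' is not a legal file-name character on Windows, so a '?' (or any
        # non-ASCII character) in the path means a lookalike name, not a real system file.
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append("illegal or non-ASCII character in path")
        if exe in SYSTEM_BINARIES and "\\windows\\system32\\" not in path:
            reasons.append("system binary name outside system32")
        if not stamp.strip():  # weak on its own: bare names like RemoveCpl.exe also lack one
            reasons.append("no timestamp recorded (file not located by ComboFix)")
        if reasons:
            findings[name] = reasons
    return findings
```

The empty-timestamp signal is only worth acting on together with one of the other two, which is why "removecpl" is reported with a single weak reason while "Aeas" and "Ajygr" carry the decisive ones.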

#4 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:08:58 PM

Posted 18 December 2007 - 11:57 AM

This is not a work PC. I would like to try and avoid wiping, as I reinstalled Windows about a month ago (a hardware change required it). However, if it comes to that, I do have the CDs to reinstall somewhere around here :blink: Kaspersky log is attached, ComboFix log is included. Note that I ran these from safe mode; regular mode is not functioning correctly now ;(

Unfortunately there is not much that can be done. This is a polymorphic memory-resident file infector that also has backdoor capabilities, as I said in my previous post. Polymorphic viruses do too much damage to files, leaving them corrupted beyond repair. :thumbsup:

I suggest that you also change passwords and login details. If you are going to back up data, don't forget NOT to back up any exe or scr files, or any zip or rar archives that contain exe or scr files. Before putting any of the backed-up data back on the reformatted computer, you should scan it with an antivirus program.

You can find a nice tutorial for reformatting here: http://spyware-free.us/tutorials/reformat/

In future, avoid visiting sites with illegal material, for example sites that offer cracks, keygens and similar. Also, don't use P2P programs, because many of the files available for download are purposely infected with some sort of infection.

Should you have any questions, please feel free to ask.

Regards,
SNOWHITE
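The backup rule given above (leave out every exe and scr file, and any zip or rar that contains one, then scan what is left before restoring it) can be applied mechanically rather than by eye. This is an added example, not a tool from the thread: it walks a data folder, separates what may be copied from what must be left behind, and builds a small constructed sample tree to run against; treating every .rar as unsafe is an assumption made because the standard library cannot look inside one.

```python
import os
import tempfile
import zipfile

# A file infector such as Virut writes itself into .exe and .scr files, so the
# thread's advice is to carry neither those nor archives holding them across.
INFECTABLE = {".exe", ".scr"}

def _ext(name):
    return os.path.splitext(name)[1].lower()

def zip_holds_infectable(path):
    """True if the .zip has any .exe/.scr member, or cannot be read at all."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(_ext(m) in INFECTABLE for m in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe rather than guess

def select_for_backup(root):
    """Walk root; return (keep, skipped) lists of paths relative to root."""
    keep, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            ext = _ext(fname)
            if ext in INFECTABLE:
                skipped.append(rel)
            elif ext == ".zip" and zip_holds_infectable(os.path.join(root, rel)):
                skipped.append(rel)
            elif ext == ".rar":
                skipped.append(rel)  # assumption: no RAR reader, so skip rather than risk it
            else:
                keep.append(rel)
    return keep, skipped

def build_sample_tree():
    """Constructed sample data folder (in a temp dir) to exercise the rules above."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    with open(os.path.join(root, "thesis.doc"), "wb") as f:
        f.write(b"constructed sample document")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ constructed sample executable")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("holiday.jpg", b"constructed jpeg bytes")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("tool/run.exe", b"MZ")
    open(os.path.join(root, "old.rar"), "wb").close()
    return root
```

The kept list is what goes onto the backup medium; everything in it still gets an antivirus scan before it is restored, as the post says.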

#5 TStrauss

TStrauss
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:58 PM

Posted 18 December 2007 - 11:37 PM

I appreciate all of your help. I've gone ahead and formatted/reinstalled Windows. Needless to say, the first things I installed this time around were a firewall and an antivirus program.

I will just have to chalk this up to a painful lesson learned about 1) internet security and 2) honesty (and the dangers of dishonesty). :thumbsup:

Have a great day.

#6 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:08:58 PM

Posted 19 December 2007 - 12:24 AM

I appreciate all of your help. I've gone ahead and formatted/reinstalled Windows. Needless to say, the first things I installed this time around were a firewall and an antivirus program.

I will just have to chalk this up to a painful lesson learned about 1) internet security and 2) honesty (and the dangers of dishonesty). :blink:

Have a great day.


I am glad that I could help with something; sorry I couldn't do more. I will post some tips and links for reading where you can learn how to make your computer more secure.
SECURING INTERNET EXPLORER
  • From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level.
  • Change 'Download signed ActiveX controls' to Prompt
  • Change 'Download unsigned ActiveX controls' to Disable
  • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
  • Change 'Installation of desktop items' to Prompt
  • Change 'Launching programs and files in an IFRAME' to Prompt
  • Change 'Navigate sub-frames across different domains' to Prompt
  • When all these changes have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Secunia Software Inspector
Check for other vulnerable programs running on your PC that are in need of an update.
http://secunia.com/software_inspector
Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see this link:
Understanding and Using Firewalls



SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. It blocks spyware/tracking cookies and restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here:
http://www.bleepingcomputer.com/forums/tutorial49.html


IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here:
http://www.spywarewarrior.com/uiuc/resource.htm


COMODO BOClean
BOClean runs automatically in the background without interfering with your work and kills malware INSTANTLY, the moment it activates, without giving it the chance to invade your machine. A tutorial on installing this product can be found here:
http://www.comodo.com/boclean/boclean.html


WINPATROL
Download and install the free version of Winpatrol. A tutorial for this product is located here:
http://www.winpatrol.com/features.html

A-SQUARED Anti-Dialer
This is a free program that provides defense against dialers, scans the hard disk and provides a permanent background guard against new dialer infections.

"Dialers are small programs that change the Internet access number of a modem-equipped computer to a much more expensive number"

To understand this threat better, read the article The Dialer-Problem in Detail. a-squared Anti-Dialer can be downloaded at the following link:
http://download5.emsisoft.com/a2AntiDialerSetup.exe

A-SQUARED Free
This program is completely free of charge for private use; it removes infections of Trojans, spyware, adware, worms, keyloggers, rootkits, dialers and other malicious programs. It can be downloaded at the following link:
http://www.emsisoft.com/en/software/free

SUPERAntiSpyware Home Edition
Another effective program for helping remove some of the more difficult infections.
http://www.superantispyware.com/downloadfile.html
  • More Secure Browser - Internet Explorer is not the most secure or the best browser. There are safer and better alternatives available. I recommend Firefox and Opera.
  • Google Toolbar - A free Google toolbar that lets you use the powerful Google search engine from the bar, and also blocks pop-up windows.

See these links for more information:

Foistware & How To Avoid It
Browser Hijacking & How to Stop It
Rogue/Suspect Anti-Spyware Products & Web Sites
So how did I get infected in the first place?

Stand Up and Be Counted - where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Happy surfing and stay clean! :thumbsup:


Best regards,
SNOWHITE

#7 SNOWHITE

SNOWHITE

    missy malware magnet


  • Members
  • 2,676 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Bitola, Macedonia
  • Local time:08:58 PM

Posted 23 December 2007 - 07:41 AM

As the problem here seems to be resolved, this topic is now closed.
To get it reopened, PM a staff member with the address of this thread.
This applies to the topic starter only; everyone else with similar problems, please start a new topic.
SNOWHITE