
Infested With Replicating Trojan Vundo/virtumonde


24 replies to this topic

#1 CaptainKillgore


  • Members
  • 107 posts

Posted 05 January 2008 - 06:50 AM

Hello there!
Have a happy New Year!

It has been nearly two weeks since my PC got crammed up with Trojan Vundo/Virtumonde.
Despite numerous efforts to get rid of the infestation, the cheeky little trojan is still there (so VundoFix tells me, even though VirtumundoBeGone was previously executed in safe mode...). My vain efforts have even caused collateral damage on my system (e.g. I use the Windows log-on feature when resuming from the screensaver, only to realize that the password for the account has changed, so that eventually I cannot log back in to my session (sigh)...); there is more damage (namely services not able to start).
However, so much for the collateral damage; let us tackle Trojan Vundo/Virtumonde.

I have scrupulously followed the Vundo/Virtumonde Removal guide from this forum right to the end.
I have scanned with Ad Aware 2007 and SpyBot Search and Destroy(both up-to-date).
I have run the online anti-virus scanners (Panda, BitDefender and Trend Micro HouseCall) for a deep scan. My PC is protected by Trend Micro PC-cillin 2007, which is up to date.
As mentioned, I also have run the Vundofix.exe, FixVundo, the Trojan.Vundo removal tool from Symantec, and VirtumundoBegone...
However from looking at my windows registry, I can see that there are many malicious .exes and .dlls and services which should not be running (as well as services which should be running and were not, e.g. Remote Procedure Call!) . Besides, some of my "legitimate" executables are replicated when they are not infested. The start up time for my computer has gotten incredibly and irritatingly long.

Any help in terminating the trojan.Vundo/Virtumonde would sincerely be much appreciated. :thumbsup:

Please find below for your review and comments a HijackThis log of my computer.
Thank you very much for your experienced and kind assistance.

Kind regards,
Dan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:30, on 05/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\BitTorrent\BitTorrent .exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\NETSCAPE\NAVIGA~1\NAVIGA~1.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evc.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkklk.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.fr/"); (C:\Documents and Settings\DAMIEN NUSSBAUM\Application Data\Mozilla\Profiles\default\fiouh0h9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\DAMIEN NUSSBAUM\Application Data\Mozilla\Profiles\default\fiouh0h9.slt\prefs.js)
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\OLITEC\MOH\Ltmoh.exe
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [8d466b6d] rundll32.exe "C:\WINDOWS\system32\nmrgkuvx.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SaitekInstall] "D:\My Safe\My Drivers\Drivers Win XP\FlightYokeQV1.1 (E)\x86\Setup.exe" -S0 -R
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule .exe -AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent .exe"
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [SaitekInstall] "D:\My Safe\My Drivers\Drivers Win XP\FlightYokeQV1.1 (E)\x86\Setup.exe" -S0 -R (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule .exe -AutoStart (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent .exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-484763869-606747145-682003330-1003 Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\BitTorrent.exe (User '?')
O4 - Startup: BitTorrent.lnk = C:\Program Files\BitTorrent\BitTorrent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ajouter au fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir la sélection en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la sélection en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir les liens sélectionnés en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer au périphérique &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Tout télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://externe.ofivalmo.fr/iNotes6.cab,Dan...101.12,CT=java+
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105167911843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DirectX Service (DirectRopf) - Unknown owner - c:\windows\system32\directx.exe (file missing)
O23 - Service: DirectX multi version - Unknown owner - C:\WINDOWS\system32\dxcombin.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IWin service - Unknown owner - C:\WINDOWS\system32\iwinapp.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: svchosl - Unknown owner - C:\Documents and Settings\Administrator\srvyce.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)

--
End of file - 16991 bytes





#2 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 January 2008 - 12:00 AM

Hello CaptainKillgore,

You have a very nasty form of Vundo on this computer.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure.

This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following:

Please click on start, then run, and type msconfig and then press enter.
When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.


Let's run ComboFix.

Disable your TrendMicro Antivirus as that will prevent ComboFix from working.

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup



You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


If you have used ComboFix before, please delete the version you have and redownload it again, because ComboFix is being updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Do not run Combofix more than once.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 CaptainKillgore

  • Topic Starter

  • Members
  • 107 posts

Posted 08 January 2008 - 02:29 AM

Hi SifuMike!
Thank you very much for your prompt reply.
I will follow the step-by-step procedure that you described and will keep you posted of the results (i.e. ComboFix and HijackThis logs).
Best regards,
CK

#4 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 January 2008 - 01:28 PM

No rush. I shall be here. :thumbsup:

#5 CaptainKillgore

  • Topic Starter

  • Members
  • 107 posts

Posted 08 January 2008 - 04:16 PM

Dear SifuMike -

As discussed please find attached for your review:-
(i) a ComboFix log [FYI: it took about 45' for ComboFix to run (20') and prepare the log (25'); incidentally there were the following error messages: Access is denied // SED: can't read runs.dat: No such file or directory // Access is denied (...); but eventually the ComboFix log window did show up. I suppose all went relatively as expected.]; and
(ii) a HijackThis log performed after ComboFix has been run and the PC rebooted.

You will find those logs as attachments because I was not able to send the post due to length restrictions. Sorry for the inconvenience. If you could designate sections of those logs that are not crucial I could see to it that they are reduced (while preserving essential information) to a size allowing their posting on the forum.

I look forward to receiving new instructions aiming at getting rid of the Trojan.Vundo/Virtumonde infestation.
Thank you very much for your kind assistance in this matter.

Kind regards,
Dan

BTW it is a nice avatar that you have; it looks like Chief Inspector Clouseau in the Pink Panther. :thumbsup:

Attached Files



#6 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 January 2008 - 06:21 PM

Hello CaptainKillgore,


I see you have P2P software (i.e. BitTorrent Azureus and eMule) installed on your machine.

We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you susceptible to infections. It may be the cause of your current situation. This page will give you further information.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. Even scanning the files with your antivirus programs will not catch the malware and viruses. :thumbsup:

P2P file sharing is used as a major conduit to spread malware and is now being used for Identity Theft.
http://www.pcworld.com/article/id,126230-p...le.html?RSS=RSS
http://www.eweek.com/article2/0,1895,1980963,00.asp
http://www.techpowerup.com/index.php?41354

*******************************************

You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

D:\My Safe\My Drivers\Drivers Win XP\driver CH Pro Pedals USB Win XP\chstart\CMStart.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

*******************************************

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
When everything is done and your log is clean again, you can enable it again.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

You should NEVER have your P2P programs running at startup, as that leaves you open to anyone accessing your hard drives whenever they want to. We will close them and then they will be available to start up manually when you want them.


Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule .exe -AutoStart
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule .exe -AutoStart (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe" (User '?')
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe (file missing)
O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\actsrv.exe (file missing)
O23 - Service: DirectX Service (DirectRopf) - Unknown owner - c:\windows\system32\directx.exe (file missing)
O23 - Service: DirectX multi version - Unknown owner - C:\WINDOWS\system32\dxcombin.exe (file missing)
O23 - Service: IWin service - Unknown owner - C:\WINDOWS\system32\iwinapp.exe (file missing)
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Forum History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer

Disable Teatimer.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\xvukgrmn.ini
C:\WINDOWS\system32\qroljgnr.ini
C:\WINDOWS\system32\daspqxjy.ini


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please do not attach the ComboFix and HijackThis logs, as they are hard to read that way. Attach them only if they will not fit on the thread.

*******************************************

Download http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
to your Desktop.

Double click RenV.exe to run it
It will produce a log for you, please post it. Please do not attach it (unless you have to).

Edited by SifuMike, 08 January 2008 - 06:30 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
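As an added example (not code from the post above, and not part of ComboFix, HijackThis or RenV), here is a small Python checker for the ComboFix step: it reads the File:: list out of a CFScript, confirms each requested path shows up under the ComboFix log's "Other Deletions" section, and separately flags autostart entries whose executable name has a space before the extension, a naming pattern worth a second look when reviewing Run keys. The CFScript, log excerpt and HijackThis O4 lines are all constructed samples patterned on the thread's own logs, and the spaced-extension heuristic is my own, not a rule from the tools.

```python
import re

# Constructed CFScript, in the File:: format the post above tells the user to create.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\xvukgrmn.ini
C:\WINDOWS\system32\qroljgnr.ini
C:\WINDOWS\system32\daspqxjy.ini
"""

# Constructed ComboFix log excerpt, patterned on the real format; one requested
# file is deliberately missing from "Other Deletions" to show the failure case.
COMBOFIX_LOG = r"""ComboFix 08-01-08.4 - user 2008-01-10 8:30:27.5 - NTFSx86
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\daspqxjy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\daspqxjy.ini
C:\WINDOWS\system32\qroljgnr.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.
2008-01-09 08:18 . 2008-01-09 08:18 <DIR> d-------- C:\Program Files\CCleaner
"""

# Constructed HijackThis O4 lines (same layout as a real HijackThis log).
HJT_LINES = [
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized',
    r'O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg .EXE',
]


def parse_cfscript(text):
    """Return the paths listed under the File:: directive of a CFScript."""
    files, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):          # directive header such as "File::"
            section = line[:-2]
            continue
        if section == "File":
            files.append(line)
    return files


# A ComboFix section title is a line wrapped in runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def combofix_sections(text):
    """Split a ComboFix log into {section title: [non-empty content lines]}."""
    sections = {"Header": []}
    current = "Header"
    for line in text.splitlines():
        stripped = line.strip()
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if stripped and stripped != ".":   # ComboFix pads sections with lone dots
            sections[current].append(stripped)
    return sections


def check_deletions(cfscript_text, log_text):
    """Map each path requested in the CFScript to True if ComboFix reports deleting it."""
    requested = parse_cfscript(cfscript_text)
    deleted = {p.lower() for p in combofix_sections(log_text).get("Other Deletions", [])}
    return {p: p.lower() in deleted for p in requested}


# Heuristic (mine): a non-space character, whitespace, then ".exe"/".dll"/etc.
SPACED_EXT_RE = re.compile(r"\S\s+\.(exe|dll|scr|com|cpl)\b", re.IGNORECASE)


def flag_spaced_extensions(lines):
    """Return autostart lines whose executable name has whitespace before the extension."""
    return [line for line in lines if SPACED_EXT_RE.search(line)]


if __name__ == "__main__":
    for path, ok in check_deletions(CFSCRIPT, COMBOFIX_LOG).items():
        print(("deleted     " if ok else "NOT deleted ") + path)
    for line in flag_spaced_extensions(HJT_LINES):
        print("review: " + line)
```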

#7 CaptainKillgore

CaptainKillgore
  • Topic Starter

  • Members
  • 107 posts
  • Local time:01:24 PM

Posted 10 January 2008 - 04:21 PM

Hi SifuMike!

As per your instructions, please find below for your review the following logs:
(i) VirusTotal log in relation to CMStart.exe;
(ii) ComboFix log;
(iii) HijackThis log; and
(iv) RenV.exe log.

(i) File CMStart.exe received on 01.09.2008 07:25:27 (CET)
Current status: finished
Result: 1/32 (3.12%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Suspicious file
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -
Additional information
MD5: 452fecdce159e7c2c0f9f3f0c8cf0319



(ii) ComboFix 08-01-08.4 - Damien Nussbaum 2008-01-10 8:30:27.5 - NTFSx86

Running from: C:\Documents and Settings\Damien Nussbaum\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Damien Nussbaum\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\daspqxjy.ini
C:\WINDOWS\system32\qroljgnr.ini
C:\WINDOWS\system32\xvukgrmn.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\daspqxjy.ini
C:\WINDOWS\system32\qroljgnr.ini
C:\WINDOWS\system32\xvukgrmn.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-09 08:18 . 2008-01-09 08:18 <DIR> d-------- C:\Program Files\CCleaner
2008-01-08 20:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 16:41 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-06 16:41 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-06 16:41 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-06 16:41 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-06 16:41 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-01-05 09:14 . 2008-01-05 09:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 21:35 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-02 13:22 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-01-01 18:46 . 2008-01-05 09:27 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 18:46 . 2008-01-05 09:27 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 18:46 . 2008-01-05 09:27 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 18:44 . 2008-01-05 14:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 18:27 . 2008-01-03 08:21 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\.housecall6.6
2008-01-01 17:04 . 2008-01-01 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-01-01 16:55 . 2008-01-01 16:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 13:57 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-01 13:56 . 2003-03-02 02:28 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-01 13:55 . 2003-03-02 02:27 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-01-01 13:54 . 2003-03-02 02:27 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-01 13:53 . 2003-03-02 02:27 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-01 13:52 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-01 13:51 . 2003-03-02 02:29 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
2008-01-01 13:51 . 2003-03-02 02:28 94,720 --a--c--- C:\WINDOWS\system32\dllcache\certmap.ocx
2008-01-01 13:51 . 2003-03-02 02:29 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
2008-01-01 13:51 . 2003-03-02 02:29 14,336 --a--c--- C:\WINDOWS\system32\dllcache\iisreset.exe
2008-01-01 13:51 . 2003-03-02 02:29 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-01-01 13:51 . 2003-03-02 02:29 6,144 --a--c--- C:\WINDOWS\system32\dllcache\ftpsapi2.dll
2008-01-01 13:51 . 2003-03-02 02:29 5,632 --a--c--- C:\WINDOWS\system32\dllcache\iisrstap.dll
2008-01-01 13:16 . 2008-01-01 13:16 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-01-01 13:16 . 2008-01-01 13:16 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-01 12:43 . 2008-01-01 12:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Saitek
2007-12-30 14:37 . 2008-01-09 08:42 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-30 11:20 . 2007-12-30 11:20 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe.tmp
2007-12-30 11:20 . 2007-12-30 11:20 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-12-26 22:21 . 2007-12-26 23:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-12-26 20:22 . 2007-12-16 20:49 97 --a------ C:\fixit.bat
2007-12-26 13:00 . 2007-12-26 13:21 <DIR> d-------- C:\Program Files\RegCleaner
2007-12-26 09:58 . 2008-01-04 20:50 <DIR> d-------- C:\VundoFix Backups
2007-12-25 22:24 . 2008-01-02 21:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-25 20:28 . 2007-12-25 20:28 <DIR> d-------- C:\Program Files\Software by Design
2007-12-25 20:28 . 2005-05-25 06:00 90,112 --------- C:\WINDOWS\SDUnInst.exe
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\Grisoft
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\Grisoft
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2007-12-25 16:11 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-25 15:23 . 2008-01-03 21:09 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\HouseCall 6.6
2007-12-25 15:23 . 2008-01-03 21:09 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\HouseCall 6.6
2007-12-21 20:51 . 2008-01-02 08:36 <DIR> d-------- C:\Program Files\DNA
2007-12-21 20:51 . 2007-12-25 11:19 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\DNA
2007-12-21 20:51 . 2007-12-25 11:19 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\DNA
2007-12-21 20:42 . 2008-01-01 15:05 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2007-12-21 20:41 . 2007-12-25 21:25 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-21 20:15 . 2007-12-21 20:15 3,932,214 --a------ C:\WINDOWS\InvaderDark1280.bmp
2007-12-19 22:44 . 2007-12-19 22:44 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\Windows Desktop Search
2007-12-19 22:44 . 2007-12-19 22:44 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\Windows Desktop Search
2007-12-19 22:43 . 2008-01-05 14:04 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-12-18 23:16 . 2007-12-18 23:16 <DIR> d-------- C:\Program Files\SysTools Software
2007-12-18 23:16 . 2007-10-21 08:22 1,458,688 --a------ C:\WINDOWS\system32\osenxpsuite2007.ocx
2007-12-18 23:16 . 2007-10-21 07:54 718,848 --a------ C:\WINDOWS\system32\osenxpzuite2007.dll
2007-12-18 23:16 . 2007-10-21 08:00 247,296 --a------ C:\WINDOWS\system32\osenxpsuite2007.dll
2007-12-18 23:16 . 2004-01-09 03:35 212,892 --a------ C:\WINDOWS\system32\domobj.tlb
2007-12-17 23:54 . 2007-12-17 23:57 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Citrix
2007-12-17 23:54 . 2007-12-17 23:54 81 --a------ C:\CTX.DAT
2007-12-16 17:49 . 1998-06-17 18:07 57,344 --a------ C:\WINDOWS\system32\Mfc42loc.dll
2007-12-16 17:49 . 2004-04-14 11:08 44,064 --a------ C:\WINDOWS\system32\drivers\WmXlCore.sys
2007-12-16 17:49 . 2004-04-14 11:08 21,280 --a------ C:\WINDOWS\system32\drivers\WmFilter.sys
2007-12-16 17:49 . 2004-04-14 11:08 10,144 --a------ C:\WINDOWS\system32\drivers\WmBEnum.sys
2007-12-16 17:49 . 2004-04-14 11:08 5,600 --a------ C:\WINDOWS\system32\drivers\WmVirHid.sys
2007-12-16 00:03 . 2007-12-16 00:03 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-12-15 21:58 . 2007-12-15 21:58 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Bluetooth Software
2007-12-15 21:53 . 2007-12-15 21:53 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Logitech
2007-12-15 21:50 . 2007-12-15 21:50 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-12-15 21:49 . 2007-12-15 21:56 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\Logitech
2007-12-15 21:49 . 2007-12-15 21:56 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\Logitech
2007-12-15 21:49 . 2005-10-05 12:00 47,104 --a------ C:\WINDOWS\system32\drivers\vserial.sys
2007-12-15 21:49 . 2005-10-05 12:00 18,167 --a------ C:\WINDOWS\system32\drivers\vsb.sys
2007-12-15 21:47 . 2007-12-15 21:47 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-15 21:47 . 2007-12-15 21:47 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-12-15 21:46 . 2007-01-23 15:45 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-12-15 21:46 . 2007-01-23 15:44 101,136 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-12-15 21:46 . 2007-01-23 15:45 78,864 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-12-15 21:46 . 2007-01-23 15:44 62,992 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2007-12-15 21:46 . 2007-01-23 15:45 34,576 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2007-12-15 21:46 . 2007-01-23 15:45 33,296 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2007-12-15 21:46 . 2007-01-23 15:44 20,496 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2007-12-15 21:45 . 2007-12-16 17:49 <DIR> d-------- C:\Program Files\Logitech
2007-12-15 21:45 . 2007-12-16 17:49 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-12-15 21:45 . 2007-12-15 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-12-15 21:45 . 2006-12-04 13:32 290,881 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2007-12-15 21:45 . 2007-01-30 01:46 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2007-12-15 21:45 . 2007-01-30 01:46 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-12-15 21:45 . 2007-01-30 01:46 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-12-15 21:45 . 2007-01-30 01:46 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2007-12-15 21:44 . 2007-12-15 21:44 <DIR> d-------- C:\Program Files\WIDCOMM
2007-12-15 21:44 . 2006-12-04 22:33 863,402 --a------ C:\WINDOWS\system32\drivers\btkrnl.sys
2007-12-15 21:44 . 2006-12-04 22:33 329,901 --a------ C:\WINDOWS\system32\drivers\btaudio.sys
2007-12-15 21:44 . 2006-12-04 22:33 106,557 --a------ C:\WINDOWS\system32\btw_ci.dll
2007-12-15 21:44 . 2006-12-04 22:33 67,672 --a------ C:\WINDOWS\system32\drivers\btwusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 07:59 --------- d-----w C:\Documents and Settings\Damien Nussbaum\Application Data\BitTorrent
2008-01-10 07:59 --------- d-----w C:\DOCUME~1\DAMIEN~1\APPLIC~1\BitTorrent
2008-01-10 01:06 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-01-10 00:56 --------- d-----w C:\Program Files\FlashGet
2008-01-08 20:02 --------- d-----w C:\Program Files\BitTorrent
2008-01-08 20:01 --------- d-----w C:\Program Files\GameFace Messenger
2008-01-08 20:01 --------- d-----w C:\Program Files\Anti-Blaxx
2008-01-08 19:02 --------- d-----w C:\Program Files\mIRC
2008-01-05 11:14 --------- d-----w C:\Program Files\AlienGUIse
2008-01-03 07:09 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-02 11:05 --------- d-----w C:\Program Files\QuickTime
2008-01-02 07:39 --------- d-----w C:\Program Files\eMule
2008-01-02 07:33 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-02 04:34 --------- d-----w C:\Program Files\Maplom
2008-01-02 04:34 --------- d-----w C:\Program Files\MagicISO
2008-01-01 11:43 --------- d-----w C:\Program Files\Saitek
2007-12-30 10:46 --------- d-----w C:\Program Files\Java
2007-12-30 10:20 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
2007-12-30 08:31 --------- d-----w C:\Program Files\Netscape
2007-12-30 08:31 --------- d-----w C:\Documents and Settings\Damien Nussbaum\Application Data\Netscape
2007-12-30 08:31 --------- d-----w C:\DOCUME~1\DAMIEN~1\APPLIC~1\Netscape
2007-12-25 19:31 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-25 12:55 --------- d-----w C:\Program Files\Trend Micro
2007-12-24 07:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-12-21 06:52 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-12-18 22:31 --------- d-----w C:\Program Files\XitNotes
2007-12-16 16:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 07:32 --------- d-----w C:\Program Files\OLITEC
2007-12-04 07:09 --------- d-----w C:\Program Files\SoftwareForLitSupport
2007-11-27 10:12 --------- d-----w C:\Program Files\Olifax
2007-11-26 18:35 --------- d-----w C:\Program Files\MSN Messenger
2007-11-18 10:42 461,952 ----a-w C:\WINDOWS\system32\drivers\MRVW245.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-08-21 03:25 460,928 ----a-w C:\WINDOWS\inf\WN111\Mrvw245.sys
2007-05-24 13:58 249,856 ----a-w C:\WINDOWS\inf\WN111\InsDrv2k.exe
2006-07-05 10:21 212,992 ----a-w C:\WINDOWS\inf\WN111\CopyWHQLDriver.exe
2006-01-07 12:05 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-17 14:46 845,736 ----a-w C:\WINDOWS\inf\WN111\DPInst.exe
2003-03-16 01:00 7,216 ----a-w C:\WINDOWS\inf\RAMDISK.SYS
1998-04-26 22:00 570,128 ----a-w C:\Program Files\Common Files\DAO350.dll
2005-01-08 10:08 61 --sh--w C:\WINDOWS\cnerolf.dat
.
<pre>
----a-w		 1,517,568 2008-01-01 14:04:31  C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol .exe
----a-w		   180,269 2007-12-30 12:05:12  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			49,152 2008-01-01 14:04:04  C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
----a-w		   122,880 2008-01-01 14:05:07  C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
----a-w		   157,592 2008-01-01 14:05:05  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   290,112 2007-12-26 17:17:04  C:\Program Files\DNA\btdna .exe
----a-w		   132,496 2007-12-30 10:35:06  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   132,496 2008-01-01 14:05:30  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w			77,824 2008-01-01 14:05:52  C:\Program Files\Logitech\Profiler\lwemon .exe
----a-w		 1,200,128 2007-12-25 14:40:24  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w			81,920 2007-12-25 14:40:22  C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd .exe
----a-w		   155,648 2007-12-25 14:40:00  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   233,472 2008-01-01 14:05:32  C:\Program Files\Saitek\SD6\Software\ProfilerU .exe
----a-w		   131,072 2008-01-01 14:05:33  C:\Program Files\Saitek\SD6\Software\SaiMfd .exe
----a-w		   159,744 2008-01-01 14:04:56  C:\Program Files\Saitek\Software\Profiler .exe
----a-w			98,304 2008-01-01 14:04:54  C:\Program Files\Saitek\Software\SaiSmart .exe
----a-w			49,152 2008-01-01 14:05:01  C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12 .exe
----a-w			40,960 2008-01-01 14:04:48  C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
----a-w			57,393 2008-01-01 14:04:59  C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
----a-w		 1,460,560 2008-01-01 14:05:40  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		 3,112,960 2008-01-01 14:04:28  C:\Program Files\Trend Micro\Internet Security 2007\PccGuide .exe
----a-w		   315,392 2007-12-25 10:24:52  C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon .exe
----a-w			90,112 2008-01-01 14:05:12  C:\WINDOWS\UpdReg .EXE
----a-w		   155,648 2007-12-25 20:25:11  C:\WINDOWS\system32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-01-08_21.25.17.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-07 06:01:42 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-08 20:08:49 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-07 06:01:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-08 20:08:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-07 06:01:42 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-08 20:08:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-05 07:55:34 79,702 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-09 07:48:07 80,458 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-05 07:55:34 441,576 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-09 07:48:07 442,908 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-09 07:45:50 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_218.dat
+ 2008-01-09 07:50:26 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_498.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [ ]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [ ]
"SaitekInstall"="D:\My Safe\My Drivers\Drivers Win XP\FlightYokeQV1.1 (E)\x86\Setup.exe" [2007-07-13 03:22 1052672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [ ]
"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\BitTorrent.exe" [2008-01-07 07:11 588080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [ ]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [ ]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [ ]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [ ]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [ ]
"Opware12"="C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [ ]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Tweak UI"="TWEAKUI.CPL" [2003-03-25 04:49 106544 C:\WINDOWS\system32\tweakui.cpl]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-07 07:11 620152]
"LtMoh"="C:\Program Files\OLITEC\MOH\Ltmoh.exe" [ ]
"Logitech BT Wizard"="LBTWiz.exe" []
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"ProfilerU"="C:\Program Files\Saitek\SD6\Software\ProfilerU.exe" [ ]
"SaiMfd"="C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" [ ]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"nTrayFw"="C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"NaturalPoint"="" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [ ]
"InCD"="C:\lecteur G\--=Important=-- Programs\Nero 6.0\InCD 4\sharedNT\InCD.exe" [ ]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [ ]
"GamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [ ]
"GameFace Messenger"="C:\Program Files\GameFace Messenger\GameFace.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"Anti-Blaxx Manager"="C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [ ]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [ ]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE" [ ]
"AcctMgr"="C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2005-09-09 14:21 263824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 22:37:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-01-30 02:15 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Damien Nussbaum^Start Menu^Programs^Startup^Ubisoft register.lnk]
path=C:\Documents and Settings\Damien Nussbaum\Start Menu\Programs\Startup\ubisoft register.lnk
backup=C:\WINDOWS\pss\ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NPFMntor"=2 (0x2)
"SBService"=2 (0x2)
"ccPwdSvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 09:03:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 9:15:01
ComboFix-quarantined-files.txt 2008-01-10 08:14:18
ComboFix2.txt 2008-01-08 20:33:09
.
2007-12-22 02:03:30 --- E O F ---


(iii) Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41:27, on 10/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evc.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.fr/"); (C:\Documents and Settings\DAMIEN NUSSBAUM\Application Data\Mozilla\Profiles\default\fiouh0h9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\DAMIEN NUSSBAUM\Application Data\Mozilla\Profiles\default\fiouh0h9.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\OLITEC\MOH\Ltmoh.exe
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [InCD] C:\lecteur G\--=Important=-- Programs\Nero 6.0\InCD 4\sharedNT\InCD.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SaitekInstall] "D:\My Safe\My Drivers\Drivers Win XP\FlightYokeQV1.1 (E)\x86\Setup.exe" -S0 -R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [SaitekInstall] "D:\My Safe\My Drivers\Drivers Win XP\FlightYokeQV1.1 (E)\x86\Setup.exe" -S0 -R (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-484763869-606747145-682003330-1003 Startup: Alcohol 120%.lnk = C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe (User '?')
O4 - S-1-5-21-484763869-606747145-682003330-1003 Startup: Shortcut to CMStart.lnk = D:\My Safe\My Drivers\Drivers Win XP\driver CH Pro Pedals USB Win XP\chstart\CMStart.exe (User '?')
O4 - S-1-5-21-484763869-606747145-682003330-1003 Startup: TrackIR.lnk = C:\Program Files\Naturalpoint\TrackIR4\TrackIR.exe (User '?')
O4 - Startup: Alcohol 120%.lnk = C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
O4 - Startup: Shortcut to CMStart.lnk = D:\My Safe\My Drivers\Drivers Win XP\driver CH Pro Pedals USB Win XP\chstart\CMStart.exe
O4 - Startup: TrackIR.lnk = C:\Program Files\Naturalpoint\TrackIR4\TrackIR.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ajouter au fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir la sélection en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la sélection en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir les liens sélectionnés en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer au périphérique &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Tout télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://externe.ofivalmo.fr/iNotes6.cab,Dan...101.12,CT=java+
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105167911843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DirectX Service (DirectRopf) - Unknown owner - c:\windows\system32\directx.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: svchosl - Unknown owner - C:\Documents and Settings\Administrator\srvyce.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 19040 bytes




(iv)
Ran on 10/01/2008 - 20:41:37,25

----a-w		 1,517,568 2008-01-01 14:04:31  C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol .exe
----a-w		   180,269 2007-12-30 12:05:12  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			49,152 2008-01-01 14:04:04  C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
----a-w		   122,880 2008-01-01 14:05:07  C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
----a-w		   157,592 2008-01-01 14:05:05  C:\Program Files\DAEMON Tools\daemon .exe
----a-w		   290,112 2007-12-26 17:17:04  C:\Program Files\DNA\btdna .exe
----a-w		   132,496 2007-12-30 10:35:06  C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w		   132,496 2008-01-01 14:05:30  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w			77,824 2008-01-01 14:05:52  C:\Program Files\Logitech\Profiler\lwemon .exe
----a-w		 1,200,128 2007-12-25 14:40:24  C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w			81,920 2007-12-25 14:40:22  C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd .exe
----a-w		   155,648 2007-12-25 14:40:00  C:\Program Files\QuickTime\qttask	 .exe
----a-w		   233,472 2008-01-01 14:05:32  C:\Program Files\Saitek\SD6\Software\ProfilerU .exe
----a-w		   131,072 2008-01-01 14:05:33  C:\Program Files\Saitek\SD6\Software\SaiMfd .exe
----a-w		   159,744 2008-01-01 14:04:56  C:\Program Files\Saitek\Software\Profiler .exe
----a-w			98,304 2008-01-01 14:04:54  C:\Program Files\Saitek\Software\SaiSmart .exe
----a-w			49,152 2008-01-01 14:05:01  C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12 .exe
----a-w			40,960 2008-01-01 14:04:48  C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
----a-w			57,393 2008-01-01 14:04:59  C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
----a-w		 1,460,560 2008-01-01 14:05:40  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		 3,112,960 2008-01-01 14:04:28  C:\Program Files\Trend Micro\Internet Security 2007\PccGuide .exe
----a-w		   315,392 2007-12-25 10:24:52  C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon .exe
----a-w			90,112 2008-01-01 14:05:12  C:\WINDOWS\UpdReg .EXE
----a-w		   155,648 2007-12-25 20:25:11  C:\WINDOWS\system32\NeroCheck .exe

 Entries:			   24  (24)
 Directories:			0  Files:			24
 Bytes:		 10,002,854  Blocks:	   19,540


Thank you very much for your kind assistance.

Kind regards,
Dan

#8 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:24 AM

Posted 10 January 2008 - 05:07 PM

Hi CaptainKillgore,

I see you previously downloaded RegCleaner.
I do not recommend registry cleaners, as they may damage rather than fix your registry.
Use a "registry cleaner" only if you have a good knowledge of the registry and know whether a certain key/value is safe to remove. Cleaning the registry will not improve system performance even though there are a lot of orphaned keys. IMHO, if Microsoft thought a registry cleaner was necessary, it would have built one into Windows XP.

In summary, use a registry cleaner at your own risk. If you corrupt the registry, then you corrupt Windows.

Read this: Should I use a Registry Cleaner? : http://aumha.net/viewtopic.php?t=28099

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

O23 - Service: DirectX Service (DirectRopf) - Unknown owner - c:\windows\system32\directx.exe (file missing)


Let's delete the bad service:
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is All Files, and name it FixService.bat


@echo off
rem Stop the service flagged in the HijackThis log, then remove its registration
sc stop DirectRopf
sc delete DirectRopf
exit

Double click FixService.bat.
A window will open and close. This is normal.


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.


*******************************************

Reboot your computer


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After the reboot (if it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


************************************

Open NOTEPAD.exe and copy/paste the text in the code box below into it:

C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
C:\Program Files\DAEMON Tools\daemon .exe
C:\Program Files\DNA\btdna .exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Logitech\Profiler\lwemon .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd .exe
C:\Program Files\QuickTime\qttask	 .exe
C:\Program Files\Saitek\SD6\Software\ProfilerU .exe
C:\Program Files\Saitek\SD6\Software\SaiMfd .exe
C:\Program Files\Saitek\Software\Profiler .exe
C:\Program Files\Saitek\Software\SaiSmart .exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12 .exe
C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Trend Micro\Internet Security 2007\PccGuide .exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon .exe
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\system32\NeroCheck .exe


Save this as Log.txt


Posted Image


Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
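A small triage script for the O23 service entries and the RenV-style file names in the logs above, as an added example that is not part of this thread or of the HijackThis, RenV or ComboFix tools. It parses O23 lines into their fields, flags the signals acted on above (no publisher, binary missing, a path inside a user profile, a name one character away from a Windows component name), emits the same stop/delete batch text as FixService.bat for a flagged key name, and spots the "name .exe" pattern from the RenV listing; the heuristics and all function names are my own, and the sample lines are copied from the HijackThis log posted earlier.

```python
"""Triage for HijackThis O23 service lines and RenV-style file names.
Added example, not code from this thread, HijackThis, RenV or ComboFix: it only
reads log text and prints suggestions, never touching the registry or disk."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 - Service: <display> [(<key>)] - <owner> - <path> [(file missing)]; anchoring
# the path on a drive letter keeps an owner containing " - " from being split.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# The last parenthesised group of the name is the key name that sc.exe needs.
KEYNAME_RE = re.compile(r"^(?P<display>.*) \((?P<key>[^()]+)\)$")
# A space pushed in before the extension, as in the RenV listing above.
SPACED_EXT_RE = re.compile(r" \.(exe|dll|sys|scr|cpl)$", re.IGNORECASE)
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon")  # imitated by 1-char edits


@dataclass
class ServiceEntry:
    display: str
    key: Optional[str]  # None when HijackThis printed no key name
    owner: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    m = O23_RE.match(line.strip())
    if not m:
        return None
    k = KEYNAME_RE.match(m.group("name"))
    display, key = (k.group("display"), k.group("key")) if k else (m.group("name"), None)
    return ServiceEntry(display, key, m.group("owner"), m.group("path"),
                        m.group("missing") is not None)


def one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    for i in range(len(b)):
        if b[:i] + b[i + 1:] == a:  # one character inserted into a
            return True
        if len(a) == len(b) and a[:i] + b[i] + a[i + 1:] == b:  # one swapped
            return True
    return False


def triage(e: ServiceEntry) -> ServiceEntry:
    """Attach reasons to look closer. A flagged entry is a lead, not a verdict:
    leftovers of uninstalled software also show 'Unknown owner' + 'file missing'."""
    low = e.path.lower()
    if e.owner == "Unknown owner":
        e.reasons.append("no publisher recorded")
    if e.file_missing:
        e.reasons.append("binary no longer on disk")
    if "\\documents and settings\\" in low or "\\users\\" in low:
        e.reasons.append("service binary lives inside a user profile")
    for candidate in filter(None, (e.key, e.display)):
        if any(one_edit_away(candidate.lower(), s) for s in SYSTEM_NAMES):
            e.reasons.append(f"name '{candidate}' imitates a Windows component")
            break
    return e


def review(lines) -> List[ServiceEntry]:
    return [e for e in map(parse_o23, lines) if e is not None and triage(e).reasons]


def fix_service_bat(key: str) -> str:
    """Same shape as the FixService.bat above: stop the service, then unregister it."""
    return f"@echo off\nsc stop {key}\nsc delete {key}\nexit\n"


def has_space_before_extension(path: str) -> bool:
    return SPACED_EXT_RE.search(path.rstrip()) is not None


# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_O23 = r"""
O23 - Service: DirectX Service (DirectRopf) - Unknown owner - c:\windows\system32\directx.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: svchosl - Unknown owner - C:\Documents and Settings\Administrator\srvyce.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

if __name__ == "__main__":
    for e in review(SAMPLE_O23.splitlines()):
        print(e.display, "->", "; ".join(e.reasons))
        if e.key:  # without a key name, read it from 'sc query' first
            print(fix_service_bat(e.key))
```

Note that the legitimate Norton "Speed Disk service" line in the same log would also be flagged (unknown owner, file missing), which is why the output is a review list rather than a deletion list.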

#9 CaptainKillgore

  • Topic Starter

  • Members
  • 107 posts
  • Local time:01:24 PM

Posted 11 January 2008 - 02:50 AM

Hi SifuMike-

As per your instructions, please find below, for your review, the following logs:
(i) ComboFix log;
(ii) HijackThis log; and
(iii) Renv.exe log.

It seems that we are close to being done with the infestation...

Thank you very much for your kind assistance in this matter.

Kind regards,
C.Killgore

(i) ComboFix 08-01-08.4 - Damien Nussbaum 2008-01-11 8:27:37.6 - NTFSx86

Running from: C:\Documents and Settings\Damien Nussbaum\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Damien Nussbaum\Desktop\CFScript[2008.01.11].txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\cyonffax.dll.bad
C:\VundoFix Backups\DivX.dll.bad
C:\VundoFix Backups\dlavxxqj.ini.bad
C:\VundoFix Backups\elqrcdim.dll.bad
C:\VundoFix Backups\jeiujymh.dll.bad
C:\VundoFix Backups\jkklk.dll.bad
C:\VundoFix Backups\jkklk.exe.bad
C:\VundoFix Backups\jqxxvald.dll.bad
C:\VundoFix Backups\klkkj.ini.bad
C:\VundoFix Backups\klkkj.ini2.bad
C:\VundoFix Backups\nmngukkw.dll.bad
C:\VundoFix Backups\nmrgkuvx.dll.bad
C:\VundoFix Backups\rngjlorq.dll.bad
C:\VundoFix Backups\yjxqpsad.dll.bad
C:\VundoFix Backups\ylamqghe.ini.bad

.
((((((((((((((((((((((((( Files Created from 2007-12-11 to 2008-01-11 )))))))))))))))))))))))))))))))
.

2008-01-09 08:18 . 2008-01-09 08:18 <DIR> d-------- C:\Program Files\CCleaner
2008-01-08 20:51 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 16:41 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-06 16:41 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-06 16:41 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-06 16:41 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-06 16:41 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2008-01-05 09:14 . 2008-01-05 09:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 21:35 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-02 13:22 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-01-01 18:46 . 2008-01-05 09:27 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-01 18:46 . 2008-01-05 09:27 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-01 18:46 . 2008-01-05 09:27 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-01 18:44 . 2008-01-05 14:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-01 18:27 . 2008-01-03 08:21 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\.housecall6.6
2008-01-01 17:04 . 2008-01-01 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2008-01-01 16:55 . 2008-01-01 16:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 13:57 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-01 13:56 . 2003-03-02 02:28 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-01 13:55 . 2003-03-02 02:27 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2008-01-01 13:54 . 2003-03-02 02:27 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-01 13:53 . 2003-03-02 02:27 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-01 13:52 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-01 13:51 . 2003-03-02 02:29 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
2008-01-01 13:51 . 2003-03-02 02:28 94,720 --a--c--- C:\WINDOWS\system32\dllcache\certmap.ocx
2008-01-01 13:51 . 2003-03-02 02:29 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
2008-01-01 13:51 . 2003-03-02 02:29 14,336 --a--c--- C:\WINDOWS\system32\dllcache\iisreset.exe
2008-01-01 13:51 . 2003-03-02 02:29 7,680 --a--c--- C:\WINDOWS\system32\dllcache\inetmgr.exe
2008-01-01 13:51 . 2003-03-02 02:29 6,144 --a--c--- C:\WINDOWS\system32\dllcache\ftpsapi2.dll
2008-01-01 13:51 . 2003-03-02 02:29 5,632 --a--c--- C:\WINDOWS\system32\dllcache\iisrstap.dll
2008-01-01 13:16 . 2008-01-11 07:57 <DIR> d-------- C:\Program Files\MSECACHE
2008-01-01 12:43 . 2008-01-01 12:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Saitek
2007-12-30 14:37 . 2008-01-11 08:16 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-12-30 11:20 . 2007-12-30 11:20 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe.tmp
2007-12-30 11:20 . 2007-12-30 11:20 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2007-12-26 22:21 . 2007-12-26 23:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-12-26 20:22 . 2007-12-16 20:49 97 --a------ C:\fixit.bat
2007-12-26 13:00 . 2007-12-26 13:21 <DIR> d-------- C:\Program Files\RegCleaner
2007-12-25 22:24 . 2008-01-02 21:29 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-25 20:28 . 2007-12-25 20:28 <DIR> d-------- C:\Program Files\Software by Design
2007-12-25 20:28 . 2005-05-25 06:00 90,112 --------- C:\WINDOWS\SDUnInst.exe
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\Grisoft
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\Grisoft
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
2007-12-25 16:11 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-25 15:23 . 2008-01-03 21:09 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\HouseCall 6.6
2007-12-25 15:23 . 2008-01-03 21:09 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\HouseCall 6.6
2007-12-21 20:51 . 2008-01-02 08:36 <DIR> d-------- C:\Program Files\DNA
2007-12-21 20:51 . 2007-12-25 11:19 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\DNA
2007-12-21 20:51 . 2007-12-25 11:19 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\DNA
2007-12-21 20:42 . 2008-01-01 15:05 90,112 --a------ C:\WINDOWS\UpdReg .EXE
2007-12-21 20:41 . 2007-12-25 21:25 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-21 20:15 . 2007-12-21 20:15 3,932,214 --a------ C:\WINDOWS\InvaderDark1280.bmp
2007-12-19 22:44 . 2007-12-19 22:44 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\Windows Desktop Search
2007-12-19 22:44 . 2007-12-19 22:44 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\Windows Desktop Search
2007-12-19 22:43 . 2008-01-05 14:04 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-12-18 23:16 . 2007-12-18 23:16 <DIR> d-------- C:\Program Files\SysTools Software
2007-12-18 23:16 . 2007-10-21 08:22 1,458,688 --a------ C:\WINDOWS\system32\osenxpsuite2007.ocx
2007-12-18 23:16 . 2007-10-21 07:54 718,848 --a------ C:\WINDOWS\system32\osenxpzuite2007.dll
2007-12-18 23:16 . 2007-10-21 08:00 247,296 --a------ C:\WINDOWS\system32\osenxpsuite2007.dll
2007-12-18 23:16 . 2004-01-09 03:35 212,892 --a------ C:\WINDOWS\system32\domobj.tlb
2007-12-17 23:54 . 2007-12-17 23:57 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Citrix
2007-12-17 23:54 . 2007-12-17 23:54 81 --a------ C:\CTX.DAT
2007-12-16 17:49 . 1998-06-17 18:07 57,344 --a------ C:\WINDOWS\system32\Mfc42loc.dll
2007-12-16 17:49 . 2004-04-14 11:08 44,064 --a------ C:\WINDOWS\system32\drivers\WmXlCore.sys
2007-12-16 17:49 . 2004-04-14 11:08 21,280 --a------ C:\WINDOWS\system32\drivers\WmFilter.sys
2007-12-16 17:49 . 2004-04-14 11:08 10,144 --a------ C:\WINDOWS\system32\drivers\WmBEnum.sys
2007-12-16 17:49 . 2004-04-14 11:08 5,600 --a------ C:\WINDOWS\system32\drivers\WmVirHid.sys
2007-12-16 00:03 . 2007-12-16 00:03 15,781 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-12-15 21:58 . 2007-12-15 21:58 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Bluetooth Software
2007-12-15 21:53 . 2007-12-15 21:53 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Logitech
2007-12-15 21:50 . 2007-12-15 21:50 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-12-15 21:49 . 2007-12-15 21:56 <DIR> d-------- C:\Documents and Settings\Damien Nussbaum\Application Data\Logitech
2007-12-15 21:49 . 2007-12-15 21:56 <DIR> d-------- C:\DOCUME~1\DAMIEN~1\APPLIC~1\Logitech
2007-12-15 21:49 . 2005-10-05 12:00 47,104 --a------ C:\WINDOWS\system32\drivers\vserial.sys
2007-12-15 21:49 . 2005-10-05 12:00 18,167 --a------ C:\WINDOWS\system32\drivers\vsb.sys
2007-12-15 21:47 . 2007-12-15 21:47 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-12-15 21:47 . 2007-12-15 21:47 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-12-15 21:46 . 2007-01-23 15:45 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-12-15 21:46 . 2007-01-23 15:44 101,136 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-12-15 21:46 . 2007-01-23 15:45 78,864 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-12-15 21:46 . 2007-01-23 15:44 62,992 --a------ C:\WINDOWS\system32\drivers\L8042mou.Sys
2007-12-15 21:46 . 2007-01-23 15:45 34,576 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2007-12-15 21:46 . 2007-01-23 15:45 33,296 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2007-12-15 21:46 . 2007-01-23 15:44 20,496 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.sys
2007-12-15 21:45 . 2007-12-16 17:49 <DIR> d-------- C:\Program Files\Logitech
2007-12-15 21:45 . 2007-12-16 17:49 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-12-15 21:45 . 2007-12-15 21:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-12-15 21:45 . 2006-12-04 13:32 290,881 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2007-12-15 21:45 . 2007-01-30 01:46 163,840 --a------ C:\WINDOWS\system32\kemutb.dll
2007-12-15 21:45 . 2007-01-30 01:46 135,168 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-12-15 21:45 . 2007-01-30 01:46 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-12-15 21:45 . 2007-01-30 01:46 69,632 --a------ C:\WINDOWS\system32\KemXML.dll
2007-12-15 21:44 . 2007-12-15 21:44 <DIR> d-------- C:\Program Files\WIDCOMM
2007-12-15 21:44 . 2006-12-04 22:33 863,402 --a------ C:\WINDOWS\system32\drivers\btkrnl.sys
2007-12-15 21:44 . 2006-12-04 22:33 329,901 --a------ C:\WINDOWS\system32\drivers\btaudio.sys
2007-12-15 21:44 . 2006-12-04 22:33 106,557 --a------ C:\WINDOWS\system32\btw_ci.dll
2007-12-15 21:44 . 2006-12-04 22:33 67,672 --a------ C:\WINDOWS\system32\drivers\btwusb.sys
2007-12-15 21:44 . 2006-12-04 22:33 47,907 --a------ C:\WINDOWS\system32\drivers\btwhid.sys
2007-12-15 21:44 . 2006-12-04 22:33 30,459 --a------ C:\WINDOWS\system32\drivers\btport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 07:29 --------- d-----w C:\Documents and Settings\Damien Nussbaum\Application Data\BitTorrent
2008-01-11 07:29 --------- d-----w C:\DOCUME~1\DAMIEN~1\APPLIC~1\BitTorrent
2008-01-11 07:22 --------- d-----w C:\Program Files\FlashGet
2008-01-10 01:06 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-01-08 20:02 --------- d-----w C:\Program Files\BitTorrent
2008-01-08 20:01 --------- d-----w C:\Program Files\GameFace Messenger
2008-01-08 20:01 --------- d-----w C:\Program Files\Anti-Blaxx
2008-01-08 19:02 --------- d-----w C:\Program Files\mIRC
2008-01-05 11:14 --------- d-----w C:\Program Files\AlienGUIse
2008-01-03 07:09 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-02 11:05 --------- d-----w C:\Program Files\QuickTime
2008-01-02 07:39 --------- d-----w C:\Program Files\eMule
2008-01-02 07:33 --------- d-----w C:\Program Files\DAEMON Tools
2008-01-02 04:34 --------- d-----w C:\Program Files\Maplom
2008-01-02 04:34 --------- d-----w C:\Program Files\MagicISO
2008-01-01 11:43 --------- d-----w C:\Program Files\Saitek
2007-12-30 10:46 --------- d-----w C:\Program Files\Java
2007-12-30 10:20 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
2007-12-30 08:31 --------- d-----w C:\Program Files\Netscape
2007-12-30 08:31 --------- d-----w C:\Documents and Settings\Damien Nussbaum\Application Data\Netscape
2007-12-30 08:31 --------- d-----w C:\DOCUME~1\DAMIEN~1\APPLIC~1\Netscape
2007-12-25 19:31 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-25 12:55 --------- d-----w C:\Program Files\Trend Micro
2007-12-24 07:13 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-12-21 06:52 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-12-18 22:31 --------- d-----w C:\Program Files\XitNotes
2007-12-16 16:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-16 07:32 --------- d-----w C:\Program Files\OLITEC
2007-12-04 07:09 --------- d-----w C:\Program Files\SoftwareForLitSupport
2007-11-27 10:12 --------- d-----w C:\Program Files\Olifax
2007-11-26 18:35 --------- d-----w C:\Program Files\MSN Messenger
2007-11-18 10:42 461,952 ----a-w C:\WINDOWS\system32\drivers\MRVW245.sys
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-08-21 03:25 460,928 ----a-w C:\WINDOWS\inf\WN111\Mrvw245.sys
2007-05-24 13:58 249,856 ----a-w C:\WINDOWS\inf\WN111\InsDrv2k.exe
2006-07-05 10:21 212,992 ----a-w C:\WINDOWS\inf\WN111\CopyWHQLDriver.exe
2006-01-07 12:05 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-11-17 14:46 845,736 ----a-w C:\WINDOWS\inf\WN111\DPInst.exe
2003-03-16 01:00 7,216 ----a-w C:\WINDOWS\inf\RAMDISK.SYS
1998-04-26 22:00 570,128 ----a-w C:\Program Files\Common Files\DAO350.dll
2005-01-08 10:08 61 --sh--w C:\WINDOWS\cnerolf.dat
.
----a-w 1,517,568 2008-01-01 14:04:31 C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol .exe
----a-w   180,269 2007-12-30 12:05:12 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w    49,152 2008-01-01 14:04:04 C:\Program Files\Creative\Shared Files\Module Loader\DLLML .exe
----a-w   122,880 2008-01-01 14:05:07 C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu .exe
----a-w   157,592 2008-01-01 14:05:05 C:\Program Files\DAEMON Tools\daemon .exe
----a-w   290,112 2007-12-26 17:17:04 C:\Program Files\DNA\btdna .exe
----a-w   132,496 2007-12-30 10:35:06 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w   132,496 2008-01-01 14:05:30 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w    77,824 2008-01-01 14:05:52 C:\Program Files\Logitech\Profiler\lwemon .exe
----a-w 1,200,128 2007-12-25 14:40:24 C:\Program Files\Microsoft ActiveSync\wcescomm .exe
----a-w    81,920 2007-12-25 14:40:22 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd .exe
----a-w   155,648 2007-12-25 14:40:00 C:\Program Files\QuickTime\qttask .exe
----a-w   233,472 2008-01-01 14:05:32 C:\Program Files\Saitek\SD6\Software\ProfilerU .exe
----a-w   131,072 2008-01-01 14:05:33 C:\Program Files\Saitek\SD6\Software\SaiMfd .exe
----a-w   159,744 2008-01-01 14:04:56 C:\Program Files\Saitek\Software\Profiler .exe
----a-w    98,304 2008-01-01 14:04:54 C:\Program Files\Saitek\Software\SaiSmart .exe
----a-w    49,152 2008-01-01 14:05:01 C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12 .exe
----a-w    40,960 2008-01-01 14:04:48 C:\Program Files\ScanSoft\PaperPort\IndexSearch .exe
----a-w    57,393 2008-01-01 14:04:59 C:\Program Files\ScanSoft\PaperPort\pptd40nt .exe
----a-w 1,460,560 2008-01-01 14:05:40 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 3,112,960 2008-01-01 14:04:28 C:\Program Files\Trend Micro\Internet Security 2007\PccGuide .exe
----a-w   315,392 2007-12-25 10:24:52 C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon .exe
----a-w    90,112 2008-01-01 14:05:12 C:\WINDOWS\UpdReg .EXE
----a-w   155,648 2007-12-25 20:25:11 C:\WINDOWS\system32\NeroCheck .exe


((((((((((((((((((((((((((((( snapshot_2008-01-10_ 9.07.23,84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-08 20:08:49 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-01-11 07:20:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-01-08 20:08:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-01-11 07:20:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-01-08 20:08:49 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-11 07:20:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-09 07:48:07 80,458 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-11 07:22:19 80,962 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-09 07:48:07 442,908 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-11 07:22:19 443,796 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-11 07:20:06 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_480.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [ ]
"Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [ ]
"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\BitTorrent.exe" [2008-01-07 07:11 588080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [ ]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [ ]
"SaiSmart"="C:\Program Files\Saitek\Software\SaiSmart.exe" [ ]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [ ]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [ ]
"Opware12"="C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [ ]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [ ]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43 8466432]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"Tweak UI"="TWEAKUI.CPL" [2003-03-25 04:49 106544 C:\WINDOWS\system32\tweakui.cpl]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-07 07:11 620152]
"LtMoh"="C:\Program Files\OLITEC\MOH\Ltmoh.exe" [ ]
"Logitech BT Wizard"="LBTWiz.exe" []
"Easy Synchronization"="C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"ProfilerU"="C:\Program Files\Saitek\SD6\Software\ProfilerU.exe" [ ]
"SaiMfd"="C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" [ ]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 21:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"nTrayFw"="C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe" [ ]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"NaturalPoint"="" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [ ]
"InCD"="C:\lecteur G\--=Important=-- Programs\Nero 6.0\InCD 4\sharedNT\InCD.exe" [ ]
"GhostStartTrayApp"="C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [ ]
"GamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [ ]
"GameFace Messenger"="C:\Program Files\GameFace Messenger\GameFace.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"Anti-Blaxx Manager"="C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [ ]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [ ]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE" [ ]
"AcctMgr"="C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2005-09-09 14:21 263824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 08:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 22:37:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"= C:\Program Files\Logitech\Easy Synchronization\shellexecutehook.dll [2005-10-05 12:00 69632]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-01-30 02:15 65536 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWlgn.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 22:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Damien Nussbaum^Start Menu^Programs^Startup^Ubisoft register.lnk]
path=C:\Documents and Settings\Damien Nussbaum\Start Menu\Programs\Startup\ubisoft register.lnk
backup=C:\WINDOWS\pss\ubisoft register.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NPFMntor"=2 (0x2)
"SBService"=2 (0x2)
"ccPwdSvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 08:37:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 8:39:31
ComboFix-quarantined-files.txt 2008-01-11 07:39:01
ComboFix2.txt 2008-01-10 08:15:12
ComboFix3.txt 2008-01-08 20:33:09
.
2007-12-22 02:03:30 --- E O F ---




(ii) Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:44:25, on 11/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BitTorrent\BitTorrent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evc.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.fr/"); (C:\Documents and Settings\DAMIEN NUSSBAUM\Application Data\Mozilla\Profiles\default\fiouh0h9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CNetscape_France.src"); (C:\Documents and Settings\DAMIEN NUSSBAUM\Application Data\Mozilla\Profiles\default\fiouh0h9.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\OLITEC\MOH\Ltmoh.exe
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [InCD] C:\lecteur G\--=Important=-- Programs\Nero 6.0\InCD 4\sharedNT\InCD.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe"
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start (User '?')
O4 - HKUS\S-1-5-21-484763869-606747145-682003330-1003\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\BitTorrent.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-21-484763869-606747145-682003330-1003 Startup: Alcohol 120%.lnk = C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe (User '?')
O4 - S-1-5-21-484763869-606747145-682003330-1003 Startup: Shortcut to CMStart.lnk = D:\My Safe\My Drivers\Drivers Win XP\driver CH Pro Pedals USB Win XP\chstart\CMStart.exe (User '?')
O4 - S-1-5-21-484763869-606747145-682003330-1003 Startup: TrackIR.lnk = C:\Program Files\Naturalpoint\TrackIR4\TrackIR.exe (User '?')
O4 - Startup: Alcohol 120%.lnk = C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
O4 - Startup: Shortcut to CMStart.lnk = D:\My Safe\My Drivers\Drivers Win XP\driver CH Pro Pedals USB Win XP\chstart\CMStart.exe
O4 - Startup: TrackIR.lnk = C:\Program Files\Naturalpoint\TrackIR4\TrackIR.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ajouter au fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la cible du lien en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir la sélection en Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir la sélection en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir les liens sélectionnés en un fichier PDF existant - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer au périphérique &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Tout télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://externe.ofivalmo.fr/iNotes6.cab,Dan...101.12,CT=java+
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105167911843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Speed Disk service - Unknown owner - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: svchosl - Unknown owner - C:\Documents and Settings\Administrator\srvyce.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 18652 bytes





(iii)
Ran on 11/01/2008 - 8:45:14,67

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0


#10 SifuMike

SifuMike
  • malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 January 2008 - 01:08 PM

Hi CaptainKillgore,

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. When the scan is complete, save the results by clicking "Save Report As HTML". Give the report a name and save it to your desktop. If you have any problem saving the report, copy its text to the clipboard, then paste it into an empty Notepad document and save it to your desktop.
9. Post the Kaspersky scan results in your next reply. You can attach the scan if it is too big to post.

Edited by SifuMike, 11 January 2008 - 01:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 CaptainKillgore

CaptainKillgore
  • Topic Starter
  • Members
  • 107 posts

Posted 16 January 2008 - 06:24 PM

Hi SifuMike,

I hope this post finds you well.

As per your request and instructions, please find below for your review the Kaspersky Webscan log:-

KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 16, 2008 9:04:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/01/2008
Kaspersky Anti-Virus database records: 512458
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics
Total number of scanned objects 761840
Number of viruses found 35
Number of infected objects 135
Number of suspicious objects 5
Duration of the scan process 16:12:15

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.27.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.27.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy292.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_a40.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3EBC1521 Infected: Trojan-Dropper.VBS.Inor.cz skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:51:47 +0100]/UNNAMED/[From Jean-Louis ... /[From "ros ... / ... /[From koufoguang11@sina.com][Date Thu, 11 Oct ... /idjfjfsGP/GPassLite.exe Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:51:47 +0100]/UNNAMED/[From Jean-Louis ... /[From "ros ... / ... /[From koufoguang11@sina.com][Date Thu, 11 Oct 2007 03:23 ... /wazcgxzv.zip Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:51:47 +0100]/UNNAMED/[From Jean-Louis ... /[From "ros ... / ... /[From koufoguang11@sina.com][Date Thu, 11 Oct 2007 03:23:57 +0800]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:51:47 +0100]/UNNAMED/[From Jean-Louis ... /[From "ros ... /[From Burgess" ][Date 10 Oct 2007 12:42:12 +0200]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:51:47 +0100]/UNNAMED/[From Jean-Louis ... /[From "roslyn Kukkonen" ][Date Wed, 10 Oct 2007 16:48:08 +0200]/text Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:51:47 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:56:13 +0100]/text Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text/[From Jean-Louis Nussbaum ][Date Tue, 30 Nov 2004 09:51:47 +0100]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED/[From "philippe" ][Date Fri, 26 Nov 2004 23:24:16 +0100]/text Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED/[From Jean-Louis Nussbaum ][Date Fri, 26 Nov 2004 12:04:04 +0100]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox/[From Brigitte Longuet ][Date Tue, 16 nov 2004 18:33:35 +0100]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Inbox Mail Berkeley mbox: infected - 10 skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED/[From "Ignacio Mcbride" Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED/[From "Ignacio Mcbride" Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED/[From "Ignacio Mcbride" Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED/[From "Ignacio Mcbride" ][Date Wed, 10 Oct 2007 11:37:22 +0700]/text Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED/[From "Ignacio Mcbride" ][Date 26 Nov 2006 19:47:48 -0060]/text Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED/[From "Ignacio Mcbride" ][Date 26 Nov 2006 19:14:37 +0100]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED/[From "Ignacio Mcbride" ][Date Sun, 26 Nov 2006 09:53:34 +0500]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text/[From "Kip Parham" ][Date 26 Nov 2006 12:48:58 -0060]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text/[From Antivirus ][Date Wed, 22 Nov 2006 23:24:30 +0100]/text Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED/[From Antivirus ][Date Fri, 24 Nov 2006 18:02:52 +0100]/text Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk/[From "Ilene Milligan" ][Date 25 Nov 2006 18:58:14 -0060]/UNNAMED Infected: not-a-virus:Server-Proxy.Win32.GPass.a skipped
C:\Documents and Settings\Damien Nussbaum\Application Data\Thunderbird\Profiles\jvb946lf.default\Mail\pop3.evc.net\Junk Mail Berkeley mbox: infected - 11 skipped
C:\Documents and Settings\Damien Nussbaum\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\DAN PocketPC\3.PocketPC.ARM.Games.Appz.By.EnEsBe\3.PocketPC.ARM.Games.Appz.By.EnEsBe\www.pda365.com 3\Resco Keyboard PRO v4.33 PPC\r-000633-2005-04-13.rar Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\FlashGet v1.80 Final + Tweaker\fg180en.exe/data.rar/patch.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\FlashGet v1.80 Final + Tweaker\fg180en.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.jm skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\FlashGet v1.80 Final + Tweaker\fg180en.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker)\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker).zip/Kaspersky keys.rar/KAVblackList.exe Infected: HackTool.Win32.Agent.cx skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker)\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker).zip/Kaspersky keys.rar/KeyMon.exe Infected: HackTool.Win32.Agent.cx skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker)\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker).zip/Kaspersky keys.rar/KeyMon_nonUPX.exe Infected: HackTool.Win32.Agent.cx skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker)\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker).zip/Kaspersky keys.rar Infected: HackTool.Win32.Agent.cx skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker)\KASPERSKY AntiVirus7.0.1.321FINAL(with keys pack-key checker).zip ZIP: infected - 4 skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Professional_SP2_DVD(2nd_January,_2006)\Windows.XP.Pro.SP2.2006-01-02.DVD.iso/$OEM$/$$/SYSTEM32/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Professional_SP2_DVD(2nd_January,_2006)\Windows.XP.Pro.SP2.2006-01-02.DVD.iso/$OEM$/$1/INSTALL/WPI/COMMON/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Professional_SP2_DVD(2nd_January,_2006)\Windows.XP.Pro.SP2.2006-01-02.DVD.iso/WINXP/PRO/$OEM$/$$/SYSTEM32/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Professional_SP2_DVD(2nd_January,_2006)\Windows.XP.Pro.SP2.2006-01-02.DVD.iso/WINXP/PRO/$OEM$/$1/INSTALL/WPI/COMMON/CMDOW.EXE Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Professional_SP2_DVD(2nd_January,_2006)\Windows.XP.Pro.SP2.2006-01-02.DVD.iso ISOimage: infected - 4 skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Ultimate_(by Johnny)_[August2007-R2]\Windows XP Ultimate (by Johnny) [August2007-R2].iso/$OEM$/$$/System32/Repair/sfr.exe/4 Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Ultimate_(by Johnny)_[August2007-R2]\Windows XP Ultimate (by Johnny) [August2007-R2].iso/$OEM$/$$/System32/Repair/sfr.exe Infected: not-a-virus:RiskTool.Win32.WFPDisabler.a skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Ultimate_(by Johnny)_[August2007-R2]\Windows XP Ultimate (by Johnny) [August2007-R2].iso/updates/Nero/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Microsoft_Windows_XP_Ultimate_(by Johnny)_[August2007-R2]\Windows XP Ultimate (by Johnny) [August2007-R2].iso ISOimage: infected - 3 skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Trend Micro PC cillin Internet Security 2007 + Keymaker\Trend Micro PC cillin Internet Security 2007 + Keymaker.zip Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Trend Micro™ PC-cillin™ Internet Security 2007 - Vista Compatible\PC-Cilin\PCCillin15001329_KG_ONLY\keygen.exe Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Desktop\Torrent\downloads\Trend Micro™ PC-cillin™ Internet Security 2007 - Vista Compatible\PC-Cilin\PCCillin15001329_KG_ONLY.rar Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Local Settings\History\History.IE5\MSHist012008011520080116\index.dat Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\ntuser.dat Object is locked skipped
C:\Documents and Settings\Damien Nussbaum\ntuser.dat.LOG Object is locked skipped
C:\lecteur G\Flash Get Downloads\Intervideo.WinDVD.Platinum.5.x.keygen\Intervideo.WinDVD.Platinum.5.x.keygen.exe Object is locked skipped
C:\lecteur G\Flash Get Downloads\Intervideo.WinDVD.Platinum.5.x.keygen.rar Object is locked skipped
C:\lecteur G\Flash Get Downloads\PIDchanger.zip Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-01-11.08-16-13.log Object is locked skipped
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\mIRC\backup\mirc32.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.507 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\mIRC Power Pack\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\10.tmp/operation flashpoint resistance pl.exe Infected: Email-Worm.Win32.Bagle.hk skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\10.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\10.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\18.tmp/stream/data0004 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\18.tmp/stream Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\18.tmp NSIS: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\18.tmp UPX: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\18.tmp CryptFF.b: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2334.tmp/Vietcong Fist Alpha patch 1.6.exe Infected: Email-Worm.Win32.Bagle.hr skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2334.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2334.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\292.tmp/familykeylogger/crack/ctfmon.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.271 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\292.tmp/familykeylogger/FamilyKeyLogger-setup.exe/data0008 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.283 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\292.tmp/familykeylogger/FamilyKeyLogger-setup.exe/data0010 Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.170 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\292.tmp/familykeylogger/FamilyKeyLogger-setup.exe/data0011 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\292.tmp/familykeylogger/FamilyKeyLogger-setup.exe Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\292.tmp RAR: infected - 5 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\292.tmp CryptFF.b: infected - 5 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2A0.tmp/familykeylogger/crack/ctfmon.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.271 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2A0.tmp/familykeylogger/FamilyKeyLogger-setup.exe/data0008 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.283 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2A0.tmp/familykeylogger/FamilyKeyLogger-setup.exe/data0010 Infected: not-a-virus:Monitor.Win32.HomeKeyLogger.170 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2A0.tmp/familykeylogger/FamilyKeyLogger-setup.exe/data0011 Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2A0.tmp/familykeylogger/FamilyKeyLogger-setup.exe Infected: not-a-virus:Monitor.Win32.GoldenKeylogger.130 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2A0.tmp RAR: infected - 5 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\2A0.tmp CryptFF.b: infected - 5 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\33.tmp/PowerISO v.3.8 + KeyGen_DnGnMsTr/keygen.exe Infected: Trojan.Win32.ShipUp.n skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\33.tmp RAR: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\33.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\4.tmp/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\4.tmp RAR: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\4.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\BA.tmp/file23 Infected: Trojan.Win32.Hooker.j skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\BA.tmp Inno: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\BA.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\BB.tmp/goldeneyekeylog/gesetup.exe/file23 Infected: Trojan.Win32.Hooker.j skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\BB.tmp/goldeneyekeylog/gesetup.exe Infected: Trojan.Win32.Hooker.j skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\BB.tmp RAR: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\BB.tmp CryptFF.b: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\C.tmp/setup.exe Infected: P2P-Worm.Win32.Kapucen.b skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\C.tmp RAR: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\C.tmp CryptFF.b: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1E4FF661-C311-4BD3-83AC-E4394953637B}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1EEE2BD6-4D39-448C-A818-7C6016FBAC1C}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\madCHook.dll Infected: not-a-virus:RiskTool.Win32.Hooker.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_480.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\My Safe\My Games\Simulation\Janes FA-18\TSH Hi-Res\TEAM SUPER HORNET\HiRes-Wideview\F18.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\My Safe\My Games\Simulation\Janes FA-18\TSH Hi-Res\TEAM SUPER HORNET\Wideview\F18.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\My Safe\My Games\Simulation\Janes FA-18\TSHv1H.exe/TEAM SUPER HORNET\Wideview\F18.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\My Safe\My Games\Simulation\Janes FA-18\TSHv1H.exe/TEAM SUPER HORNET\HiRes-Wideview\F18.exe Suspicious: Packed.Win32.PePatch.dk skipped
D:\My Safe\My Games\Simulation\Janes FA-18\TSHv1H.exe ClickTeamPro: suspicious - 2 skipped
D:\My Safe\My Programs for WinXP\AnyDVD3201\tmganydv.rar Object is locked skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0056/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0056/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0056 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0057/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ae skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0057/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0057/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0057/data0002.cab/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow.h skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0057/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bu skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0057/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bu skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe/data0057 Infected: not-a-virus:AdWare.Win32.SaveNow.bu skipped
D:\My Safe\My Programs for WinXP\Downloading Program NetPumper\netpumper-1.10.2-setup.exe Inno: infected - 10 skipped
D:\My Safe\My Programs for WinXP\Flashget v.1.40 + SN\fgf140.exe/WISE0018.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\My Safe\My Programs for WinXP\Flashget v.1.40 + SN\fgf140.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\My Safe\My Programs for WinXP\Flashget v.1.40 + SN\fgf140.exe WiseSFX: infected - 2 skipped
D:\My Safe\My Programs for WinXP\Golden Eye v.3\gesetup.exe/data0005 Infected: Trojan-Spy.Win32.SpyAnyTime.a skipped
D:\My Safe\My Programs for WinXP\Golden Eye v.3\gesetup.exe/data0025 Infected: Trojan.Win32.Hooker.j skipped
D:\My Safe\My Programs for WinXP\Golden Eye v.3\gesetup.exe Inno: infected - 2 skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla-2.exe/data0033 Infected: not-a-virus:AdWare.Win32.EZula.bh skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla-2.exe Inno: infected - 1 skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla.exe/data0033 Infected: not-a-virus:AdWare.Win32.EZula.bh skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla.exe Inno: infected - 1 skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla123.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Aureate skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla123.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.Aureate skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla123.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla123.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla123.exe/WISE0029.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla123.exe/WISE0112.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla123.exe WiseSFX: infected - 6 skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla2.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Aureate skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla2.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.Aureate skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla2.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla2.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla2.exe/WISE0029.BIN Infected: not-a-virus:AdWare.Win32.Aureate.a skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla2.exe/WISE0112.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
D:\My Safe\My Programs for WinXP\gozilla\gozilla2.exe WiseSFX: infected - 6 skipped
D:\My Safe\My Programs for WinXP\Mirc 6.16\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\My Safe\My Programs for WinXP\Mirc 6.16\mirc616.exe mIRC: infected - 1 skipped
D:\My Safe\My Programs for WinXP\pidchanger_winxp\PIDchanger.zip Object is locked skipped
D:\My Safe\My Programs for WinXP\webcelerator\webcelerator_setup-r.exe/proxy.exe Infected: not-a-virus:Server-Proxy.Win32.Acceleration skipped
D:\My Safe\My Programs for WinXP\webcelerator\webcelerator_setup-r.exe ZIP: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{1E4FF661-C311-4BD3-83AC-E4394953637B}\RP9\change.log Object is locked skipped
G:\-==Fully Downloaded Files==-\PC-Faces.of.War.EMUDVD-Unleashed\FOW\FOW.iso/setup.exe Infected: Trojan-Downloader.Win32.Agent.ayi skipped
G:\-==Fully Downloaded Files==-\PC-Faces.of.War.EMUDVD-Unleashed\FOW\FOW.iso ISOimage: infected - 1 skipped
G:\-==Fully Downloaded Files==-\PC-Strategic.Command.2.Blitzkrieg[English]\gly-sc2b\gly-sc2b.iso/GLAMOURY/Strategic_Command_2_Blitzkrieg_v104_Patch.exe Infected: Trojan-Downloader.Win32.Agent.ayi skipped
G:\-==Fully Downloaded Files==-\PC-Strategic.Command.2.Blitzkrieg[English]\gly-sc2b\gly-sc2b.iso ISOimage: infected - 1 skipped
G:\-==Fully Downloaded Files==-\Star.Wars.Empire.At.War.BWClone-MiRROR\CureROM_130b_Setup.rar Object is locked skipped
G:\-==Fully Downloaded Files==-\War.Front.Turning.Point-RELOADED.wWw.GaMesFive.NeT\War.Front.Turning.Point.KEYGEN-RELOADED\rld-wfkg.rar Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\EMULE_INCOMING\DAN Music (MP3s)\les-duos-de-marc---marc-lavoine-[-full-album-].zip Object is locked skipped
H:\EMULE_INCOMING\FlashGet v1.80 Final Incl Patch by TE.rar Object is locked skipped
H:\EMULE_INCOMING\MagicISO.Maker.v5.4.Build.0239.Incl.Key.WinAll-FYSP.rar Object is locked skipped
H:\EMULE_INCOMING\[DAN] Pocket PC SPV M1000 (Qtek 2020)\PocketPC - 18 Pocket PC Applications.zip/Pocket PC Software/Area Code Reverse Lookup Install File (PocketPC).exe/data0004 Infected: not-a-virus:AdWare.Win32.OnFlow skipped
H:\EMULE_INCOMING\[DAN] Pocket PC SPV M1000 (Qtek 2020)\PocketPC - 18 Pocket PC Applications.zip/Pocket PC Software/Area Code Reverse Lookup Install File (PocketPC).exe Infected: not-a-virus:AdWare.Win32.OnFlow skipped
H:\EMULE_INCOMING\[DAN] Pocket PC SPV M1000 (Qtek 2020)\PocketPC - 18 Pocket PC Applications.zip ZIP: infected - 2 skipped
H:\My Safe\TEMP\getrgt.exe/WISE0032.BIN Infected: not-a-virus:AdWare.Win32.TimeSinc skipped
H:\My Safe\TEMP\getrgt.exe WiseSFX: infected - 1 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.


Thank you very much for your kind assistance in this matter.
Your help is much appreciated :thumbsup:

Best regards,
Captain Killgore

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 January 2008 - 07:49 PM

Hi CaptainKillgore,

BitDefender should remove the malware, so let's run it.

You will need to use Internet Explorer for this scan.

Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.
By default, BitDefender Online Scanner will scan your entire computer.
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All, then copy/paste that log back here.
Post the BitDefender log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 CaptainKillgore

CaptainKillgore
  • Topic Starter

  • Members
  • 107 posts

Posted 17 January 2008 - 03:05 PM

Hi SifuMike-

Thank you for your post below.

As per your instructions, please find below for your review and comments a BitDefender Online Scanner log.



BitDefender Online Scanner - Real Time Virus Report
Generated at: Thu, Jan 17, 2008 - 20:50:26

Scan Info
Scanned Files: 2984649
Infected Files: 34

Virus Detected
Trojan.Keylogger.AO - 2
Trojan.Downloader.IstBar.OK - 1
Trojan.Keylogger.143 - 2
Trojan.Mewpacked.Z - 1
Trojan.Keylogger.Famlog.A - 2
Generic.Qhost.4CD0D825 - 2
Trojan.Hooker.J - 3
MemScan:Trojan.Agent.YE - 2
Adware.CyDoor - 1
Win32.Worm.P2P.Puce.G - 2
Trojan.Downloader.Istbar.VH - 1
Trojan.Horse3.FXI - 1
Trojan.Keylogger.IP - 2
Trojan.Spy.Keylogger.Y - 1
Trojan.Peed.Gen - 1
Trojan.Downloader.Agent.ASC - 2
Win32.Bagle.HK@mm - 1
Trojan.Spy.Proagent.T - 1
Trojan.Progent.C - 1
Trojan.Dropper.Agent.ES - 2
Win32.Bagle.HI@mm - 1
Packer.Enigma.B - 1
Packer.PESpin.A - 1

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

Thank you very much for your kind assistance in this matter.
Your help is much appreciated.

Best regards,
Captain Killgore

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 January 2008 - 03:28 PM

Hi CaptainKillgore,

That report looks very short. I think you may have posted only the top portion.
It should show the locations of everything it deleted.


The report should look something like this:

BitDefender Online Scanner
Scan report generated at: Thu, Dec 27, 2007 - 16:13:41
Scan path: A:\;C:\;D:\;E:\;F:\;G:\;
Statistics

Time
04:06:32

Files
751567

Folders
25447

Boot Sectors
5

Archives
14183

Packed Files
17976

Results

Identified Viruses
2

Infected Files
2

Suspect Files
1

Warnings
0

Disinfected
0

Deleted Files
4
Engines Info

Virus Definitions
884409

Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins
14

Archive plugins
38

Unpack plugins
7

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions

Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24B458EE.exe=>(Quarantine-2)
Infected with: Generic.Dialer.D4637DC7

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24B458EE.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24B458EE.exe=>(Quarantine-2)
Deleted

C:\Program Files\BTopenworld\Launch.exe
Infected with: Trojan.Click.IL

C:\Program Files\BTopenworld\Launch.exe
Disinfection failed

C:\Program Files\BTopenworld\Launch.exe
Deleted

C:\Program Files\BTopenworld\PostReg.exe
Suspected of: BehavesLike:Trojan.HangUp

C:\Program Files\BTopenworld\PostReg.exe
Disinfection failed

C:\Program Files\BTopenworld\PostReg.exe
Deleted



Please see if you can post the entire report. Thanks. :thumbsup:

Edited by SifuMike, 17 January 2008 - 05:00 PM.

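As an added illustration of the report layout described in the post above (this is example code written for this page, not BleepingComputer's or BitDefender's own tooling), the following Python parses the per-file section of a report in that shape, groups the status lines by path, compares the per-file counts with the report's own statistics, and lists any detection whose last recorded action was neither "Disinfected" nor "Deleted". The sample report text is constructed from the quoted example; real reports may carry additional status strings that the parser would simply record as actions.

```python
from collections import OrderedDict

# Constructed sample in the layout of the report quoted above: a "Scanned File" /
# "Status" column header, then one path line followed by one status line per
# event, blank-line separated. Paths and detection names are copied from the
# quoted sample; the parser itself is an added example, not BitDefender code.
SAMPLE_REPORT = r"""
Scanned File
Status

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24B458EE.exe=>(Quarantine-2)
Infected with: Generic.Dialer.D4637DC7

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24B458EE.exe=>(Quarantine-2)
Disinfection failed

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\24B458EE.exe=>(Quarantine-2)
Deleted

C:\Program Files\BTopenworld\Launch.exe
Infected with: Trojan.Click.IL

C:\Program Files\BTopenworld\Launch.exe
Disinfection failed

C:\Program Files\BTopenworld\Launch.exe
Deleted

C:\Program Files\BTopenworld\PostReg.exe
Suspected of: BehavesLike:Trojan.HangUp

C:\Program Files\BTopenworld\PostReg.exe
Disinfection failed

C:\Program Files\BTopenworld\PostReg.exe
Deleted
"""

# Status lines that mean the scanner finished dealing with the file.
RESOLVED_ACTIONS = {"Deleted", "Disinfected"}


def has_file_section(text):
    """True if the report carries the per-file section. A report that stops at
    the statistics block (only the "Scanned Files"/"Infected Files" counts) is
    truncated, which is the problem raised in the post above."""
    return any(line.rstrip() == "Scanned File" for line in text.splitlines())


def parse_report(text):
    """Group the per-file section by path.

    Returns an ordered mapping path -> {"kind": "infected"|"suspected"|None,
    "detection": name or None, "actions": [status lines, in report order]}.
    """
    entries = OrderedDict()
    lines = [line.rstrip() for line in text.splitlines()]
    if "Scanned File" not in lines:
        return entries
    start = lines.index("Scanned File") + 1
    if start < len(lines) and lines[start] == "Status":
        start += 1
    body = [line for line in lines[start:] if line.strip()]
    # After the header the non-blank lines alternate: a path, then its status.
    for path, status in zip(body[0::2], body[1::2]):
        entry = entries.setdefault(path, {"kind": None, "detection": None, "actions": []})
        if status.startswith("Infected with: "):
            entry["kind"] = "infected"
            entry["detection"] = status[len("Infected with: "):]
        elif status.startswith("Suspected of: "):
            entry["kind"] = "suspected"
            entry["detection"] = status[len("Suspected of: "):]
        else:
            entry["actions"].append(status)
    return entries


def counts(entries):
    """(infected, suspected) file counts, comparable with the report's own
    "Infected Files" / "Suspect Files" statistics."""
    infected = sum(1 for e in entries.values() if e["kind"] == "infected")
    suspected = sum(1 for e in entries.values() if e["kind"] == "suspected")
    return infected, suspected


def unresolved(entries):
    """Paths whose last recorded action was neither Deleted nor Disinfected,
    i.e. detections still on disk that need follow-up."""
    return [path for path, e in entries.items()
            if not e["actions"] or e["actions"][-1] not in RESOLVED_ACTIONS]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for path, e in report.items():
        print("%-9s %-30s %s -> %s" % (e["kind"], e["detection"], path, ", ".join(e["actions"])))
    print("infected=%d suspected=%d unresolved=%s" % (counts(report) + (unresolved(report),)))
```

Run on the constructed sample the per-file counts come out as 2 infected and 1 suspected, matching the "Infected Files 2" and "Suspect Files 1" statistics in the quoted report, and nothing is left unresolved because every path ends in "Deleted". Feeding it only the statistics block, as in the short log posted earlier in the thread, makes `has_file_section` return False and `parse_report` return an empty mapping.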

#15 CaptainKillgore

CaptainKillgore
  • Topic Starter

  • Members
  • 107 posts

Posted 21 January 2008 - 01:47 AM

Hi SifuMike,
You will find below for your review the entire BitDefender Online Scanner log. Note that I had to reformat it somewhat.
Please let me know if you want me to rerun BitDefender Online Scanner.
Thank you for your kind assistance.
Kind regards,
Captain Killgore
-----------------------------------------------------------

BitDefender Online Scanner - Real Time Virus Report
Generated at: Thu, Jan 17, 2008 - 20:50:26

Scan Info
Scanned Files
2984649
Infected Files
34
Virus Detected
Trojan.Keylogger.AO
2
Trojan.Downloader.IstBar.OK
1
Trojan.Keylogger.143
2
Trojan.Mewpacked.Z
1
Trojan.Keylogger.Famlog.A
2
Generic.Qhost.4CD0D825
2
Trojan.Hooker.J
3
MemScan:Trojan.Agent.YE
2
Adware.CyDoor
1
Win32.Worm.P2P.Puce.G
2
Trojan.Downloader.Istbar.VH
1
Trojan.Horse3.FXI
1
Trojan.Keylogger.IP
2
Trojan.Spy.Keylogger.Y
1
Trojan.Peed.Gen
1
Trojan.Downloader.Agent.ASC
2
Win32.Bagle.HK@mm
1
Trojan.Spy.Proagent.T
1
Trojan.Progent.C
1
Trojan.Dropper.Agent.ES
2
Win32.Bagle.HI@mm
1
Packer.Enigma.B
1
Packer.PESpin.A
1
This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.



