Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde.dll


  • This topic is locked This topic is locked
8 replies to this topic

#1 pheap

pheap

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 08 June 2008 - 02:01 PM

Hi forum members,

Could someone help me with this issue. I have tried Spybot and it removal process, but it keeps coming back. I don't have any pop-ups yet, but notice a little system lag.

Thanks in advance,
Pheap

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:10 AM, on 6/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BMc3abc83c] Rundll32.exe "C:\WINDOWS\system32\nsvcabbo.dll",s
O4 - HKLM\..\Run: [c098fba0] rundll32.exe "C:\WINDOWS\system32\tqvxpkvl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212376485515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 8149 bytes

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 AM

Posted 09 June 2008 - 03:36 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 pheap

pheap
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 09 June 2008 - 08:29 PM

Hi miekiemoes,

Thanks for your prompt support. Please let me know if it neccessary to install Recovery Tool, since I still have the original Windows XP CD to boot from. Here are my logs.

Thanks again,
Pheap

ComboFix 08-06-07.1 - SNhem 2008-06-09 18:14:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2534 [GMT -7:00]
Running from: C:\Documents and Settings\SNhem\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc3abc83c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\akyifxeu.dll
C:\WINDOWS\system32\awtrOefD.dll
C:\WINDOWS\system32\DfeOrtwa.ini
C:\WINDOWS\system32\DfeOrtwa.ini2
C:\WINDOWS\system32\frnlcxjq.ini
C:\WINDOWS\system32\lvkpxvqt.ini
C:\WINDOWS\system32\nmoxwpdk.dll
C:\WINDOWS\system32\nsvcabbo.dll
C:\WINDOWS\system32\qjxclnrf.dll
C:\WINDOWS\system32\tqvxpkvl.dll
C:\WINDOWS\system32\tyqfsdov.dll
C:\WINDOWS\system32\xwaktxxe.dll
C:\WINDOWS\system32\yHgOrtwa.ini
C:\WINDOWS\system32\yHgOrtwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-08 11:54 . 2008-04-13 11:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-07 17:55 . 2008-06-07 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 13:03 . 2008-06-07 13:03 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Publish Providers
2008-06-07 12:59 . 2008-06-07 12:59 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Sony
2008-06-07 12:54 . 2008-06-07 12:54 <DIR> d-------- C:\Program Files\Vstplugins
2008-06-07 12:54 . 2008-06-07 12:58 <DIR> d-------- C:\Program Files\Sony
2008-06-07 12:53 . 2008-06-07 12:53 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-07 12:53 . 2008-06-07 12:53 56,320 --a------ C:\WINDOWS\system32\geBrqpQJ.dll
2008-06-07 12:47 . 2008-06-07 12:47 56,320 --a------ C:\WINDOWS\system32\iifcAPHX.dll
2008-06-07 12:42 . 2008-06-07 12:42 <DIR> d-------- C:\Program Files\WinISO
2008-06-06 23:30 . 2008-06-06 23:30 <DIR> d-------- C:\WINDOWS\Logs
2008-06-06 19:02 . 2008-06-06 19:02 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-06 18:50 . 2008-06-06 18:50 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-06-06 18:50 . 2008-06-06 19:02 35,412 --a------ C:\WINDOWS\DIIUnin.dat
2008-06-06 18:50 . 2008-06-06 18:50 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-06-06 18:42 . 2008-06-06 19:05 <DIR> d-------- C:\Program Files\Diablo II
2008-06-06 16:51 . 2008-06-06 16:51 <DIR> d-------- C:\WINDOWS\nview
2008-06-06 16:51 . 2008-06-06 16:51 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-06 16:51 . 2008-03-24 16:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-06 16:51 . 2008-06-09 18:19 175,033 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-06 16:51 . 2008-03-24 16:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-06 16:50 . 2008-03-24 11:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-04 19:08 . 2008-06-04 19:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-03 23:07 . 2008-06-03 23:07 <DIR> d-------- C:\EbuDllTmpDir
2008-06-02 19:50 . 2008-06-02 19:50 <DIR> dr------- C:\Documents and Settings\SNhem\Application Data\Brother
2008-06-02 01:56 . 2008-01-19 00:45 333,203 -rahs---- C:\bootmgr
2008-06-02 01:49 . 2008-06-02 01:56 <DIR> d--hs---- C:\Boot
2008-06-02 01:06 . 2008-06-02 01:06 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-06-02 00:19 . 2008-06-02 00:29 <DIR> d-------- C:\Program Files\RealFlightG3
2008-06-02 00:19 . 2008-06-02 00:19 <DIR> d-------- C:\Program Files\Common Files\KnifeEdge
2008-06-02 00:00 . 2008-06-02 00:00 <DIR> d-------- C:\Program Files\Ultrasoft
2008-06-02 00:00 . 2008-06-02 00:00 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Ultrasoft
2008-06-01 23:37 . 2008-06-01 23:46 <DIR> d-------- C:\Program Files\Microsoft Money 2007
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\QuickTime
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\iTunes
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\iPod
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\Bonjour
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Apple Computer
2008-06-01 23:34 . 2008-06-01 23:34 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-01 23:34 . 2008-06-01 23:34 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-01 23:34 . 2008-06-01 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-01 23:34 . 2008-06-01 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-01 23:14 . 2008-06-01 23:14 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 23:14 . 2008-06-01 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-01 23:12 . 2008-06-07 12:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-01 23:06 . 2008-06-01 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-01 23:04 . 2008-06-01 23:05 <DIR> d-------- C:\Program Files\CyberLink
2008-06-01 23:01 . 2008-06-07 16:18 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\VMware
2008-06-01 22:54 . 2008-06-01 22:54 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Roxio
2008-06-01 22:54 . 2008-06-01 22:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-06-01 22:53 . 2008-06-01 22:53 <DIR> d-------- C:\Program Files\InterActual
2008-06-01 22:51 . 2008-06-01 22:53 <DIR> d-------- C:\WINDOWS\system32\DLA
2008-06-01 22:51 . 2008-06-01 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-01 22:51 . 2006-08-08 09:18 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-06-01 22:51 . 2006-08-08 09:18 56,056 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2008-06-01 22:51 . 2006-08-01 19:46 51,800 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2008-06-01 22:51 . 2006-08-01 20:06 28,216 --a------ C:\WINDOWS\system32\drivers\DLARTL_M.SYS
2008-06-01 22:51 . 2006-08-01 20:06 12,952 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2008-06-01 22:50 . 2008-06-01 22:50 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-06-01 22:50 . 2008-06-01 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-06-01 22:49 . 2008-06-01 22:49 <DIR> d-------- C:\Program Files\Xingtone
2008-06-01 22:48 . 2008-06-01 22:49 <DIR> d-------- C:\Program Files\SightSpeed
2008-06-01 22:46 . 2008-06-01 22:51 <DIR> d-------- C:\Program Files\Roxio
2008-06-01 22:46 . 2008-06-01 22:46 <DIR> d-------- C:\Program Files\DivX
2008-06-01 22:46 . 2008-06-01 22:50 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-01 22:46 . 2008-06-01 22:47 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2008-06-01 22:46 . 2008-06-01 22:47 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-01 22:46 . 2008-06-01 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-01 22:42 . 2008-06-08 02:48 481 --a------ C:\WINDOWS\wininit.ini
2008-06-01 22:31 . 2008-06-01 22:31 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Ahead
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Program Files\Nero
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-01 22:22 . 2008-06-01 22:22 <DIR> d-------- C:\Program Files\CloneDVD
2008-06-01 22:22 . 2008-06-01 22:22 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Vso
2008-06-01 22:22 . 2008-06-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVDXStudio
2008-06-01 22:22 . 2008-06-01 22:22 81,920 --a------ C:\Documents and Settings\SNhem\Application Data\ezpinst.exe
2008-06-01 22:22 . 2008-06-01 22:22 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-01 22:22 . 2008-06-01 22:22 47,360 --a------ C:\Documents and Settings\SNhem\Application Data\pcouffin.sys
2008-06-01 22:21 . 2008-06-09 18:18 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-01 22:20 . 2008-06-09 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-06-01 22:20 . 2007-04-13 05:48 391,984 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-06-01 22:20 . 2007-04-13 05:48 142,128 --a------ C:\WINDOWS\system32\vmnat.exe
2008-06-01 22:20 . 2007-04-13 05:48 113,456 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-06-01 22:20 . 2007-04-13 05:49 22,576 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-06-01 22:18 . 2008-06-01 22:18 <DIR> d-------- C:\Program Files\VMware
2008-06-01 22:18 . 2008-06-01 22:18 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-06-01 22:15 . 2008-06-01 22:15 <DIR> d-------- C:\Program Files\MagicDisc
2008-06-01 22:15 . 2008-05-27 12:11 96,896 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-06-01 22:10 . 2008-06-01 22:10 <DIR> d-------- C:\Program Files\PowerISO
2008-06-01 22:07 . 2008-06-01 22:07 <DIR> d-------- C:\Program Files\MagicISO
2008-06-01 22:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-01 22:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-01 21:46 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-01 21:46 . 2008-04-13 11:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-01 21:45 . 2008-06-01 21:45 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-06-01 21:45 . 2008-06-01 21:45 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-01 21:44 . 2008-06-01 21:44 <DIR> d-------- C:\Program Files\HP
2008-06-01 21:44 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-06-01 21:44 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-06-01 21:44 . 2008-06-01 21:45 106,279 --a------ C:\WINDOWS\hpoins07.dat
2008-06-01 21:44 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-06-01 21:44 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-06-01 21:44 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-06-01 21:44 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-06-01 21:44 . 2005-06-21 19:19 17,505 --------- C:\WINDOWS\hpomdl07.dat
2008-06-01 21:35 . 2008-06-01 21:35 0 --a------ C:\WINDOWS\VPC32.INI
2008-06-01 21:17 . 2008-06-01 21:17 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-01 20:00 . 2008-06-01 20:00 <DIR> d-------- C:\Program Files\AngelPotion Video Codec V1
2008-06-01 20:00 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-01 20:00 . 2000-08-09 21:26 177,241 --a------ C:\WINDOWS\system32\APmpg4v1.apl
2008-06-01 20:00 . 2000-08-23 07:26 106,496 --a------ C:\WINDOWS\system32\APmpg4v1.dll
2008-06-01 19:59 . 2008-06-01 19:59 <DIR> d-------- C:\Program Files\SLD Codec Pack
2008-06-01 19:39 . 2008-06-01 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-01 19:36 . 2008-06-07 12:45 <DIR> d-------- C:\Program Files\WinAce
2008-06-01 19:27 . 2008-06-01 19:27 <DIR> d-------- C:\Program Files\TightVNC
2008-06-01 19:27 . 2008-06-01 19:31 <DIR> d-------- C:\Program Files\No-IP
2008-06-01 19:26 . 2008-06-01 19:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 19:26 . 2008-06-01 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 19:10 . 2007-08-21 01:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-06-01 19:09 . 2008-06-01 19:10 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-06-01 19:08 . 2008-06-01 19:09 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-06-01 19:05 . 2008-04-13 11:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-01 19:05 . 2008-04-13 11:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-06-01 19:01 . 2008-06-01 19:01 <DIR> d-------- C:\Program Files\Brownie

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 00:01 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-01 23:59 --------- d-----w C:\Program Files\Intel
2008-06-01 23:51 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-01 23:37 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 00:13 40,840 ------w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ------w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ------w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ------w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 451,072 ------w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-13 19:28 175,744 ------w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ------w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ------w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ------w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ------w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ------w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ------w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ------w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:17 83,072 ------w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ------w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ------w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ------w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ------w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ------w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ------w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ------w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ------w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ------w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ------w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ------w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ------w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ------w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ------w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ------w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ------w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ------w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ------w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ------w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ------w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ------w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ------w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ------w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ------w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ------w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ------w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ------w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ------w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ------w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ------w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ------w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:46 61,696 ------w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ------w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ------w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ------w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ------w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ------w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ------w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ------w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ------w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ------w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ------w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ------w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ------w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ------w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ------w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 18:39 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-13 18:38 71,168 ------w C:\WINDOWS\system32\drivers\dxg.sys
2008-04-13 18:34 163,584 ------w C:\WINDOWS\system32\drivers\nwrdr.sys
2008-04-13 18:33 44,544 ------w C:\WINDOWS\system32\drivers\fips.sys
2008-04-13 18:32 66,048 ------w C:\WINDOWS\system32\drivers\udfs.sys
2008-04-13 18:32 30,848 ------w C:\WINDOWS\system32\drivers\npfs.sys
2008-04-13 18:32 196,224 ------w C:\WINDOWS\system32\drivers\rdpdr.sys
2008-04-13 18:32 19,072 ------w C:\WINDOWS\system32\drivers\msfs.sys
2008-04-13 18:32 180,608 ------w C:\WINDOWS\system32\drivers\mrxdav.sys
2008-04-13 18:32 129,792 ------w C:\WINDOWS\system32\drivers\fltmgr.sys
2008-04-13 18:31 92,288 ------w C:\WINDOWS\system32\drivers\ksecdd.sys
2008-04-13 18:31 42,752 ------w C:\WINDOWS\system32\drivers\p3.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_17.08.26.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-08 00:06:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 01:18:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 00:11:49 125,952 -c--a-w C:\WINDOWS\system32\dllcache\apphelp.dll
+ 2008-04-14 00:11:58 71,680 -c--a-w C:\WINDOWS\system32\dllcache\msacm32.dll
+ 2008-04-14 00:11:59 15,360 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
+ 2008-04-14 00:12:29 42,496 -c--a-w C:\WINDOWS\system32\dllcache\net.exe
+ 2008-04-14 00:12:03 23,040 -c--a-w C:\WINDOWS\system32\dllcache\psapi.dll
+ 2008-04-14 00:12:04 64,000 -c--a-w C:\WINDOWS\system32\dllcache\samlib.dll
+ 2008-04-14 00:12:05 8,461,312 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2008-04-14 00:12:08 727,040 -c--a-w C:\WINDOWS\system32\dllcache\userenv.dll
+ 2008-04-14 00:12:45 146,432 -c--a-w C:\WINDOWS\system32\dllcache\winspool.drv
+ 2008-04-14 00:12:10 82,432 -c--a-w C:\WINDOWS\system32\dllcache\ws2_32.dll
+ 2008-04-14 00:12:10 19,968 -c--a-w C:\WINDOWS\system32\dllcache\ws2help.dll
+ 2008-04-13 18:45:38 26,368 ----a-w C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2008-06-10 01:18:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_588.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45CF7A09-1A12-43C3-89F6-8804AA040F7D}]
C:\WINDOWS\system32\awtrOgHy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97C15C81-5130-400A-A96F-03178C4D19A0}]
C:\WINDOWS\system32\tuvSiiFV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D76234BF-8163-4F4D-BCCF-8303D3A024BF}]
C:\WINDOWS\system32\wvUlKcCS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
2008-06-07 12:47 56320 --a------ C:\WINDOWS\system32\iifcAPHX.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-27 21:22 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-27 21:21 162584]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [2007-05-07 19:28 589824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 16:52 13524992]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 16:52 86016]

C:\Documents and Settings\SNhem\Start Menu\Programs\Startup\
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2008-06-01 19:27:37 1172992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"= C:\WINDOWS\system32\iifcAPHX.dll [2008-06-07 12:47 56320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcAPHX]
iifcAPHX.dll 2008-06-07 12:47 56320 C:\WINDOWS\system32\iifcAPHX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.AP41"= APmpg4v1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2006-10-22 23:24 620152 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2007-06-27 21:17 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2006-08-14 01:07 102400 C:\Program Files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2007-02-07 16:21 54832 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-20 00:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-02-07 16:24 71216 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-07-31 09:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-08-10 12:10 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-06-27 21:17 16132608 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 18:19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iifcAPHX.dll
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-09 18:21:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 01:20:53
ComboFix2.txt 2008-06-08 01:10:08

Pre-Run: 56,808,718,336 bytes free
Post-Run: 56,802,922,496 bytes free

396


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:31 PM, on 6/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {45CF7A09-1A12-43C3-89F6-8804AA040F7D} - C:\WINDOWS\system32\awtrOgHy.dll (file missing)
O2 - BHO: (no name) - {97C15C81-5130-400A-A96F-03178C4D19A0} - C:\WINDOWS\system32\tuvSiiFV.dll (file missing)
O2 - BHO: (no name) - {D76234BF-8163-4F4D-BCCF-8303D3A024BF} - C:\WINDOWS\system32\wvUlKcCS.dll (file missing)
O2 - BHO: (no name) - {E23136A1-1AC4-4D1B-926F-5D537CFFF359} - C:\WINDOWS\system32\iifcAPHX.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212376485515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: iifcAPHX - C:\WINDOWS\SYSTEM32\iifcAPHX.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 8266 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 AM

Posted 10 June 2008 - 12:05 AM

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\iifcAPHX.dll
C:\WINDOWS\system32\geBrqpQJ.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45CF7A09-1A12-43C3-89F6-8804AA040F7D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97C15C81-5130-400A-A96F-03178C4D19A0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D76234BF-8163-4F4D-BCCF-8303D3A024BF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E23136A1-1AC4-4D1B-926F-5D537CFFF359}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E23136A1-1AC4-4D1B-926F-5D537CFFF359}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcAPHX]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 pheap

pheap
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 10 June 2008 - 05:44 AM

Hi,

ComboFix 08-06-07.1 - SNhem 2008-06-10 3:27:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2541 [GMT -7:00]
Running from: C:\Documents and Settings\SNhem\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SNhem\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\geBrqpQJ.dll
C:\WINDOWS\system32\iifcAPHX.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\geBrqpQJ.dll
C:\WINDOWS\system32\iifcAPHX.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-10 to 2008-06-10 )))))))))))))))))))))))))))))))
.

2008-06-08 11:54 . 2008-04-13 11:45 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-07 17:55 . 2008-06-07 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 13:03 . 2008-06-07 13:03 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Publish Providers
2008-06-07 12:59 . 2008-06-07 12:59 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Sony
2008-06-07 12:54 . 2008-06-07 12:54 <DIR> d-------- C:\Program Files\Vstplugins
2008-06-07 12:54 . 2008-06-07 12:58 <DIR> d-------- C:\Program Files\Sony
2008-06-07 12:53 . 2008-06-07 12:53 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-07 12:42 . 2008-06-07 12:42 <DIR> d-------- C:\Program Files\WinISO
2008-06-06 23:30 . 2008-06-06 23:30 <DIR> d-------- C:\WINDOWS\Logs
2008-06-06 19:02 . 2008-06-06 19:02 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-06 18:50 . 2008-06-06 18:50 94,208 --a------ C:\WINDOWS\DIIUnin.exe
2008-06-06 18:50 . 2008-06-06 19:02 35,412 --a------ C:\WINDOWS\DIIUnin.dat
2008-06-06 18:50 . 2008-06-06 18:50 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-06-06 18:42 . 2008-06-06 19:05 <DIR> d-------- C:\Program Files\Diablo II
2008-06-06 16:51 . 2008-06-06 16:51 <DIR> d-------- C:\WINDOWS\nview
2008-06-06 16:51 . 2008-06-06 16:51 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-06 16:51 . 2008-03-24 16:52 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-06 16:51 . 2008-06-10 03:31 175,033 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-06 16:51 . 2008-03-24 16:52 17,937 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-06 16:50 . 2008-03-24 11:27 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-04 19:08 . 2008-06-04 19:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-03 23:07 . 2008-06-03 23:07 <DIR> d-------- C:\EbuDllTmpDir
2008-06-02 19:50 . 2008-06-02 19:50 <DIR> dr------- C:\Documents and Settings\SNhem\Application Data\Brother
2008-06-02 01:56 . 2008-01-19 00:45 333,203 -rahs---- C:\bootmgr
2008-06-02 01:49 . 2008-06-02 01:56 <DIR> d--hs---- C:\Boot
2008-06-02 01:06 . 2008-06-02 01:06 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-06-02 00:19 . 2008-06-02 00:29 <DIR> d-------- C:\Program Files\RealFlightG3
2008-06-02 00:19 . 2008-06-02 00:19 <DIR> d-------- C:\Program Files\Common Files\KnifeEdge
2008-06-02 00:00 . 2008-06-02 00:00 <DIR> d-------- C:\Program Files\Ultrasoft
2008-06-02 00:00 . 2008-06-02 00:00 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Ultrasoft
2008-06-01 23:37 . 2008-06-01 23:46 <DIR> d-------- C:\Program Files\Microsoft Money 2007
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\QuickTime
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\iTunes
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\iPod
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Program Files\Bonjour
2008-06-01 23:35 . 2008-06-01 23:35 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Apple Computer
2008-06-01 23:34 . 2008-06-01 23:34 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-01 23:34 . 2008-06-01 23:34 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-01 23:34 . 2008-06-01 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-01 23:34 . 2008-06-01 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-01 23:14 . 2008-06-01 23:14 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-06-01 23:14 . 2008-06-01 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-01 23:12 . 2008-06-07 12:28 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-01 23:06 . 2008-06-01 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-01 23:04 . 2008-06-01 23:05 <DIR> d-------- C:\Program Files\CyberLink
2008-06-01 23:01 . 2008-06-07 16:18 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\VMware
2008-06-01 22:54 . 2008-06-01 22:54 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Roxio
2008-06-01 22:54 . 2008-06-01 22:54 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-06-01 22:53 . 2008-06-01 22:53 <DIR> d-------- C:\Program Files\InterActual
2008-06-01 22:51 . 2008-06-01 22:53 <DIR> d-------- C:\WINDOWS\system32\DLA
2008-06-01 22:51 . 2008-06-01 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-06-01 22:51 . 2006-08-08 09:18 92,920 --a------ C:\WINDOWS\DLA.EXE
2008-06-01 22:51 . 2006-08-08 09:18 56,056 --a------ C:\WINDOWS\system32\DLAAPI_W.DLL
2008-06-01 22:51 . 2006-08-01 19:46 51,800 --a------ C:\WINDOWS\system32\drivers\DRVNDDM.SYS
2008-06-01 22:51 . 2006-08-01 20:06 28,216 --a------ C:\WINDOWS\system32\drivers\DLARTL_M.SYS
2008-06-01 22:51 . 2006-08-01 20:06 12,952 --a------ C:\WINDOWS\system32\drivers\DLACDBHM.SYS
2008-06-01 22:50 . 2008-06-01 22:50 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-06-01 22:50 . 2008-06-01 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-06-01 22:49 . 2008-06-01 22:49 <DIR> d-------- C:\Program Files\Xingtone
2008-06-01 22:48 . 2008-06-01 22:49 <DIR> d-------- C:\Program Files\SightSpeed
2008-06-01 22:46 . 2008-06-01 22:51 <DIR> d-------- C:\Program Files\Roxio
2008-06-01 22:46 . 2008-06-01 22:46 <DIR> d-------- C:\Program Files\DivX
2008-06-01 22:46 . 2008-06-01 22:50 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-01 22:46 . 2008-06-01 22:47 <DIR> d-------- C:\Program Files\Common Files\SightSpeed
2008-06-01 22:46 . 2008-06-01 22:47 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-06-01 22:46 . 2008-06-01 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-06-01 22:42 . 2008-06-08 02:48 481 --a------ C:\WINDOWS\wininit.ini
2008-06-01 22:31 . 2008-06-01 22:31 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Ahead
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Program Files\Nero
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-01 22:22 . 2008-06-01 22:22 <DIR> d-------- C:\Program Files\CloneDVD
2008-06-01 22:22 . 2008-06-01 22:22 <DIR> d-------- C:\Documents and Settings\SNhem\Application Data\Vso
2008-06-01 22:22 . 2008-06-01 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVDXStudio
2008-06-01 22:22 . 2008-06-01 22:22 81,920 --a------ C:\Documents and Settings\SNhem\Application Data\ezpinst.exe
2008-06-01 22:22 . 2008-06-01 22:22 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-01 22:22 . 2008-06-01 22:22 47,360 --a------ C:\Documents and Settings\SNhem\Application Data\pcouffin.sys
2008-06-01 22:21 . 2008-06-10 03:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\VMware
2008-06-01 22:20 . 2008-06-10 03:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-06-01 22:20 . 2007-04-13 05:48 391,984 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-06-01 22:20 . 2007-04-13 05:48 142,128 --a------ C:\WINDOWS\system32\vmnat.exe
2008-06-01 22:20 . 2007-04-13 05:48 113,456 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-06-01 22:20 . 2007-04-13 05:49 22,576 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-06-01 22:18 . 2008-06-01 22:18 <DIR> d-------- C:\Program Files\VMware
2008-06-01 22:18 . 2008-06-01 22:18 <DIR> d-------- C:\Program Files\Common Files\VMware
2008-06-01 22:15 . 2008-06-01 22:15 <DIR> d-------- C:\Program Files\MagicDisc
2008-06-01 22:15 . 2008-05-27 12:11 96,896 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-06-01 22:10 . 2008-06-01 22:10 <DIR> d-------- C:\Program Files\PowerISO
2008-06-01 22:07 . 2008-06-01 22:07 <DIR> d-------- C:\Program Files\MagicISO
2008-06-01 22:07 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-01 22:07 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-01 21:46 . 2008-04-13 11:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-01 21:46 . 2008-04-13 11:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-01 21:45 . 2008-06-01 21:45 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-06-01 21:45 . 2008-06-01 21:45 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-06-01 21:44 . 2008-06-01 21:44 <DIR> d-------- C:\Program Files\HP
2008-06-01 21:44 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-06-01 21:44 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-06-01 21:44 . 2008-06-01 21:45 106,279 --a------ C:\WINDOWS\hpoins07.dat
2008-06-01 21:44 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-06-01 21:44 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-06-01 21:44 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-06-01 21:44 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-06-01 21:44 . 2005-06-21 19:19 17,505 --------- C:\WINDOWS\hpomdl07.dat
2008-06-01 21:35 . 2008-06-01 21:35 0 --a------ C:\WINDOWS\VPC32.INI
2008-06-01 21:17 . 2008-06-01 21:17 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-06-01 20:00 . 2008-06-01 20:00 <DIR> d-------- C:\Program Files\AngelPotion Video Codec V1
2008-06-01 20:00 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-01 20:00 . 2000-08-09 21:26 177,241 --a------ C:\WINDOWS\system32\APmpg4v1.apl
2008-06-01 20:00 . 2000-08-23 07:26 106,496 --a------ C:\WINDOWS\system32\APmpg4v1.dll
2008-06-01 19:59 . 2008-06-01 19:59 <DIR> d-------- C:\Program Files\SLD Codec Pack
2008-06-01 19:39 . 2008-06-01 19:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-06-01 19:36 . 2008-06-07 12:45 <DIR> d-------- C:\Program Files\WinAce
2008-06-01 19:27 . 2008-06-01 19:27 <DIR> d-------- C:\Program Files\TightVNC
2008-06-01 19:27 . 2008-06-01 19:31 <DIR> d-------- C:\Program Files\No-IP
2008-06-01 19:26 . 2008-06-01 19:26 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-01 19:26 . 2008-06-01 21:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-01 19:10 . 2007-08-21 01:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-06-01 19:09 . 2008-06-01 19:10 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2008-06-01 19:08 . 2008-06-01 19:09 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-06-01 19:05 . 2008-04-13 11:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-06-01 19:05 . 2008-04-13 11:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-06-01 19:01 . 2008-06-01 19:01 <DIR> d-------- C:\Program Files\Brownie
2008-06-01 19:01 . 2008-06-01 19:01 <DIR> d-------- C:\Program Files\Brother
2008-06-01 18:59 . 2005-04-08 00:51 606,208 --a------ C:\WINDOWS\system32\hpotscl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 00:01 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-06-01 23:59 --------- d-----w C:\Program Files\Intel
2008-06-01 23:51 --------- d-----w C:\Program Files\MSXML 4.0
2008-06-01 23:37 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-14 00:13 40,840 ------w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ------w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ------w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ------w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ------w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ------w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ------w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ------w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ------w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ------w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ------w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ------w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ------w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ------w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ------w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:17 83,072 ------w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ------w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ------w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ------w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ------w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ------w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ------w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ------w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ------w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ------w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ------w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ------w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ------w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ------w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ------w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ------w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ------w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ------w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ------w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ------w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ------w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ------w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ------w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ------w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ------w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ------w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ------w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ------w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ------w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ------w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ------w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ------w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:46 61,696 ------w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ------w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ------w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ------w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ------w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ------w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ------w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ------w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ------w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ------w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ------w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ------w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ------w C:\WINDOWS\system32\drivers\mspqm.sys
2008-04-13 18:39 4,352 ------w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 18:39 384,768 ------w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 18:39 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 18:39 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 18:39 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_17.08.26.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-08 00:06:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-10 10:31:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-14 00:11:49 125,952 -c--a-w C:\WINDOWS\system32\dllcache\apphelp.dll
+ 2008-04-14 00:11:50 32,768 -c--a-w C:\WINDOWS\system32\dllcache\ativtmxx.dll
+ 2008-04-14 00:11:52 33,792 -c--a-w C:\WINDOWS\system32\dllcache\eapsvc.dll
+ 2008-04-14 00:09:55 6,144 -c--a-w C:\WINDOWS\system32\dllcache\kbdnepr.dll
+ 2008-04-14 00:11:58 71,680 -c--a-w C:\WINDOWS\system32\dllcache\msacm32.dll
+ 2008-04-14 00:11:59 15,360 -c--a-w C:\WINDOWS\system32\dllcache\msisip.dll
+ 2008-04-14 00:12:29 42,496 -c--a-w C:\WINDOWS\system32\dllcache\net.exe
+ 2008-04-14 00:11:24 706,048 -c--a-w C:\WINDOWS\system32\dllcache\ntdll.dll
+ 2008-04-14 00:12:03 23,040 -c--a-w C:\WINDOWS\system32\dllcache\psapi.dll
+ 2008-04-14 00:12:04 64,000 -c--a-w C:\WINDOWS\system32\dllcache\samlib.dll
+ 2008-04-14 00:12:05 8,461,312 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2008-04-14 00:12:08 727,040 -c--a-w C:\WINDOWS\system32\dllcache\userenv.dll
+ 2008-04-14 00:12:45 146,432 -c--a-w C:\WINDOWS\system32\dllcache\winspool.drv
+ 2008-04-14 00:12:10 82,432 -c--a-w C:\WINDOWS\system32\dllcache\ws2_32.dll
+ 2008-04-14 00:12:10 19,968 -c--a-w C:\WINDOWS\system32\dllcache\ws2help.dll
+ 2008-04-13 18:45:38 26,368 ----a-w C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2008-06-10 10:31:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_578.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 17:12 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-27 21:22 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-27 21:21 162584]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2002-07-30 11:35 77824]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 12:01 1037736]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [2007-05-07 19:28 589824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 16:52 13524992]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 16:52 86016]

C:\Documents and Settings\SNhem\Start Menu\Programs\Startup\
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2008-06-01 19:27:37 1172992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.AP41"= APmpg4v1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2006-10-22 23:24 620152 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2007-06-27 21:17 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2006-08-14 01:07 102400 C:\Program Files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2007-02-07 16:21 54832 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-20 00:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-02-07 16:24 71216 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-07-31 09:00 1116920 C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-08-10 12:10 221184 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-06-27 21:17 16132608 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-01 20:06]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-10 03:31:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-10 3:33:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-10 10:33:38
ComboFix2.txt 2008-06-10 01:21:11
ComboFix3.txt 2008-06-08 01:10:08

Pre-Run: 56,775,528,448 bytes free
Post-Run: 56,766,619,648 bytes free

379


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:41 AM, on 6/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212376485515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 7733 bytes

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 AM

Posted 10 June 2008 - 06:02 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 pheap

pheap
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 11 June 2008 - 10:42 PM

Hi,

That seems to solve the issue I was having. So far, virtumonde.dll is no longer found on my system by Spybot's scan. Thank you for your support and patience with my replies.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 AM

Posted 12 June 2008 - 12:23 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:56 AM

Posted 17 June 2008 - 02:08 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users