07-05-2008, 04:49 AM   #1
Registered User
Join Date: Jul 2008
Posts: 9
OS: Vista 32


Virtumonde attack

Hey, I've been hit by the Virtumonde trojan and am getting spammed by ads and pop-ups all the time. All efforts with Spybot, Ad-Aware, SpywareBlaster etc. have been futile; they say they remove it, but every time I scan again, there it is...
Hope you can help me, thanks!

My logs!

Deckard's System Scanner v20071014.68
Run by Marc on 2008-07-05 13:24:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
14: 2008-07-04 19:48:45 UTC - RP156 - Windows Defender Checkpoint
13: 2008-07-04 18:15:37 UTC - RP154 - Windows Defender Checkpoint
12: 2008-07-04 17:14:13 UTC - RP152 - Ad-Aware Restore Point 2008-07-04 19:14:12
11: 2008-07-04 15:57:20 UTC - RP150 - Installed Ad-Aware
10: 2008-07-04 15:38:38 UTC - RP149 - Windows Defender Checkpoint


-- First Restore Point --
1: 2008-07-03 13:07:34 UTC - RP137 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 13:26:16
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Windows\System32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\microsoft shared\Windows Live\WLLoginProxy.exe
C:\Users\Marc\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer leveret af Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.dk/ig/dell?hl=da&c...dk&ibd=1080410
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {29906A7F-18D2-4251-B995-37D075250B60} - C:\Windows\System32\khfgGVLD.dll
O2 - BHO: (no name) - {4267713B-641A-44FE-A803-3AFAE866C989} - C:\Windows\system32\cbXQhHXr.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {848BDA22-3C5B-4262-A1F0-19C8244902A1} - C:\Windows\system32\tUlMFXpM.dll (file missing)
O2 - BHO: {536a853f-b94e-81bb-b034-e1f65b212fd8} - {8df212b5-6f1e-430b-bb18-e49bf358a635} - C:\Windows\System32\frpube.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {EDECCBDA-F402-404C-BC2D-7237C65647D0} - C:\Windows\System32\gnecpeff.dll
O2 - BHO: (no name) - {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} - C:\Windows\System32\tuVOFyYR.dll
O2 - BHO: (no name) - {F28C4846-9BF8-4F5E-8D03-759D626CD1C6} - C:\Users\Marc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUVK8JY6\3077ahntdksr[1].dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Bluetooth HCI Monitor] RunDll32 HCIMNTR.DLL,RunCheckHCIMode
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\tuVOFyYR.dll,#1
O4 - HKLM\..\Run: [3055abef] rundll32.exe "C:\Windows\system32\fmnvndbq.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Send billede til &Bluetooth-enhed... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send siden til &Bluetooth-enhed... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/res.../wlscctrl2.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\System32\PnkBstrB.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\stacsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


--
End of file - 12283 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service (Bonjour-tjeneste) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S2 SessionLauncher - c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-01 01:00:00 348 --a------ C:\Windows\Tasks\McQcTask.job
2008-06-15 01:00:00 360 --a------ C:\Windows\Tasks\McDefragTask.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-04 22:44:19 0 d-------- C:\ie-spyad_zo
2008-07-04 22:41:35 118784 --a------ C:\Windows\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-07-04 22:41:35 0 d-------- C:\Program Files\SpywareBlaster
2008-07-04 22:37:32 0 d-------- C:\Program Files\Panda Security
2008-07-04 22:29:01 103424 --a------ C:\Windows\system32\rplqdpox.dll
2008-07-04 22:29:01 103424 --a------ C:\Windows\system32\frpube.dll
2008-07-04 22:29:01 78848 --a------ C:\Windows\system32\fmnvndbq.dll
2008-07-04 22:25:18 0 d-------- C:\Program Files\Enigma Software Group
2008-07-04 22:11:52 78848 -----n--- C:\Windows\system32\nerfoohs.dll
2008-07-04 22:11:50 48640 --a------ C:\Windows\system32\gnecpeff.dll
2008-07-04 22:09:31 103424 --a------ C:\Windows\system32\tnhombdy.dll
2008-07-04 22:09:31 103424 --a------ C:\Windows\system32\lutsho.dll
2008-07-04 22:08:49 420575 --ahs---- C:\Windows\system32\DLVGgfhk.ini2
2008-07-04 22:08:48 319488 -----n--- C:\Windows\system32\khfgGVLD.dll
2008-07-04 21:47:18 59904 --a------ C:\Windows\system32\tuVOFyYR.dll
2008-07-04 21:01:47 0 d-------- C:\327882R2FWJFW
2008-07-04 20:45:05 545 --a------ C:\Windows\UC.PIF
2008-07-04 20:45:05 545 --a------ C:\Windows\RAR.PIF
2008-07-04 20:45:05 545 --a------ C:\Windows\PKZIP.PIF
2008-07-04 20:45:05 545 --a------ C:\Windows\PKUNZIP.PIF
2008-07-04 20:45:05 545 --a------ C:\Windows\NOCLOSE.PIF
2008-07-04 20:45:05 545 --a------ C:\Windows\LHA.PIF
2008-07-04 20:45:05 545 --a------ C:\Windows\ARJ.PIF
2008-07-04 20:45:04 0 d-------- C:\totalcmd
2008-07-04 20:21:32 345 --ahs---- C:\Windows\system32\MpXFMlUt.ini2
2008-07-04 17:59:00 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-04 17:57:34 0 d-------- C:\Program Files\Lavasoft
2008-07-04 17:57:33 0 d-------- C:\Users\All Users\Lavasoft
2008-07-04 17:56:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 17:24:41 81920 -----n--- C:\Windows\system32\llnwxfho.dll
2008-07-04 17:22:03 102912 --a------ C:\Windows\system32\hhdnkf.dll
2008-07-04 17:22:03 102912 --a------ C:\Windows\system32\fatlqjpm.dll
2008-07-04 10:49:10 0 d-------- C:\Users\All Users\Locktime
2008-07-04 10:19:41 102912 --a------ C:\Windows\system32\uxrumggg.dll
2008-07-04 10:19:41 102912 --a------ C:\Windows\system32\twpptz.dll
2008-07-04 10:16:41 447736 --ahs---- C:\Windows\system32\mVGiiPXx.ini2
2008-07-03 1503 52777 --ahs---- C:\Windows\system32\rXHhQXbc.ini2
2008-07-03 15:01:05 0 d-------- C:\Program Files\Sony Setup
2008-06-27 00:27:41 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-23 16:20:48 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-18 20:33:13 0 d-------- C:\Program Files\Common Files\BioWare
2008-06-18 20:23:52 0 d-------- C:\Program Files\Mass Effect
2008-06-17 23:36:07 0 d-------- C:\Program Files\DivX
2008-06-13 03:50:52 0 d-------- C:\Program Files\Ubisoft
2008-06-11 13:42:09 0 d-a------ C:\Users\All Users\TEMP
2008-06-11 13:42:08 0 d-------- C:\Fraps
2008-06-05 03:48:51 0 d-------- C:\Program Files\CAPCOM
2008-06-05 03:47:51 0 d-------- C:\Windows\system32\xlive


-- Find3M Report ---------------------------------------------------------------

2008-07-05 13:27:24 0 d-------- C:\Users\Marc\AppData\Roaming\uTorrent
2008-07-05 13:26:20 0 d-------- C:\Users\Marc\AppData\Roaming\Skype
2008-07-05 08:07:43 0 d-------- C:\Users\Marc\AppData\Roaming\skypePM
2008-07-04 21:26:21 493676 --a------ C:\Windows\system32\perfh006.dat
2008-07-04 21:26:21 84670 --a------ C:\Windows\system32\perfc006.dat
2008-07-04 20:45:04 0 d-------- C:\Users\Marc\AppData\Roaming\GHISLER
2008-07-04 19:42:53 4219 --a------ C:\Windows\bthservsdp.dat
2008-07-04 17:56:58 0 d-------- C:\Program Files\Common Files
2008-07-04 10:50:22 0 d-------- C:\Users\Marc\AppData\Roaming\Locktime
2008-07-03 17:13:43 0 d-------- C:\Users\Marc\AppData\Roaming\DivX
2008-07-03 15:12:36 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-24 07:31:20 0 d-------- C:\Users\Marc\AppData\Roaming\dvdcss
2008-06-20 18:57:15 0 d-------- C:\Program Files\McAfee
2008-06-17 23:36:13 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-06-10 03:32:10 0 d-------- C:\Program Files\Windows Mail
2008-05-30 19:22:22 3596288 --a------ C:\Windows\system32\qt-dx331.dll
2008-05-30 19:18:56 196608 --a------ C:\Windows\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 19:18:56 81920 --a------ C:\Windows\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 19:18:50 823296 --a------ C:\Windows\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:18:48 802816 --a------ C:\Windows\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-30 19:18:48 823296 --a------ C:\Windows\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:18:48 815104 --a------ C:\Windows\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:18:48 683520 --a------ C:\Windows\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 19:18:00 12288 --a------ C:\Windows\system32\DivXWMPExtType.dll
2008-05-28 22:19:37 0 d-------- C:\Users\Marc\AppData\Roaming\Command & Conquer 3 Tiberium Wars
2008-05-21 15:41:34 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-19 13:56:09 0 d-------- C:\Program Files\Common Files\Logitech
2008-05-10 20:18:06 0 d-------- C:\Users\Marc\AppData\Roaming\GetRightToGo
2008-05-10 20:17:42 0 d-------- C:\Users\Marc\AppData\Roaming\Turbine
2008-05-10 19:46:29 0 d-------- C:\Program Files\Turbine
2008-05-07 03:22:20 0 d-------- C:\Users\Marc\AppData\Roaming\Roxio
2008-05-07 03:18:49 0 d-------- C:\Program Files\Philips ToUcam Camera
2008-05-06 18:51:38 0 d-------- C:\Program Files\Ulead Systems
2008-05-06 18:51:24 0 d-------- C:\Program Files\VideoLink Mail
2008-05-06 18:51:18 0 d-------- C:\Program Files\Common Files\Smith Micro Shared
2008-04-25 03:34:15 0 -rahs---- C:\MSDOS.SYS
2008-04-25 03:34:15 0 -rahs---- C:\IO.SYS
2008-04-17 10:45:47 2337865 --a------ C:\Windows\system32\pbsvc.exe
2008-04-16 22:44:29 0 --a------ C:\Windows\nsreg.dat
2008-04-10 08:34:14 216164 --a------ C:\Windows\system32\REBOOT=ReallySuppress
2008-04-10 08:23:01 174 --ahs---- C:\Program Files\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{29906A7F-18D2-4251-B995-37D075250B60}]
04-07-2008 22:08 319488 --------- C:\Windows\system32\khfgGVLD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4267713B-641A-44FE-A803-3AFAE866C989}]
C:\Windows\system32\cbXQhHXr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{848BDA22-3C5B-4262-A1F0-19C8244902A1}]
C:\Windows\system32\tUlMFXpM.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8df212b5-6f1e-430b-bb18-e49bf358a635}]
04-07-2008 22:29 103424 --a------ C:\Windows\system32\frpube.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDECCBDA-F402-404C-BC2D-7237C65647D0}]
04-07-2008 22:11 48640 --a------ C:\Windows\system32\gnecpeff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}]
03-07-2008 15:00 59904 --a------ C:\Windows\system32\tuVOFyYR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F28C4846-9BF8-4F5E-8D03-759D626CD1C6}]
04-07-2008 22:16 88576 --a------ C:\Users\Marc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUVK8JY6\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10-04-2008 16:06]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [08-12-2006 01:50 C:\Windows\System32\HCIMNTR.DLL]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [12-09-2007 10:40]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [10-04-2008 08:30]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [03-10-2007 16:44]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [10-04-2008 08:37]
"@"="" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [14-12-2007 15:25]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03-08-2007 23:33]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [11-04-2007 15:32 C:\Windows\KHALMNPR.Exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [12-01-2007 03:09]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [12-01-2007 03:12]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12-12-2007 01:06]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12-12-2007 01:06]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12-12-2007 01:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28-03-2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30-03-2008 10:36]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11-01-2008 22:16]
"MSServer"="C:\Windows\system32\tuVOFyYR.dll" [03-07-2008 15:00]
"3055abef"="C:\Windows\system32\fmnvndbq.dll" [04-07-2008 22:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18-10-2007 11:34]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02-11-2006 14:35]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [01-04-2008 11:39]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [06-02-2008 18:21]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [02-11-2006 14:36]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [13-02-2007 12:43:38]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [16-04-2008 19:44:03]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [19-05-2008 13:56:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}"= C:\Windows\system32\tuVOFyYR.dll [03-07-2008 15:00 59904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\Windows\system32\khfgGVLD

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f05411d-0c58-11dd-8188-001e4ce63655}]
AutoRun\command- K:\autorun.exe -auto


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8772 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-05 13:27:57 ------------

The extra log.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: Other (0406) - see http://preview.tinyurl.com/mhhp6

CPU 0: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 3325.14 MiB / 1596.32 MiB
Pagefile Memory (total/avail): 6823.72 MiB / 5108.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1885.5 MiB

C: is Fixed (NTFS) - 581.12 GiB total, 241 GiB free.
D: is Fixed (NTFS) - 15 GiB total, 10.82 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (FAT)
J: is Removable (FAT)
K: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ARRAY - 596.18 GiB - 3 partitions
\PARTITION0 - Unknown - 62.72 MiB
\PARTITION1 - Installable File System - 15 GiB - D:
\PARTITION2 (bootable) - Installable File System - 581.12 GiB - C:

\\.\PHYSICALDRIVE1 - DELL USB HS-CF Card USB Device

\\.\PHYSICALDRIVE3 - DELL USB HS-MS Card USB Device - 957 MiB - 1 partition
\PARTITION0 (bootable) - MS-DOS V4 Huge - 956.95 MiB - I:

\\.\PHYSICALDRIVE4 - DELL USB HS-SD Card USB Device - 486.34 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 489.89 MiB - J:

\\.\PHYSICALDRIVE2 - DELL USB HS-xD/SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee) Outdated
AS: McAfee VirusScan v (McAfee)
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Marc\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MARC-PC
ComSpec=C:\Windows\system32\cmd.exe
EMC_AUTOPLAY=C:\Program Files\Common Files\Roxio Shared\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Marc
LOCALAPPDATA=C:\Users\Marc\AppData\Local
LOGONSERVER=\\MARC-PC
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Marc\AppData\Local\Temp
TMP=C:\Users\Marc\AppData\Local\Temp
USERDOMAIN=Marc-PC
USERNAME=Marc
USERPROFILE=C:\Users\Marc
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Marc (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
648 opskrifter fra Karolines Køkken --> C:\Windows\IsUn0406.exe -f"C:\Program Files\Karolines\Uninst.isu"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Browser Address Error Redirector --> MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
CDDRV_Installer --> MsiExec.exe /I{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}
Command & Conquer 3 --> MsiExec.exe /I{DDEDAF6C-488E-4CDA-8276-1CCF5F3C5C32}
DirectXInstallService --> MsiExec.exe /X{098122AB-C605-4853-B441-C0A4EB359B75}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Hauppauge MCE XP/Vista Software Encoder (2.0.25296) --> C:\PROGRA~1\WinTV\UNSftMCE.EXE C:\PROGRA~1\WinTV\softMCE.LOG
Hauppauge TV Tuner Driver --> MsiExec.exe /I{AF094932-91E6-4EF8-8AB8-1C7226DFEECB}
Intel(R) Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exe
Intel(R) PRO Network Connections 12.1.12.4 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Intel(R) PRO Network Connections 12.1.12.4 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
KhalInstallWrapper --> MsiExec.exe /I{56918C0C-0D87-4CA6-92BF-4975A43AC719}
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0406-0000-0000000FF1CE}
Logitech Communications Manager --> MsiExec.exe /I{BD202930-5F70-4B35-B875-1E28604F328D}
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\SETUP.EXE" -l0x6 UNINSTALL
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe -runfromtemp -l0x0006 -removeonly
LOST PLANET COLONIES --> MsiExec.exe /X{6FCFA783-CE7B-4018-AC48-0E6EEAAEA322}
Mass Effect --> C:\Program Files\Common Files\BioWare\Uninstall Mass Effect.exe
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB929729) --> "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M929729\M929729Uninstall.msp"
Microsoft Games for Windows - LIVE Redistributable --> MsiExec.exe /X{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}
Microsoft Office PowerPoint Viewer 2007 (Danish) --> MsiExec.exe /X{95120000-00AF-0406-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{B238D61F-3EEF-4716-BFEA-9903DEF045D9}
Mozilla Firefox (2.0.0.15) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PunkBuster Services --> C:\Windows\system32\pbsvc.exe -u
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Roxio Activation Module --> MsiExec.exe /I{EC877639-07AB-495C-BFD1-D63AF9140810}
Roxio CinePlayer Decoder Pack --> MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
Roxio Creator Audio --> MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy --> MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data --> MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator Premier --> C:\ProgramData\Uninstall\{469EF13B-4AD0-48D7-AF89-6B92278293E2}\setup.exe /x {469EF13B-4AD0-48D7-AF89-6B92278293E2}
Roxio Creator Premier --> MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Premier 10 --> MsiExec.exe /I{3FB3647F-B6A6-46B4-8613-A09BCFAB80F0}
Roxio Creator Tools --> MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler --> MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
THE SETTLERS - Rise of an Empire --> "C:\Program Files\InstallShield Installation Information\{D3F80A98-05AB-4D8C-9272-766CCFA6A48D}\setup.exe" -runfromtemp -l0x0009 -removeonly
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Total Commander (Remove or Repair) --> c:\totalcmd\tcuninst.exe
Ulead Photo Explorer 6.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0194539-8118-4FD7-8ABA-912B2D479B48}\setup.exe"
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VideoLink Mail --> C:\PROGRA~1\VIDEOL~1\UNWISE.EXE C:\PROGRA~1\VIDEOL~1\INSTALL.LOG
WIDCOMM Bluetooth Software 6.0.1.4300 --> MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
Windows Live installer --> MsiExec.exe /X{38092A00-F9C8-420F-B5CB-C56F89F94B12}
Windows Live Mail --> MsiExec.exe /I{0F44ED57-F95F-471B-AF59-83CDA45F0C96}
Windows Live Messenger --> MsiExec.exe /X{1EDF0646-14CE-46FE-8785-9E12E29686DF}
Windows Live OneCare safety scanner --> "C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
WowAceUpdater --> rundll32.exe dfshim.dll,ShArpMaintain WowAceUpdater.application, Culture=neutral, PublicKeyToken=4d89fb8d52541cc9, processorArchitecture=msil
XPS MiniView Gadget --> MsiExec.exe /I{A73BDB2A-E4A7-4FE8-960E-6A5C8BF76FCB}


-- Application Event Log -------------------------------------------------------

Event Record #/Type7379 / Error
Event Submitted/Written: 07/05/2008 06:07:25 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.62306, time stamp 0x485fa92b, faulting module ole32.dll, version 6.0.6000.16386, time stamp 0x4549bd92, exception code 0xc0000005, fault offset 0x0004101f,
process id 0x1154, application start time 0xfirefox.exe0.

Event Record #/Type7362 / Error
Event Submitted/Written: 07/04/2008 10:36:33 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module fmnvndbq.dll, version 0.0.0.0, time stamp 0x35003e26, exception code 0xc0000005, fault offset 0x000013ac,
process id 0xf94, application start time 0xexplorer.exe0.

Event Record #/Type7361 / Error
Event Submitted/Written: 07/04/2008 10:31:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
The program explorer.exe version 6.0.6000.16549 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 10b4
Start Time: 01c8de110f93984f
Termination Time: 8

Event Record #/Type7358 / Error
Event Submitted/Written: 07/04/2008 10:26:57 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application SpyHunter3.exe, version 1.0.30.0, time stamp 0x485a63a2, faulting module Secur32.dll, version 6.0.6000.16386, time stamp 0x4549bdd2, exception code 0xc0000005, fault offset 0x000021f4,
process id 0xf8c, application start time 0xSpyHunter3.exe0.

Event Record #/Type7356 / Error
Event Submitted/Written: 07/04/2008 10:25:24 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application SpyHunter3.exe, version 1.0.30.0, time stamp 0x485a63a2, faulting module Secur32.dll, version 6.0.6000.16386, time stamp 0x4549bdd2, exception code 0xc0000005, fault offset 0x000021f4,
process id 0x9cc, application start time 0xSpyHunter3.exe0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type22851 / Warning
Event Submitted/Written: 07/05/2008 01:27:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Marc-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Marc-PC27 can't undo changes that you allow.

For more information please see the following:
%Marc-PC275

Scan ID: {5BB4966E-0E2D-4CD9-873D-E48DAF3B5872}

User: Marc-PC\Marc

Name: %Marc-PC271

ID: %Marc-PC272

Severity ID: %Marc-PC273

Category ID: %Marc-PC274

Path Found: %Marc-PC276

Alert Type: %Marc-PC278

Detection Type: 1.1.1505.02

Event Record #/Type22850 / Warning
Event Submitted/Written: 07/05/2008 01:27:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Marc-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Marc-PC27 can't undo changes that you allow.

For more information please see the following:
%Marc-PC275

Scan ID: {6FF48DCB-F66E-4ABD-8E66-A36396D2EE63}

User: Marc-PC\Marc

Name: %Marc-PC271

ID: %Marc-PC272

Severity ID: %Marc-PC273

Category ID: %Marc-PC274

Path Found: %Marc-PC276

Alert Type: %Marc-PC278

Detection Type: 1.1.1505.02

Event Record #/Type22849 / Warning
Event Submitted/Written: 07/05/2008 01:27:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Marc-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Marc-PC27 can't undo changes that you allow.

For more information please see the following:
%Marc-PC275

Scan ID: {1E501816-633D-42AF-A01B-EAD4E2F5F143}

User: Marc-PC\Marc

Name: %Marc-PC271

ID: %Marc-PC272

Severity ID: %Marc-PC273

Category ID: %Marc-PC274

Path Found: %Marc-PC276

Alert Type: %Marc-PC278

Detection Type: 1.1.1505.02

Event Record #/Type22848 / Warning
Event Submitted/Written: 07/05/2008 01:27:01 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Marc-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Marc-PC27 can't undo changes that you allow.

For more information please see the following:
%Marc-PC275

Scan ID: {4E6E48B3-3439-4280-B9DE-80E20845AA03}

User: Marc-PC\Marc

Name: %Marc-PC271

ID: %Marc-PC272

Severity ID: %Marc-PC273

Category ID: %Marc-PC274

Path Found: %Marc-PC276

Alert Type: %Marc-PC278

Detection Type: 1.1.1505.02

Event Record #/Type22847 / Warning
Event Submitted/Written: 07/05/2008 01:26:58 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Marc-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Marc-PC27 can't undo changes that you allow.

For more information please see the following:
%Marc-PC275

Scan ID: {3764D8C8-C926-4D50-BE09-73D90CEB1E12}

User: Marc-PC\Marc

Name: %Marc-PC271

ID: %Marc-PC272

Severity ID: %Marc-PC273

Category ID: %Marc-PC274

Path Found: %Marc-PC276

Alert Type: %Marc-PC278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-07-05 13:27:57 ------------
Telkov is offline  
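Two things in the log above are worth pulling out mechanically rather than by eye: the explorer.exe crash whose faulting module is an eight-letter DLL with version 0.0.0.0 (fmnvndbq.dll), and the Security Center lines showing the host firewall off, the AV outdated, and (further down the thread, in the ComboFix output) UAC disabled via EnableLUA=0 alongside dozens of random-named system32 DLLs paired with .ini files whose names are the DLL name spelled backwards (khfgGVLD.dll / DLVGgfhk.ini). The script below is an added triage example; it is not part of any post in this thread and not code from Deckard's System Scanner, ComboFix, HijackThis or the forum's helpers. The regex, the allow-list, the "random-looking name" vowel heuristic and the reversed-name pairing rule are all assumptions drawn from what this page shows, and the sample inputs are constructed to mirror the log (the event text uses the English rendering of the Danish messages).

```python
"""Triage a Deckard/ComboFix-style log for the Vundo/Virtumonde traits seen in
this thread.  Added example; not code from the thread, Deckard, ComboFix or
HijackThis.  All three checks are heuristics (assumptions):
  1. event 1000 records whose faulting module is a letter-only, vowel-poor
     6-8 char name with version 0.0.0.0 (fmnvndbq.dll on the page);
  2. a DLL whose base name, reversed, exists as an .ini/.ini2 file
     (khfgGVLD.dll / DLVGgfhk.ini in the ComboFix deletions);
  3. posture strings that mean the host was defending itself poorly.
"""
import re

# English form of Vista's event 1000 (the page shows the Danish localisation
# with the same field order).  Assumed regex.
EVENT_1000 = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<appver>[\d.]+),.*?"
    r"faulting module (?P<mod>[^,]+), version (?P<modver>[\d.]+)",
    re.IGNORECASE | re.DOTALL,
)

# Assumed allow-list; the legitimate modules named by crashes on this page.
KNOWN_GOOD = {"ole32.dll", "secur32.dll", "ntdll.dll", "kernel32.dll"}

# Strings exactly as Deckard / ComboFix print them in this thread.
WEAK_POSTURE = [
    ("Windows Internal Firewall is disabled", "host firewall off"),
    ("Outdated", "anti-virus signatures outdated"),
    ('"EnableLUA"= 0', "UAC disabled (EnableLUA=0)"),
]


def parse_event_log(text):
    """One dict (app, appver, mod, modver) per event-1000 record in the block."""
    events = []
    for chunk in text.split("Event Record #")[1:]:
        m = EVENT_1000.search(chunk)
        if m:
            events.append(m.groupdict())
    return events


def looks_random(stem):
    """Heuristic: 6-8 letters, no digits, under 40% vowels (e.g. fmnvndbq)."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(stem) < 0.4


def suspicious_faulting_modules(events):
    """Modules that crashed a host process yet carry no version resource."""
    hits = []
    for ev in events:
        mod = ev["mod"].strip()
        if (ev["modver"] == "0.0.0.0" and mod.lower() not in KNOWN_GOOD
                and looks_random(mod.split(".")[0])):
            hits.append(mod)
    return hits


def reversed_ini_pairs(paths):
    """(dll, ini) pairs where the ini's base name is the dll's base name reversed."""
    names = [p.replace("\\", "/").rsplit("/", 1)[-1] for p in paths]
    ini_by_stem = {}
    for n in names:
        stem, _, ext = n.partition(".")
        if ext.lower().startswith("ini"):          # .ini and .ini2
            ini_by_stem.setdefault(stem.lower(), []).append(n)
    pairs = []
    for n in names:
        stem, _, ext = n.partition(".")
        if ext.lower().startswith("dll"):          # .dll and .dll_old
            for ini in ini_by_stem.get(stem[::-1].lower(), []):
                pairs.append((n, ini))
    return pairs


def weak_posture(text):
    """Readable findings for each weak-settings string present in the text."""
    return [label for needle, label in WEAK_POSTURE if needle in text]


# Constructed samples mirroring the page (English event text).
SAMPLE_EVENTS = """\
Event Record #/Type7379 / Error
Event ID/Source: 1000 / Application Error
Faulting application firefox.exe, version 1.8.20080.62306, time stamp 0x485fa92b, faulting module ole32.dll, version 6.0.6000.16386, time stamp 0x4549bd92, exception code 0xc0000005, fault offset 0x0004101f,
process id 0x1154, application start time 0xfirefox.exe0.

Event Record #/Type7362 / Error
Event ID/Source: 1000 / Application Error
Faulting application explorer.exe, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module fmnvndbq.dll, version 0.0.0.0, time stamp 0x35003e26, exception code 0xc0000005, fault offset 0x000013ac,
process id 0xf94, application start time 0xexplorer.exe0.
"""
SAMPLE_FILES = [  # subset of the ComboFix "Other Deletions" list in this thread
    r"C:\Windows\system32\byXOhFur.dll", r"C:\Windows\System32\DLVGgfhk.ini",
    r"C:\Windows\System32\DLVGgfhk.ini2", r"C:\Windows\system32\frpube.dll",
    r"C:\Windows\system32\khfgGVLD.dll", r"C:\Windows\system32\MpXFMlUt.ini",
    r"C:\Windows\System32\tUlMFXpM.dll_old", r"C:\Windows\System32\ole32.dll",
]
SAMPLE_POSTURE = 'Windows Internal Firewall is disabled.\nAV: McAfee VirusScan v (McAfee) Outdated\n"EnableLUA"= 0 (0x0)\n'

if __name__ == "__main__":
    print("faulting modules:", suspicious_faulting_modules(parse_event_log(SAMPLE_EVENTS)))
    print("reversed-name pairs:", reversed_ini_pairs(SAMPLE_FILES))
    print("posture:", weak_posture(SAMPLE_POSTURE))
```

The reversed-name check is the one that scales: feed it a directory listing of system32 (or ComboFix's "Files Created" block) and every Vundo companion pair falls out regardless of how the names were randomised, whereas the vowel heuristic will miss some names and needs the allow-list to avoid flagging short legitimate DLLs.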
Old 07-08-2008, 07:00 PM   #2 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Vista 32


Re: Virtumonde attack

bump!
Telkov is offline  
Old 07-08-2008, 11:37 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 19,091
OS: WinXP and Vista


Re: Virtumonde attack

Hello Telkov and welcome,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We'll begin with ComboFix.exe. Please download it from here and save it directly to your desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are unsure how to do this, please see this link http://www.bleepingcomputer.com/forums/topic114351.html

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 07-09-2008, 01:13 AM   #4 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 9
OS: Vista 32


Re: Virtumonde attack

Hey and thanks for the response :)

Had a little trouble disabling McAfee antivirus...

But here goes...

ComboFix 08-07-07.3 - Marc 2008-07-09 10:01:04.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1030.18.2036 [GMT 2:00]
Running from: C:\Users\Marc\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\byXOhFur.dll
C:\Windows\system32\djkkbsxx.ini
C:\Windows\System32\DLVGgfhk.ini
C:\Windows\System32\DLVGgfhk.ini2
C:\Windows\system32\dnnqvexh.dll
C:\Windows\system32\dvjdbymx.dll
C:\Windows\system32\fatlqjpm.dll
C:\Windows\system32\frpube.dll
C:\Windows\system32\fwlwvojg.ini
C:\Windows\system32\gjajop.dll
C:\Windows\system32\gnecpeff.dll
C:\Windows\system32\hhdnkf.dll
C:\Windows\system32\hwfqpnwf.dll
C:\Windows\System32\hxevqnnd.ini
C:\Windows\system32\ifwbbeki.dll
C:\Windows\system32\isrhojqg.dll
C:\Windows\system32\jovtsadc.ini
C:\Windows\system32\khfgGVLD.dll
C:\Windows\system32\klodytxk.ini
C:\Windows\system32\lkjfocyq.ini
C:\Windows\system32\llnwxfho.dll
C:\Windows\system32\lutsho.dll
C:\Windows\system32\meeftwho.dll
C:\Windows\system32\MpXFMlUt.ini
C:\Windows\System32\MpXFMlUt.ini2
C:\Windows\System32\mVGiiPXx.ini
C:\Windows\System32\mVGiiPXx.ini2
C:\Windows\system32\nerfoohs.dll
C:\Windows\System32\ohfxwnll.ini
C:\Windows\system32\ohwtfeem.ini
C:\Windows\system32\olxeycuv.ini
C:\Windows\system32\oskqbnpr.dll
C:\Windows\system32\otlltasr.dll
C:\Windows\system32\pwbnbi.dll
C:\Windows\system32\qbdnvnmf.ini
C:\Windows\system32\rplqdpox.dll
C:\Windows\system32\rsatllto.ini
C:\Windows\system32\rXHhQXbc.ini
C:\Windows\System32\rXHhQXbc.ini2
C:\Windows\System32\shoofren.ini
C:\Windows\system32\smcpnsnw.dll
C:\Windows\system32\tnhombdy.dll
C:\Windows\system32\twpptz.dll
C:\Windows\system32\uxrumggg.dll
C:\Windows\system32\vlcdst.dll
C:\Windows\system32\vwfdny.dll
C:\Windows\System32\wftnipbx.ini
C:\Windows\system32\xbpintfw.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-09 03:25 . 2008-07-09 03:25 <DIR> d-------- C:\Program Files\ffdshow
2008-07-09 03:25 . 2008-06-08 23:58 60,273 --a------ C:\Windows\System32\pthreadGC2.dll
2008-07-09 03:25 . 2007-06-03 14:31 10,752 --a------ C:\Windows\System32\ff_vfw.dll
2008-07-09 03:25 . 2007-06-03 14:31 6,144 --a------ C:\Windows\System32\ff_acm.acm
2008-07-09 03:25 . 2006-12-10 23:32 547 --a------ C:\Windows\System32\ff_vfw.dll.manifest
2008-07-09 03:11 . 2008-07-09 03:11 <DIR> d-------- C:\Program Files\Haali
2008-07-05 13:23 . 2008-07-05 13:23 <DIR> d-------- C:\Deckard
2008-07-04 22:44 . 2008-07-04 22:44 <DIR> d-------- C:\ie-spyad_zo
2008-07-04 22:41 . 2008-07-04 22:41 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-04 22:41 . 2005-08-25 19:18 118,784 --a------ C:\Windows\System32\MSSTDFMT.DLL
2008-07-04 22:38 . 2008-06-19 17:24 28,544 --a------ C:\Windows\System32\drivers\pavboot.sys
2008-07-04 22:37 . 2008-07-04 22:37 <DIR> d-------- C:\Program Files\Panda Security
2008-07-04 22:25 . 2008-07-04 22:36 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-04 20:45 . 2008-07-04 20:45 <DIR> d-------- C:\Users\Marc\AppData\Roaming\GHISLER
2008-07-04 20:45 . 2008-07-04 20:45 <DIR> d-------- C:\totalcmd
2008-07-04 20:45 . 2008-04-22 07:03 545 --a------ C:\Windows\UC.PIF
2008-07-04 20:45 . 2008-04-22 07:03 545 --a------ C:\Windows\RAR.PIF
2008-07-04 20:45 . 2008-04-22 07:03 545 --a------ C:\Windows\PKZIP.PIF
2008-07-04 20:45 . 2008-04-22 07:03 545 --a------ C:\Windows\PKUNZIP.PIF
2008-07-04 20:45 . 2008-04-22 07:03 545 --a------ C:\Windows\NOCLOSE.PIF
2008-07-04 20:45 . 2008-04-22 07:03 545 --a------ C:\Windows\LHA.PIF
2008-07-04 20:45 . 2008-04-22 07:03 545 --a------ C:\Windows\ARJ.PIF
2008-07-04 20:21 . 2008-07-04 20:21 319,488 --a------ C:\Windows\System32\tUlMFXpM.dll_old
2008-07-04 19:40 . 2008-07-04 20:40 269 --a------ C:\Windows\wininit.ini
2008-07-04 17:59 . 2008-07-04 20:14 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-04 17:59 . 2008-07-04 20:14 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-07-04 17:59 . 2008-07-04 17:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-04 17:57 . 2008-07-04 17:58 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-07-04 17:57 . 2008-07-04 17:58 <DIR> d-------- C:\ProgramData\Lavasoft
2008-07-04 17:57 . 2008-07-04 17:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-04 17:56 . 2008-07-04 17:56 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 10:50 . 2008-07-04 10:50 <DIR> d-------- C:\Users\Marc\AppData\Roaming\Locktime
2008-07-04 10:49 . 2008-07-04 10:49 <DIR> d-------- C:\Users\All Users\Locktime
2008-07-04 10:49 . 2008-07-04 10:49 <DIR> d-------- C:\ProgramData\Locktime
2008-07-03 17:13 . 2008-07-03 17:13 <DIR> d-------- C:\Users\Marc\AppData\Roaming\DivX
2008-07-03 15:01 . 2008-07-03 15:31 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-28 00:39 . 2008-06-29 02:19 <DIR> d-------- C:\Users\Public\I.Love.***.Cheeks.2.XXX.DVDRiP.XviD-DivXfacTory
2008-06-27 00:27 . 2008-06-27 00:31 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-24 07:31 . 2008-06-24 07:31 <DIR> d-------- C:\Users\Marc\AppData\Roaming\dvdcss
2008-06-23 16:20 . 2008-06-23 16:21 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-06-18 20:33 . 2008-06-18 20:33 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-06-18 20:23 . 2008-06-18 20:35 <DIR> d-------- C:\Program Files\Mass Effect
2008-06-17 23:36 . 2008-06-17 23:36 <DIR> d-------- C:\Program Files\DivX
2008-06-13 12:38 . 2008-04-23 07:11 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-06-13 12:38 . 2008-04-23 06:27 428,032 --a------ C:\Windows\System32\EncDec.dll
2008-06-13 12:38 . 2008-04-23 07:12 292,352 --a------ C:\Windows\System32\psisdecd.dll
2008-06-13 12:38 . 2008-04-23 07:12 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-13 12:38 . 2008-04-23 07:12 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-13 12:38 . 2008-04-23 07:11 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-13 12:38 . 2008-04-23 07:11 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-13 03:52 . 2008-06-13 03:52 278,728 --a------ C:\Windows\System32\drivers\atksgt.sys
2008-06-13 03:52 . 2008-06-13 03:52 25,416 --a------ C:\Windows\System32\drivers\lirsgt.sys
2008-06-13 03:50 . 2008-06-13 03:50 <DIR> d-------- C:\Program Files\Ubisoft
2008-06-11 13:42 . 2008-07-08 23:39 <DIR> d-a------ C:\Users\All Users\TEMP
2008-06-11 13:42 . 2008-07-08 23:39 <DIR> d-a------ C:\ProgramData\TEMP
2008-06-11 13:42 . 2008-07-08 21:08 <DIR> d-------- C:\Fraps
2008-06-10 00:46 . 2008-04-25 06:22 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 08:07 --------- d-----w C:\Users\Marc\AppData\Roaming\skypePM
2008-07-09 08:07 --------- d-----w C:\Users\Marc\AppData\Roaming\Skype
2008-07-09 07:45 --------- d-----w C:\Users\Marc\AppData\Roaming\uTorrent
2008-07-09 01:11 --------- d-----w C:\Program Files\Haali
2008-07-05 12:33 --------- d-----w C:\Program Files\Karolines
2008-07-03 13:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 13:08 --------- d-----w C:\ProgramData\Media Center Programs
2008-06-20 16:57 --------- d-----w C:\Program Files\McAfee
2008-06-17 21:36 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-06-10 01:32 --------- d-----w C:\Program Files\Windows Mail
2008-06-05 02:02 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-06-05 01:48 --------- d-----w C:\Program Files\CAPCOM
2008-05-30 17:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-30 17:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-30 17:19 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-30 17:19 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-28 20:19 --------- d-----w C:\Users\Marc\AppData\Roaming\Command & Conquer 3 Tiberium Wars
2008-05-21 13:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-19 11:58 --------- d-----w C:\ProgramData\LogiShrd
2008-05-19 11:57 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2008-05-19 11:56 --------- d-----w C:\Program Files\Common Files\Logitech
2008-05-16 09:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-05-10 18:18 --------- d-----w C:\Users\Marc\AppData\Roaming\GetRightToGo
2008-05-10 18:17 --------- d-----w C:\Users\Marc\AppData\Roaming\Turbine
2008-05-10 17:46 --------- d-----w C:\Program Files\Turbine
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-29 03:50 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-26 07:41 1,327,616 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-18 14:30 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-18 14:30 32 ----a-w C:\ProgramData\ezsid.dat
2008-04-17 08:46 22,328 ----a-w C:\Users\Marc\AppData\Roaming\PnkBstrK.sys
2008-04-17 08:45 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-04-17 08:45 2,337,865 ----a-w C:\Windows\System32\pbsvc.exe
2008-04-17 08:45 107,832 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-04-16 17:43 127,034 ------r C:\Windows\bwUnin-8.1.1.50-8876480SL.exe
2008-04-16 16:54 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-04-16 16:53 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-16 16:53 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-16 16:53 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-04-16 16:53 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-04-16 16:53 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-04-16 16:51 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-04-16 16:51 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-04-16 16:49 83,968 ----a-w C:\Windows\System32\dnsrslvr.dll
2008-04-16 16:49 24,576 ----a-w C:\Windows\System32\dnscacheugc.exe
2008-04-16 16:33 80,896 ----a-w C:\Windows\System32\wudriver.dll
2008-04-16 16:33 549,720 ----a-w C:\Windows\System32\wuapi.dll
2008-04-16 16:33 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-04-16 16:33 43,352 ----a-w C:\Windows\System32\wups2.dll
2008-04-16 16:33 33,624 ----a-w C:\Windows\System32\wups.dll
2008-04-16 16:33 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2008-04-16 16:33 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2008-04-16 16:32 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-04-16 16:32 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2008-04-10 14:14 229,888 ----a-w C:\Windows\System32\msshsq.dll
2008-04-10 14:13 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-04-10 14:13 750,080 ----a-w C:\Windows\System32\qmgr.dll
2008-04-10 14:13 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-04-10 14:13 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-04-10 14:13 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-04-10 14:13 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-04-10 14:11 974,336 ----a-w C:\Windows\System32\crypt32.dll
2008-04-10 14:11 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2008-04-10 14:11 8,704 ----a-w C:\Windows\System32\hccoin.dll
2008-04-10 14:11 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-04-10 14:11 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-04-10 14:11 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-04-10 14:11 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-04-10 14:11 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-04-10 14:11 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-04-10 14:09 8,192 ----a-w C:\Windows\System32\riched32.dll
2008-04-10 14:09 77,824 ----a-w C:\Windows\System32\rascfg.dll
2008-04-10 14:09 694,784 ----a-w C:\Windows\System32\localspl.dll
2008-04-10 14:09 52,736 ----a-w C:\Windows\System32\rasdiag.dll
2008-04-10 14:09 384,000 ----a-w C:\Windows\System32\netcfgx.dll
2008-04-10 14:09 33,280 ----a-w C:\Windows\System32\traffic.dll
2008-04-10 14:09 32,768 ----a-w C:\Windows\System32\rasmxs.dll
2008-04-10 14:09 286,208 ----a-w C:\Windows\System32\ipnathlp.dll
2008-04-10 14:09 22,016 ----a-w C:\Windows\System32\rasser.dll
2008-04-10 14:09 15,360 ----a-w C:\Windows\System32\pacerprf.dll
2008-04-10 14:09 134,656 ----a-w C:\Windows\System32\dps.dll
2008-04-10 14:09 13,824 ----a-w C:\Windows\System32\wshqos.dll
2008-04-10 14:09 13,824 ----a-w C:\Windows\System32\icsunattend.exe
2008-04-10 14:08 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-04-10 14:07 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-04-10 14:07 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-04-10 14:07 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-04-10 14:07 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-04-10 14:05 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-04-10 14:04 5,120 ----a-w C:\Windows\System32\wmi.dll
2008-04-10 14:04 36,864 ----a-w C:\Windows\System32\wmdmps.dll
2008-04-10 14:04 311,296 ----a-w C:\Windows\System32\mswmdm.dll
2008-04-10 14:04 31,744 ----a-w C:\Windows\System32\wmdmlog.dll
2008-04-10 14:04 152,576 ----a-w C:\Windows\System32\imagehlp.dll
2008-04-10 14:02 53,760 ----a-w C:\Windows\System32\Mcx2Svc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39 486856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:21 21898024]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-12 10:40 405504]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2008-04-10 08:30 77824]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 16:44 178712]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-10 08:37 1838592]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2007-12-14 15:25 244208]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 03:09 488984]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 03:12 244512]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-12 01:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-12 01:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-12 01:06 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-08 01:50 9728 C:\Windows\System32\HCIMNTR.DLL]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\Windows\KHALMNPR.Exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-13 12:43:38 715568]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-04-16 19:44:03 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-19 13:56:03 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5709CF70-2DF3-4FC5-B262-28A8E81D607A}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{127C54E6-17AE-47DF-8D0B-BC4171904AE9}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{033742CC-0147-4B5E-969E-46B9EAC933D2}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{C4292B77-9CA9-4B4A-A8CB-F0531772FEEA}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{3F2BE4CA-B0D7-4292-AC30-8E652DA6CCDD}"= UDP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{A9A138CF-7895-4AB9-BB95-AEC4F3F8D3C8}"= TCP:C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{32C35AD5-2E8D-415F-8013-A1CFB8442055}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B4BE6734-F2D1-4621-8B63-8FFBF7A4ADFB}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{344CB9CB-78DB-41C9-8E67-E795B4AE0021}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{5BDE15BD-C20C-47FE-A3BE-D63E790A6756}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{47EE9502-1FE4-4D18-A43C-5FB41A190D6F}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{BBCAAA17-C2C6-4A23-A886-A6E62328A887}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{8DB8A7D0-223B-4668-A3C0-10F5400D04F1}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{34169EAD-D427-4567-8884-4FC13D53057E}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{29B49A00-99F7-40C7-A70F-B2AF85BA3CC7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{C2BCBB6B-9902-4DE9-9D89-2F70871C83DE}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{CD183782-D1F7-457D-B0C0-CACA20FEA1AB}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{A0A7742B-4182-4511-8C1C-6C6A6D4D2C56}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{5396224F-84FB-47F6-82B7-E366F06FD92D}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{A8D793D6-D392-40FF-BDC9-E9E9F6CB289F}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{84994745-17CE-4F3D-81FB-FD7D4E2C2221}"= UDP:C:\Program Files\CAPCOM\LOSTPLANETCOLONIES\LostPlanetColoniesDX9.exe:LOSTPLANETCOLONIES_DX9
"{F6BA12ED-90E3-4370-BD85-A61E5D0A9210}"= TCP:C:\Program Files\CAPCOM\LOSTPLANETCOLONIES\LostPlanetColoniesDX9.exe:LOSTPLANETCOLONIES_DX9
"{FCF99512-DF81-4C11-928E-EBE6BC87327E}"= UDP:C:\Program Files\CAPCOM\LOSTPLANETCOLONIES\LostPlanetColoniesDX10.exe:LOSTPLANETCOLONIES_DX10
"{91CC876C-2B28-42DB-94B9-7181AA771839}"= TCP:C:\Program Files\CAPCOM\LOSTPLANETCOLONIES\LostPlanetColoniesDX10.exe:LOSTPLANETCOLONIES_DX10
"{66017A7A-C135-49EF-A2BD-5D9734C6A55F}"= UDP:C:\Program Files\Ubisoft\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{0210943E-2DFC-4FBA-9694-6F3802686EAE}"= TCP:C:\Program Files\Ubisoft\THE SETTLERS - Rise of an Empire\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{6DF8B86A-E74A-4DC7-8D93-C87AE96E4900}"= UDP:C:\Program Files\Mass Effect\Binaries\MassEffect.exe:Mass Effect Game
"{DCBED5C5-D7A6-435B-917F-A5A2ACE5A546}"= TCP:C:\Program Files\Mass Effect\Binaries\MassEffect.exe:Mass Effect Game
"{5D18FF19-7433-425A-AE36-CB07F2DF6E1F}"= UDP:C:\Program Files\Mass Effect\MassEffectLauncher.exe:Mass Effect Launcher
"{F5865D81-66F5-4EFA-A996-C86657FE1572}"= TCP:C:\Program Files\Mass Effect\MassEffectLauncher.exe:Mass Effect Launcher
"{C06260DE-290E-4F6F-946E-4E5F45D4C7DE}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{2035A927-CECA-4422-906C-2BD58C5DF333}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor;C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 16:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 btwaudio;Bluetooth-audioenhed;C:\Windows\system32\drivers\btwaudio.sys [2007-04-02 06:42]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-04-02 06:42]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-04-02 06:42]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys [2007-11-20 09:20]
S2 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2007-12-14 15:25]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2007-12-14 15:25]
S2 SessionLauncher;SessionLauncher;C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe []
S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2007-12-14 15:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f05411d-0c58-11dd-8188-001e4ce63655}]
\shell\AutoRun\command - K:\INSTALLATION.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 23:00:00 C:\Windows\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-30 23:00:00 C:\Windows\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{4267713B-641A-44FE-A803-3AFAE866C989} - C:\Windows\system32\cbXQhHXr.dll
BHO-{848BDA22-3C5B-4262-A1F0-19C8244902A1} - C:\Windows\system32\tUlMFXpM.dll
BHO-{F28C4846-9BF8-4F5E-8D03-759D626CD1C6} - C:\Users\Marc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUVK8JY6\3077ahntdksr[1].dll
HKLM-Run-MSServer - C:\Windows\system32\byXOhFur.dll
HKLM-Run-3055abef - C:\Windows\system32\otlltasr.dll
HKLM-Run-BM33669873 - C:\Windows\system32\isrhojqg.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 1021
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"IAAnotif"="\"C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe\""
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Windows\System32\PnkBstrA.exe
C:\Windows\System32\PnkBstrB.exe
C:\Windows\System32\stacsv.exe
C:\Windows\System32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\conime.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Windows\System32\dllhost.exe
C:\Windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2008-07-09 10:09:32 - machine was rebooted [Marc]
ComboFix-quarantined-files.txt 2008-07-09 08:09:24

Pre-Run: 207,804,297,216 bytes free
Post-Run: 208,223,096,832 bytes free

389 --- E O F --- 2008-06-25 17:49:12
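The loading-point dump above contains several things a helper wants flagged before any cleanup starts: UAC switched off (EnableLUA = 0), the Windows Firewall off on all three profiles, Security Center monitoring for the McAfee products disabled, a service registered from a Temp directory with no file timestamp, an AutoRun handler for a removable drive, and the orphaned BHO/Run entries pointing at eight-letter DLLs in system32, which is the naming pattern Vundo/Virtumonde components used. The script below is an added example for this thread; it is not part of the post and is not ComboFix or HijackThis code. It parses a condensed copy of those lines (constructed from the log above) and returns tagged findings. The tag names, the line patterns and the eight-letter-DLL heuristic are this example's own assumptions, and the heuristic is for triage only, since legitimate eight-letter DLL names exist.

```python
"""Triage a ComboFix-style 'Reg Loading Points' dump for switched-off
defences and Virtumonde/Vundo-style persistence.  Added example; not part
of the forum post, ComboFix or HijackThis."""
import re

# Constructed sample: a condensed copy of the loading points in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-12 01:06 8530464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 IAANTMON;Intel(R) Matrix Storage Event Monitor;C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 16:45]
S2 SessionLauncher;SessionLauncher;C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f05411d-0c58-11dd-8188-001e4ce63655}]
\shell\AutoRun\command - K:\INSTALLATION.EXE

BHO-{4267713B-641A-44FE-A803-3AFAE866C989} - C:\Windows\system32\cbXQhHXr.dll
BHO-{F28C4846-9BF8-4F5E-8D03-759D626CD1C6} - C:\Users\Marc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUVK8JY6\3077ahntdksr[1].dll
HKLM-Run-MSServer - C:\Windows\system32\byXOhFur.dll
HKLM-Run-3055abef - C:\Windows\system32\otlltasr.dll
"""

# Line shapes as ComboFix prints them (patterns are this example's assumption).
KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[.*\]$")
AUTORUN_LINE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")
ORPHAN_LINE = re.compile(r"^(?P<kind>BHO|HKLM-Run|HKCU-Run)-(?P<name>.+?)\s+-\s+(?P<path>.+)$")
# Vundo/Virtumonde components were dropped into system32 under eight random
# letters.  Heuristic only: legitimate eight-letter DLL names exist too.
RANDOM_DLL = re.compile(r"\\system32\\(?P<base>[A-Za-z]{8})\.dll\b", re.IGNORECASE)


def _int_value(data):
    """Parse the two numeric forms in the dump: '0 (0x0)' and 'dword:00000001'."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return int(data.split()[0], 0)


def triage(log_text):
    """Return (tag, detail) findings in log order."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        leaf = key.rsplit("\\", 1)[-1]  # last component of the current key
        m = VALUE_LINE.match(line)
        if m:
            name, data = m.group("name"), m.group("data").strip()
            if name == "EnableLUA" and _int_value(data) == 0:
                findings.append(("uac_disabled", key))
            elif name == "EnableFirewall" and _int_value(data) == 0:
                findings.append(("firewall_off", leaf))
            elif name == "DisableMonitoring" and _int_value(data) == 1:
                findings.append(("security_center_muted", leaf))
            elif name == "AppInit_DLLs" and data:
                # Loaded into every process that loads user32.dll: verify it.
                findings.append(("appinit_dll", data))
            elif leaf.lower() == "run" and RANDOM_DLL.search(data):
                findings.append(("random_dll", RANDOM_DLL.search(data).group("base")))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            if "\\temp\\" in m.group("path").lower():
                findings.append(("service_from_temp", m.group("name")))
            continue
        m = AUTORUN_LINE.match(line)
        if m:
            findings.append(("removable_autorun", m.group("cmd")))
            continue
        m = ORPHAN_LINE.match(line)
        if m:
            path = m.group("path")
            hit = RANDOM_DLL.search(path)
            if hit:
                findings.append(("random_dll", hit.group("base")))
            elif "temporary internet files" in path.lower():
                findings.append(("loader_from_ie_cache", path))
    return findings


def summary(findings):
    """Count findings per tag so the state of the machine is visible at a glance."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"{tag:22} {detail}")
```

Run it as a script to print the findings, or call triage() on the text of another ComboFix log. The appinit_dll finding is a review item rather than a verdict: whatever is listed there is loaded into every process that loads user32.dll, so the helper confirms what it belongs to (in this log the path sits under the Google program directory). The three random_dll hits correspond to the orphaned entries ComboFix already removed, which is the part of the log that identifies the infection family.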
Old 07-09-2008, 08:05 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
Join Date: Jan 2005
Location: Ohio
Posts: 19,091
OS: WinXP and Vista


Re: Virtumonde attack

Hi Telkov,

Press the Windows Logo key and the letter 'E' to open Windows Explorer.

Navigate to and delete the following file:

C:\Windows\System32\tUlMFXpM.dll_old

----------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis.exe and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
New HijackThis log
Update on system behavior
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."