Hej NielsErik, velkommen til Spywarefri.
Ja, der er ganske rigtigt tegn på at du har Storm-ormen på computeren, som gør den til en Zombie.

Inden vi går i gang med at rense skal jeg dog lige høre ved dig, om det er en firma-computer, som du vil have renset?

Nej, det er min private pc

Ok. Prøv lige om du kan lave en combo log -

—Hent Combofix, og gem den på dit skrivebord:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Luk alle andre vinduer ned.

Kør så combofix.exe, og følg anvisningerne.

Du må ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.

Når combofix er færdig, og efter det (muligvis) har genstartet, skulle der gerne åbnes en logfil: combofix.txt som ligger her C: combofix txt

Indholdet af denne fil må du gerne lægge herind sammen med en ny hijackthis log.

Hej her er log filerne;

ComboFix 07-12-21.4 - nek 2007-12-29 11:22:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2393 [GMT 1:00]
Running from: C:\spywarefri\ComboFix.exe
.
/wow section - STAGE 33

(((((((((((((((((((((((((((((((((((((((  Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\nek\g2mdlhlpx.exe
C:\WINDOWS\system32\Cache

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
———-\LEGACY_IPRIP
———-\Iprip

(((((((((((((((((((((((((  Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 10:11 . 2007-12-29 10:26 <DIR> d————C:\Documents and Settings\nek\Application Data\gtk-2.0
2007-12-29 01:17 . 2007-12-29 01:27 <DIR> d————C:\WINDOWS\BDOSCAN8
2007-12-23 12:34 . 2007-12-23 12:34 <DIR> d————C:\Documents and Settings\nek\Application Data\Grisoft
2007-12-23 12:34 . 2007-12-23 12:34 <DIR> d————C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 12:34 . 2007-05-30 13:10 10,872—a———C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-23 12:28 . 2007-12-29 11:02 <DIR> d————C:\spywarefri
2007-12-23 00:44 . 2007-12-23 00:44 <DIR> d————C:\Program Files\Lavasoft
2007-12-22 23:52 . 2007-06-29 09:38 581,632—a———C:\gmer.exe
2007-12-22 22:56 . 2007-12-23 12:17 250—a———C:\WINDOWS\gmer.ini
2007-12-21 23:23 . 2007-12-21 23:23 <DIR> d————C:\Program Files\Debugging Tools for Windows
2007-12-21 16:54 . 2007-12-29 06:44 <DIR> d————C:\temp
2007-12-21 16:54 . 2007-12-21 16:54 <DIR> d————C:\Program Files\Microsoft Silverlight
2007-12-20 01:26 . 2007-12-20 01:26 <DIR> d————C:\Documents and Settings\All Users\Application Data\UDL
2007-12-20 01:25 . 2007-12-29 11:15 <DIR> d————C:\Program Files\EPSON Print CD
2007-12-20 01:23 . 2007-12-20 01:23 <DIR> d————C:\Documents and Settings\nek\Application Data\InstallShield
2007-12-20 01:23 . 2007-12-20 01:23 <DIR> d————C:\Documents and Settings\All Users\Application Data\EPSON
2007-12-20 01:22 . 2004-08-03 23:01 25,856—a———C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-20 01:22 . 2004-08-03 23:01 25,856—a—c—- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-20 01:21 . 2007-12-20 01:25 <DIR> d————C:\Program Files\EPSON
2007-12-20 01:21 . 2007-12-20 01:21 26—a———C:\WINDOWS\CDER285EXPORT.ini
2007-12-20 00:37 . 1997-01-16 00:00 71,680—a———C:\WINDOWS\ST5UNST.EXE
2007-12-19 20:38 . 2007-12-19 20:38 3,816,988 -ra———C:\Documents and Settings\nek\firmware.bin
2007-12-18 19:16 . 2007-12-29 08:22 <DIR> d————C:\ReBurn
2007-12-17 18:59 . 2007-10-08 09:22 150,064—a———C:\WINDOWS\system32\vmnat.exe
2007-12-17 18:59 . 2007-10-08 09:22 121,392—a———C:\WINDOWS\system32\vmnetdhcp.exe
2007-12-17 18:59 . 2007-10-08 08:31 28,592 -ra———C:\WINDOWS\system32\drivers\vmnetbridge.sys
2007-12-17 18:59 . 2007-10-08 09:22 25,008—a———C:\WINDOWS\system32\drivers\vmnetuserif.sys
2007-12-17 18:59 . 2007-10-08 08:31 17,712 -ra———C:\WINDOWS\system32\drivers\vmnet.sys
2007-12-17 18:59 . 2007-10-08 08:31 16,816 -ra———C:\WINDOWS\system32\drivers\vmnetadapter.sys
2007-12-17 18:58 . 2007-12-17 18:58 <DIR> d————C:\Program Files\VMware
2007-12-17 18:58 . 2007-12-17 18:58 <DIR> d————C:\Program Files\Common Files\VMware
2007-12-12 23:30 . 2007-12-12 23:30 <DIR> d————C:\Program Files\GPLGS

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-29 10:27 224,148——a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-12-29 10:27 1,132——a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-12-29 03:46————- d——-w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-29 02:28————- d——-w C:\Program Files\Microsoft SQL Server
2007-12-28 23:24————- d——-w C:\Program Files\Microsoft Virtual PC
2007-12-23 00:24————- d——-w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 22:28————- d——-w C:\Program Files\UltraEdit
2007-12-22 01:13————- d——-w C:\Program Files\WinImage
2007-12-22 00:20————- d——-w C:\Program Files\Notepad++
2007-12-21 21:27————- d——-w C:\Program Files\Ethereal
2007-12-20 00:27————- d—h—w C:\Program Files\InstallShield Installation Information
2007-12-19 21:57————- d——-w C:\Documents and Settings\nek\Application Data\OpenOffice.org2
2007-12-19 21:54————- d——-w C:\Program Files\Image for Windows
2007-12-19 21:41 24——a-w C:\WINDOWS\system32\drivers\wnmsav.dat
2007-12-19 19:12————- d——-w C:\Documents and Settings\LocalService\Application Data\VMware
2007-12-19 19:12————- d——-w C:\Documents and Settings\All Users\Application Data\VMware
2007-12-17 19:41————- d——-w C:\Documents and Settings\nek\Application Data\VMware
2007-12-12 16:03————- d——-w C:\Documents and Settings\NetworkService\Application Data\VMware
2007-11-13 10:25 20,480——a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 22:26 538,867——a-w C:\sox12181.zip
2007-10-29 22:43 1,287,680——a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720——a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 09:26 53,248——a-w C:\WINDOWS\bdoscandel.exe
2007-10-24 00:47 96,760——a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 00:47 84,480——a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 00:47 282,112——a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 00:47 158,720——a-w C:\WINDOWS\system32\mscorier.dll
2007-10-11 15:12 299,603——a-w C:\atheros4229.zip
2007-10-11 14:59 1,314,219——a-w C:\aircrack-ng-0.9.1-win.zip
2007-10-11 08:55 88,576——a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-11 08:55 579,584——a-w C:\WINDOWS\system32\icardagt.exe
2007-10-11 08:55 11,776——a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 12:03 779,800——a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 12:03 73,752——a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 12:03 493,080——a-w C:\WINDOWS\system32\evr.dll
2007-10-09 12:03 350,744——a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 12:03 33,304——a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 12:03 161,304——a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 12:03 106,520——a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 12:03 1,986,072——a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 11:58 16,896——a-w C:\WINDOWS\system32\tswpfwrp.exe
2007-10-08 08:22 436,784——a-w C:\WINDOWS\system32\vnetlib.dll
2007-10-08 07:31 50,992——a-r C:\WINDOWS\system32\vmnetbridge.dll
2007-10-08 07:31 13,104——a-r C:\WINDOWS\system32\vnetinst.dll
2007-10-08 07:07 219,696——a-w C:\WINDOWS\system32\vmnc.dll
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“PtiuPbmd”=“rem Rundll32.exe” []
“NeroFilterCheck”=“rem C:\WINDOWS\system32\NeroCheck.exe” []
“SSBkgdUpdate”=“rem C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” []
“Opware15”=“rem C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe” []
“DAEMON Tools-1033”=“rem C:\Program Files\D-Tools\daemon.exe” []
“Dit”=“rem Dit.exe” []
“domino”=“rem C:\WINDOWS\domino.exe” []
“VMSnap1”=“rem C:\WINDOWS\VMSnap1.exe” []
“VMware hqtray”=“C:\Program Files\VMware\VMware Player\hqtray.exe” [2007-10-08 09:21]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 10:25]
“combofix”=“C:\WINDOWS\system32\cmd.exe” [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 11:13 45056 C:\WINDOWS\system32\avldr.dll

R0 DontGo;Promise Removable Disk Control Driver;C:\WINDOWS\system32\drivers\DontGo.sys [2004-06-29 15:25]
R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\Drivers\NETFLT.SYS [2006-03-24 12:55]
R0 phylock;phylock;C:\WINDOWS\system32\drivers\phylock.sys [2006-06-01 14:27]
R0 ulsata2;ulsata2;C:\WINDOWS\system32\drivers\ulsata2.sys [2004-12-13 12:28]
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2006-03-01 17:44]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2006-04-20 08:09]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2006-02-09 16:18]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2006-04-06 11:49]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2006-02-10 08:55]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys [2005-08-29 13:23]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2005-12-12 11:17]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2006-02-09 09:19]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2005-08-12 13:36]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2004-01-08 07:54]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-10-08 09:22]
S3 BCORETH5;BCORETH5 NDIS Protocol Driver;C:\WINDOWS\system32\BCORETH5.SYS [2003-12-10 09:40]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-23 10:54]
S3 ZZZMPR5;ZZZMPR5 NDIS Protocol Driver;C:\WINDOWS\system32\ZZZMPR5.SYS []

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-29 11:27:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-29 11:29:17 - machine was rebooted [nek]
.
2007-12-12 22:37:41—- E O F—- 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:59, on 29-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DllHost.exe
C:\spywarefri\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll
O4 - HKLM\..\Run: [PtiuPbmd] rem Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NeroFilterCheck] rem C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] rem “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM\..\Run: [Opware15] rem “C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe”
O4 - HKLM\..\Run: [DAEMON Tools-1033] rem “C:\Program Files\D-Tools\daemon.exe”  -lang 1033
O4 - HKLM\..\Run: [Dit] rem Dit.exe
O4 - HKLM\..\Run: [domino] rem C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] rem C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [VMware hqtray] “C:\Program Files\VMware\VMware Player\hqtray.exe”
O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Maintain; Block List… - C:\PROGRA~1\AllStar\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block; List… - C:\PROGRA~1\AllStar\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude; List… - C:\PROGRA~1\AllStar\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings;... - C:\PROGRA~1\AllStar\AdShield\settings.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll (HKCU)
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://yoda.digieyez.dk
O15 - Trusted Zone: http://*.digizuite.dk
O15 - Trusted Zone: http://webmail.nekn.dk
O15 - Trusted Zone: http://sputnik.tv2.dk
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nekn.dk
O17 - HKLM\Software\..\Telephony: DomainName = nekn.dk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nekn.dk
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

—
End of file - 7044 bytes

Åbn Stifinder, klik på Funktioner=>Mappeindstillinger=>Vis.
Fjern flueben ved “Skjul beskyttede operativsystemfiler”.
Fjern flueben ved “Skjul filtypenavne for kendte filtyper”.
Sæt prik i “Vis skjulte filer og mapper”.
Dobbeltklik på denne fil, kopier teksten herind:
C:\WINDOWS\CDER285EXPORT.ini

Er dette noget du kender til?
C:\aircrack-ng-0.9.1-win.zip

her er cder285export.ini

[DialogSelected]
LADK=1

ad2.
ja, jeg har hentet denne fil fra http://www.aircrack-ng.org, for at teste mit trådløse netværks sikkerhed,
men fik det ikke til at virke grundet driver kompabilitets problemer

Combofix tog en vigtig del af infektionen, og muligvis er den deaktiveret. Men samtidig så er der en entry i dine logfiler, der tyder på at du har en infektion, der forhindrer Combofix i at arbejde ordentligt. Og så er der endelig tegn på et andet rootkit.

Jeg overfører derfor tråden til Rootkit-kategorien. Der gælder nogle særlige forhold for supporten i denne kategori, som du kan læse om her:

http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29320

Hvis du alligevel vælger at fortsætte, så prøv følgende:
—Kopiér indholdet mellem de stiplede linier ind i et notepad-vindue, og gem indholdet på skrivebordet som regfix.reg. Når du gemmer, skal du sikre, at der under “filtyper” står “alle filer”.
———————————————
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“combofix”=-
———————————————
Dobbeltklik så på den fil, som du lige har lavet, og bekræft at du vil tilføje oplysningerne til registreringsdatabasen.

—Genstart så computeren, og lav nye logfiler med hhv. Combofix og Hijackthis.

Jeg måtte disable Panda AV services for at få combofix til at køre…

ComboFix 07-12-21.4 - nek 2007-12-29 23:39:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2539 [GMT 1:00]
Running from: C:\spywarefri\ComboFix.exe
.
/wow section - STAGE 33
/wow section - STAGE 36

(((((((((((((((((((((((((  Files Created from 2007-11-28 to 2007-12-29 )))))))))))))))))))))))))))))))
.

2007-12-29 10:11 . 2007-12-29 10:26 <DIR> d————C:\Documents and Settings\nek\Application Data\gtk-2.0
2007-12-29 01:17 . 2007-12-29 01:27 <DIR> d————C:\WINDOWS\BDOSCAN8
2007-12-23 12:34 . 2007-12-23 12:34 <DIR> d————C:\Documents and Settings\nek\Application Data\Grisoft
2007-12-23 12:34 . 2007-12-23 12:34 <DIR> d————C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 12:34 . 2007-05-30 13:10 10,872—a———C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-23 12:28 . 2007-12-29 23:24 <DIR> d————C:\spywarefri
2007-12-23 00:44 . 2007-12-23 00:44 <DIR> d————C:\Program Files\Lavasoft
2007-12-22 22:56 . 2007-12-29 23:31 250—a———C:\WINDOWS\gmer.ini
2007-12-21 23:23 . 2007-12-21 23:23 <DIR> d————C:\Program Files\Debugging Tools for Windows
2007-12-21 16:54 . 2007-12-21 16:54 <DIR> d————C:\Program Files\Microsoft Silverlight
2007-12-20 01:26 . 2007-12-20 01:26 <DIR> d————C:\Documents and Settings\All Users\Application Data\UDL
2007-12-20 01:25 . 2007-12-29 20:57 <DIR> d————C:\Program Files\EPSON Print CD
2007-12-20 01:23 . 2007-12-20 01:23 <DIR> d————C:\Documents and Settings\nek\Application Data\InstallShield
2007-12-20 01:23 . 2007-12-20 01:23 <DIR> d————C:\Documents and Settings\All Users\Application Data\EPSON
2007-12-20 01:22 . 2004-08-03 23:01 25,856—a———C:\WINDOWS\system32\drivers\usbprint.sys
2007-12-20 01:22 . 2004-08-03 23:01 25,856—a—c—- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-12-20 01:21 . 2007-12-20 01:25 <DIR> d————C:\Program Files\EPSON
2007-12-20 01:21 . 2007-12-20 01:21 26—a———C:\WINDOWS\CDER285EXPORT.ini
2007-12-20 00:37 . 1997-01-16 00:00 71,680—a———C:\WINDOWS\ST5UNST.EXE
2007-12-19 20:38 . 2007-12-19 20:38 3,816,988 -ra———C:\Documents and Settings\nek\firmware.bin
2007-12-17 18:59 . 2007-10-08 09:22 150,064—a———C:\WINDOWS\system32\vmnat.exe
2007-12-17 18:59 . 2007-10-08 09:22 121,392—a———C:\WINDOWS\system32\vmnetdhcp.exe
2007-12-17 18:59 . 2007-10-08 08:31 28,592 -ra———C:\WINDOWS\system32\drivers\vmnetbridge.sys
2007-12-17 18:59 . 2007-10-08 09:22 25,008—a———C:\WINDOWS\system32\drivers\vmnetuserif.sys
2007-12-17 18:59 . 2007-10-08 08:31 17,712 -ra———C:\WINDOWS\system32\drivers\vmnet.sys
2007-12-17 18:59 . 2007-10-08 08:31 16,816 -ra———C:\WINDOWS\system32\drivers\vmnetadapter.sys
2007-12-17 18:58 . 2007-12-17 18:58 <DIR> d————C:\Program Files\VMware
2007-12-17 18:58 . 2007-12-17 18:58 <DIR> d————C:\Program Files\Common Files\VMware
2007-12-12 23:30 . 2007-12-12 23:30 <DIR> d————C:\Program Files\GPLGS

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:42, on 2007-12-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\spywarefri\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll
O4 - HKLM\..\Run: [PtiuPbmd] rem Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NeroFilterCheck] rem C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] rem “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM\..\Run: [Opware15] rem “C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe”
O4 - HKLM\..\Run: [DAEMON Tools-1033] rem “C:\Program Files\D-Tools\daemon.exe”  -lang 1033
O4 - HKLM\..\Run: [Dit] rem Dit.exe
O4 - HKLM\..\Run: [domino] rem C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] rem C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [VMware hqtray] rem “C:\Program Files\VMware\VMware Player\hqtray.exe”
O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Maintain; Block List… - C:\PROGRA~1\AllStar\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block; List… - C:\PROGRA~1\AllStar\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude; List… - C:\PROGRA~1\AllStar\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings;... - C:\PROGRA~1\AllStar\AdShield\settings.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll (HKCU)
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://yoda.digieyez.dk
O15 - Trusted Zone: http://*.digizuite.dk
O15 - Trusted Zone: http://webmail.nekn.dk
O15 - Trusted Zone: http://sputnik.tv2.dk
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nekn.dk
O17 - HKLM\Software\..\Telephony: DomainName = nekn.dk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nekn.dk
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

—
End of file - 5049 bytes

For det første bliver jeg nødt til at bede dig om at hente en ny version af Combofix på det link, hvor du hentede den første. Prøv så at omdøbe programmet, og lav en ny scanning med det. Læg logfilen herind til gennemsyn.

Så skal jeg også lige høre ved dig: Ved mange af linierne i din Hijackthis-log ser det ud til, at der er tilføjet et “rem”:

O4 - HKLM\..\Run: [Dit] rem Dit.exe

Ved du selv hvad årsagen til dette er?

jeg har forsøgt at hente en ny combofix, men den virker stadig ikke,

normalt når combofix kører lukker den ned efter 5-10 sek, den har da lige oprettet en mappe C:\QooBox

når cfix kommer lidt længere skriver den;
i stage_2 skriver den ’ type miscfile.dat ’ is not recognized as an internal or external command.
desuden brokker den sig over at en fil er i brug af en anden process.

vedrørende rem, er det min måde at udkommentere auto start elementer jeg ikke vil have til at starte, men
måske vil have til at starte engang (dos REM(ark))

 

en anden fejl fra combofix;

Scanning for infected files . . .
This typically dosn’t tate more than 10 minutes
However, scan times for basly infected machines may easily duble

’ swreg.cfexe query “hklm\software\swearware” /v runs | SED.cfexe “/.*\t!d; s/
/” ’ is not recognized as an internal or external command,
operable program or batch file.

Hmm, underligt [:0]

Nå men, lad os se om deckards scanner vil køre -

Hent denne scanner til skrivebordet:

http://www.techsupportforum.com/sectools/Deckard/dss.exe

Luk øvrige programmer inden du begynder at bruge programmet. Dobbeltklik på dss.exe

Når programmet er færdigt, så åbnes to filer i Notesblok (main.txt og extra.txt) - kopier indholdet af begge herind.

hej her er main.txt og extra.txt

Deckard’s System Scanner v20071014.68
Run by nek on 2007-12-30 08:15:22
Computer is in Normal Mode.
————————————————————————————————————————

—HijackThis (run as nek.exe)————————————————————————-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:15, on 2007-12-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\nek\Desktop\dss.exe
C:\SPYWAR~1\nek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll
O4 - HKLM\..\Run: [PtiuPbmd] rem Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NeroFilterCheck] rem C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] rem “C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” -Embedding -boot
O4 - HKLM\..\Run: [Opware15] rem “C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe”
O4 - HKLM\..\Run: [DAEMON Tools-1033] rem “C:\Program Files\D-Tools\daemon.exe”  -lang 1033
O4 - HKLM\..\Run: [Dit] rem Dit.exe
O4 - HKLM\..\Run: [domino] rem C:\WINDOWS\domino.exe
O4 - HKLM\..\Run: [VMSnap1] rem C:\WINDOWS\VMSnap1.exe
O4 - HKLM\..\Run: [VMware hqtray] rem “C:\Program Files\VMware\VMware Player\hqtray.exe”
O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Maintain; Block List… - C:\PROGRA~1\AllStar\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block; List… - C:\PROGRA~1\AllStar\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude; List… - C:\PROGRA~1\AllStar\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings;... - C:\PROGRA~1\AllStar\AdShield\settings.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\PROGRA~1\AllStar\AdShield\AdShield.dll (HKCU)
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://yoda.digieyez.dk
O15 - Trusted Zone: http://*.digizuite.dk
O15 - Trusted Zone: http://webmail.nekn.dk
O15 - Trusted Zone: http://sputnik.tv2.dk
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nekn.dk
O17 - HKLM\Software\..\Telephony: DomainName = nekn.dk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nekn.dk
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

—
End of file - 4739 bytes

—Files created between 2007-11-30 and 2007-12-30——————————————-

2007-12-30 08:14:51       0 dr-h——- C:\Documents and Settings\nek\Recent
2007-12-30 00:17:48     780—a———C:\app.reg
2007-12-29 10:11:31       0 d————C:\Documents and Settings\nek\Application Data\gtk-2.0
2007-12-29 01:17:19       0 d————C:\WINDOWS\BDOSCAN8
2007-12-23 12:34:49       0 d————C:\Documents and Settings\nek\Application Data\Grisoft
2007-12-23 12:34:39       0 d————C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-23 12:28:39       0 d————C:\spywarefri
2007-12-23 00:44:56       0 d————C:\Program Files\Lavasoft
2007-12-21 23:23:30       0 d————C:\Program Files\Debugging Tools for Windows
2007-12-21 16:54:55       0 d————C:\Program Files\Microsoft Silverlight
2007-12-20 01:26:06       0 d————C:\Documents and Settings\All Users\Application Data\UDL
2007-12-20 01:25:12       0 d————C:\Program Files\EPSON Print CD
2007-12-20 01:23:36   111932—a———C:\WINDOWS\system32\EPPICPrinterDB.dat
2007-12-20 01:23:36     1139—a———C:\WINDOWS\system32\EPPICPresetData_PT.dat
2007-12-20 01:23:36     1120—a———C:\WINDOWS\system32\EPPICPresetData_IT.dat
2007-12-20 01:23:36     1107—a———C:\WINDOWS\system32\EPPICPresetData_GE.dat
2007-12-20 01:23:36     1129—a———C:\WINDOWS\system32\EPPICPresetData_FR.dat
2007-12-20 01:23:36     1136—a———C:\WINDOWS\system32\EPPICPresetData_ES.dat
2007-12-20 01:23:36     1104—a———C:\WINDOWS\system32\EPPICPresetData_EN.dat
2007-12-20 01:23:36     1146—a———C:\WINDOWS\system32\EPPICPresetData_DU.dat
2007-12-20 01:23:36     1129—a———C:\WINDOWS\system32\EPPICPresetData_CF.dat
2007-12-20 01:23:36     1139—a———C:\WINDOWS\system32\EPPICPresetData_BP.dat
2007-12-20 01:23:36     4943—a———C:\WINDOWS\system32\EPPICPattern6.dat
2007-12-20 01:23:36   21390—a———C:\WINDOWS\system32\EPPICPattern5.dat
2007-12-20 01:23:36   11811—a———C:\WINDOWS\system32\EPPICPattern4.dat
2007-12-20 01:23:36   24903—a———C:\WINDOWS\system32\EPPICPattern3.dat
2007-12-20 01:23:36   20148—a———C:\WINDOWS\system32\EPPICPattern2.dat
2007-12-20 01:23:36   31053—a———C:\WINDOWS\system32\EPPICPattern131.dat
2007-12-20 01:23:36   27417—a———C:\WINDOWS\system32\EPPICPattern121.dat
2007-12-20 01:23:35   26154—a———C:\WINDOWS\system32\EPPICPattern1.dat
2007-12-20 01:23:34       0 d————C:\Documents and Settings\nek\Application Data\InstallShield
2007-12-20 01:23:06       0 d————C:\Documents and Settings\All Users\Application Data\EPSON
2007-12-20 01:21:37       0 d————C:\Program Files\EPSON
2007-12-20 00:37:36   71680—a———C:\WINDOWS\ST5UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-12-17 18:58:08       0 d————C:\Program Files\VMware
2007-12-17 18:58:06       0 d————C:\Program Files\Common Files\VMware
2007-12-12 23:30:16       0 d————C:\Program Files\GPLGS

—Find3M Report———————————————————————————————-

2007-12-30 00:40:50       0 d————C:\Program Files\Messenger
2007-12-29 23:09:36       0 d————C:\Program Files\Notepad++
2007-12-29 04:46:37       0 d————C:\Program Files\Common Files
2007-12-29 00:24:01       0 d————C:\Program Files\Microsoft Virtual PC
2007-12-23 01:24:17       0 d————C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 23:28:13       0 d————C:\Program Files\UltraEdit
2007-12-22 02:13:47       0 d————C:\Program Files\WinImage
2007-12-21 22:27:47       0 d————C:\Program Files\Ethereal
2007-12-20 01:27:47       0 d—h——- C:\Program Files\InstallShield Installation Information
2007-12-19 22:57:16       0 d————C:\Documents and Settings\nek\Application Data\OpenOffice.org2
2007-12-19 22:54:56       0 d————C:\Program Files\Image for Windows
2007-12-17 20:41:00       0 d————C:\Documents and Settings\nek\Application Data\VMware
2007-10-25 10:26:48   53248—a———C:\WINDOWS\bdoscandel.exe
2007-10-11 09:55:10   88576—a———C:\WINDOWS\system32\infocardapi.dll <Not Verified; Microsoft Corporation; Microsoft® .NET Framework>
2007-10-09 12:58:20   16896—a———C:\WINDOWS\system32\tswpfwrp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

—Registry Dump———————————————————————————————-

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“PtiuPbmd”=“rem ulutil2.dll” []
“NeroFilterCheck”=“rem C:\WINDOWS\system32\NeroCheck.exe” []
“SSBkgdUpdate”=“rem C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe” []
“Opware15”=“rem C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe” []
“DAEMON Tools-1033”=“rem C:\Program Files\D-Tools\daemon.exe” []
“Dit”=“rem Dit.exe” []
“domino”=“rem C:\WINDOWS\domino.exe” []
“VMSnap1”=“rem C:\WINDOWS\VMSnap1.exe” []
“VMware hqtray”=“rem C:\Program Files\VMware\VMware Player\hqtray.exe” []
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“MSMSGS”=“C:\Program Files\Messenger\msmsgs.exe” [2004-10-13 17:24]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 11:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@=“Service”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=“Volume shadow copy”

 

—End of Deckard’s System Scanner: finished at 2007-12-30 08:15:45——————

og extra.txt, jeg måtte finde den under C:\deckard\system scanner\20071230081522 kataloget

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
————————————————————————————————————————

—System Information—————————————————————————————

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.20GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.20GHz
Percentage of Memory in Use: 11%
Physical Memory (total/avail): 2941.72 MiB / 2606.54 MiB
Pagefile Memory (total/avail): 4322.46 MiB / 4181.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1902.48 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 465.75 GiB total, 442.93 GiB free.
U: is Removable (No Media)
V: is Removable (No Media)
W: is Removable (No Media)
X: is Removable (No Media)
Z: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST350064 1NS SCSI Disk Device - 465.76 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 465.75 GiB - C:

\\.\PHYSICALDRIVE1 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE2 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE3 - Generic STORAGE DEVICE USB Device

\\.\PHYSICALDRIVE4 - Generic STORAGE DEVICE USB Device

 

—Security Center——————————————————————————————-

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Panda Titanium 2006 Personal Firewall v5.03.00 (Panda Software) Disabled
AV: Panda Titanium 2006 Antivirus + Antispyware v5.03.00 (Panda Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

—Environment Variables———————————————————————————-

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\nek\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SINGULARITY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\nek
LOGONSERVER=\\SINGULARITY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\nek\LOCALS~1\Temp
TMP=C:\DOCUME~1\nek\LOCALS~1\Temp
USERDOMAIN=SINGULARITY
USERNAME=nek
USERPROFILE=C:\Documents and Settings\nek
windir=C:\WINDOWS

—User Profiles———————————————————————————————-

nek (admin)

—Add/Remove Programs————————————————————————————-

—> .
—> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX—> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9—> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
AdShield—> “C:\Program Files\AllStar\AdShield\IsStub32.exe”  -f"C:\Program Files\AllStar\AdShield\DeIsL1.isu”  -c"C:\Program Files\AllStar\AdShield\_ISREG32.DLL”
AVG Anti-Spyware 7.5—> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Camera RAW Plug-In for EPSON Creativity Suite—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{93EA9C3E-BDFD-4309-A605-9B5BBC0CCEFD}\SETUP.EXE” -l0x9 UNINST
CCleaner (remove only)—> “C:\Program Files\CCleaner\uninst.exe”
Cisco Systems VPN Client 5.0.00.0340—> MsiExec.exe /X{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}
DAEMON Tools—> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
Debugging Tools for Windows—> MsiExec.exe /I{F3ECED46-91CC-4F44-9917-9A20085D5D26}
DiskRedactor—> “C:\Program Files\CEZEO software\Disk Redactor\unins000.exe”
EPSON-printersoftware—> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Attach To Email—> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{3D78F2A2-C893-4ABD-B5FE-AD7011837755}\SETUP.EXE” -l0x9 UNINST
EPSON File Manager—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe” -l0x9 UNINST
EPSON Print CD—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\SETUP.EXE” -l0x9 -SYSTEM
EPSON Scan Assistant—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe” -l0x9 -u
EPSON Stylus Photo R285_290 Håndbog—> C:\Program Files\EPSON\TPMANUAL\ESPR285_290\DNK\USE_G\DOCUNINS.EXE
Ethereal 0.99.0—> “C:\Program Files\Ethereal\uninstall.exe”
FileZilla (remove only)—> “C:\Program Files\FileZilla\uninstall.exe”
Google Earth—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe” -l0x9 -removeonly
GTK+ 2.10.13 runtime environment—> “C:\Program Files\Common Files\GTK\2.0\setup\unins000.exe”
HijackThis 2.0.2—> “C:\spywarefri\HijackThis.exe” /uninstall
IDA Pro Standard v5.1 with WinCE debugger—> “C:\Program Files\IDA\unins000.exe”
Microsoft Base Smart Card Cryptographic Service Provider Package—> “C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe”
Microsoft Compression Client Pack 1.0 for Windows XP—> “C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe”
Microsoft Device Emulator version 1.0 - ENU—> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005—> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005—> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Silverlight—> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0—> “C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe”
Microsoft Virtual PC 2007—> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Multi-Card Reader / Flash Disk—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{EA1CB7AC-E221-4822-A789-0ADB051DC498}\setup.exe” -l0x9
Nero 6—> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Notepad++—> C:\Program Files\Notepad++\uninstall.exe
OpenOffice.org 2.2—> MsiExec.exe /I{3CCBC9FF-7F35-4220-B66D-B60E2E7AB4E2}
Panda Titanium 2006 Antivirus + Antispyware—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{98032D6F-3EE6-4646-B68C-40BF012AC89B}\SETUP.exe” -l0x9 -removeonly
Samsung CLP-550 Series—> C:\WINDOWS\Samsung\CLP-550\SETUP.EXE
ScanSoft OmniPage 15.0—> MsiExec.exe /I{E9DCA3A9-7478-427C-9E98-765D980EF053}
SetIP—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{C206015D-DAC5-407C-A54B-6D7776A0881C}\Setup.exe” -l0x9
Skype 2.5—> “C:\Program Files\Skype\Phone\unins000.exe”
SyncThru—> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Samsung Network Printer Utilities\SyncThru\Uninst.isu” -c"C:\Program Files\Samsung Network Printer Utilities\SyncThru\_Uninst.dll”
TBIView—> C:\Program Files\TBIView\Uninst_TBIView.exe /U “C:\Program Files\TBIView\Uninst_TBIView.log”
TDC Digital Signatur CSP—> MsiExec.exe /X{BEF17411-8BB9-48D0-A124-7CD41FE46DCB}
TerraTec NOXON audio Manager—> C:\WINDOWS\st6unst.exe -n “C:\Program Files\TerraTec NOXON audio Manager\ST6UNST.LOG” 
The GIMP 2.2.16—> “C:\Program Files\GIMP-2.0\unins000.exe”
TreeSize Professional 4.0.2—> “C:\Program Files\JAM Software\TreeSize Professional\unins000.exe”
VB Decompiler Lite 3.4—> “C:\Program Files\VB Decompiler Lite\unins000.exe”
Vimicro USB PC Camera (VC0301PL)—> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information\{41E496B5-47F4-11D6-9BBB-00E0987BB2CD}\Setup.exe” -l0x9
VMware Player—> MsiExec.exe /I{A53A11EA-0095-493F-86FA-A15E8A86A405}
VNC Free Edition 4.1.2—> “C:\Program Files\RealVNC\VNC4\unins000.exe”
Winamp (remove only)—> “C:\Program Files\Winamp\UninstWA.exe”
Windows Imaging Component—> “C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe”
Windows Media Format 11 runtime—> “C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe”
Windows Presentation Foundation—> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2—> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2—> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
WinImage—> “C:\Program Files\WinImage\winimage.exe” /uninstall
WinPcap 3.1—> C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver—> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0—>

—Application Event Log———————————————————————————-

Event Record #/Type159 / Error
Event Submitted/Written: 12/30/2007 00:57:22 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Procmon.exe, version 1.12.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type111 / Error
Event Submitted/Written: 12/29/2007 04:00:05 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application TBIView.exe, version 0.3.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type91 / Error
Event Submitted/Written: 12/29/2007 00:08:55 AM
Event ID/Source: 4001 / Sentinel
Event Description:
Unexpected failure during Anti-virus On-Access Scan Engine initialization. The AvRtlInitializeAnalyzer
API failed unrecoverably (Error Status was 1).

This may be because a needed image file is missing
or corrupt.
The Panda Anti-virus Service failed to initialize properly.

Event Record #/Type71 / Error
Event Submitted/Written: 12/22/2007 10:25:00 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16574, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type64 / Warning
Event Submitted/Written: 12/21/2007 10:05:17 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

 

—Security Event Log—————————————————————————————

No Errors/Warnings found.

—System Event Log——————————————————————————————

Event Record #/Type1807 / Error
Event Submitted/Written: 12/30/2007 08:12:06 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “X” attempting to start the service IISADMIN with arguments “”
in order to run the server:
{A9E69610-B80D-11D0-B9B9-00A0C922E750}

Event Record #/Type1804 / Error
Event Submitted/Written: 12/30/2007 07:51:52 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “X” attempting to start the service IISADMIN with arguments “”
in order to run the server:
{A9E69610-B80D-11D0-B9B9-00A0C922E750}

Event Record #/Type1786 / Error
Event Submitted/Written: 12/30/2007 07:51:21 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
X

Event Record #/Type1777 / Error
Event Submitted/Written: 12/30/2007 07:20:49 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error “X” attempting to start the service IISADMIN with arguments “”
in order to run the server:
{A9E69610-B80D-11D0-B9B9-00A0C922E750}

Event Record #/Type1759 / Error
Event Submitted/Written: 12/30/2007 07:20:17 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
X

 

—End of Deckard’s System Scanner: finished at 2007-12-30 08:13:15——————

Nå, det ser desværre ud til at infektionen også forhindrer DSS i at køre ordentligt. Combofix og DSS bruger mange af de samme metoder, så måske vi skulle prøve et helt alternativt scannings-program:

Hent Oldtimer’s WinPFind3 herfra:
http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe

Dobbeltklik på WinPFind3u, som du hentede, og klik på Extract. Så udpakkes programmet i en særskilt mappe. Gå ind i denne mappe, og dobbeltklik på WinPFind3U.exe. I venstre side skal du sætte flueben og prikker på følgende måde:

Processes: Non-Microsoft
Win32 Services: Non-Microsoft
Driver Services: Non-Microsoft
Registry:  Non-Microsoft
Files Created Within: 30 Days, Non-Microsoft Only
Files Modified Within: 30 Days, Non-Microsoft Only
File String Search: Non-Microsoft

I Højre side skal du i første omgang ikke vælge noget.

Klik herefter på “Run Scan”. Efter noget tid vil der dukke en logfil op, som du gerne må paste herind. Muligvis vil loggen være så lang, at den ikke kan være i en enkelt post. Så må du lægge den ind i flere dele.

Den driver der hedder phylock er kendt, og en del af Image For Windows (http://www.terabyteunlimited.com)

WinPFind3 logfile created on: 2007-12-31 04:17:56
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\spywarefri\winpfind3u\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.11)

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 458.29 Gb Free Space | 98.40% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: SINGULARITY
Current User Name: nek
Logged in as Administrator.
Current Boot Mode: Normal

[Processes - Non-Microsoft Only]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 10:25:42 | Attr =  ]
winpfind3u.exe -> %SystemDrive%\spywarefri\winpfind3u\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 2007-11-21 09:19:46 | Attr =  ]

[Win32 Services - Non-Microsoft Only]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 2007-05-30 13:31:10 | Attr =  ]
(CVPND) Cisco Systems, Inc. VPN Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Cisco Systems\VPN Client\cvpnd.exe -> Cisco Systems, Inc. [Ver = 5.0.00.0340 | Size = 1516584 bytes | Modified Date = 2007-04-03 15:18:08 | Attr =  ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2004-08-03 23:56:50 | Attr =  ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 2005-04-04 00:41:10 | Attr =  ]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] ->  -> File not found
(PAVFNSVR) Panda Function Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe -> Panda Software International [Ver = 6.04.08.00 | Size = 151552 bytes | Modified Date = 2006-10-10 19:46:08 | Attr =  ]
(PavPrSrv) Panda Process Protection Service [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Panda Software\PavShld\PavPrSrv.exe -> Panda Software [Ver = 1.3.0.0 | Size = 32768 bytes | Modified Date = 2005-07-25 08:02:22 | Attr =  ]
(PAVSRV) Panda anti-virus service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PAVSRV51.EXE -> Panda Software International [Ver = 2, 0, 1840, 24 | Size = 151552 bytes | Modified Date = 2006-07-04 19:11:52 | Attr =  ]
(PNMSRV) Panda Network Manager [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\panda software\panda titanium 2006 antivirus + antispyware\FIREWALL\PNmSrv.exe -> Panda Software [Ver = 2, 0, 4, 67 | Size = 671744 bytes | Modified Date = 2006-04-03 16:02:34 | Attr =  ]
(PSIMSVC) Panda IManager Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe -> Panda Software [Ver = 2, 6, 1, 120 | Size = 98304 bytes | Modified Date = 2006-01-17 13:57:28 | Attr =  ]
(rpcapd) Remote Packet Capture Protocol v.0 (experimental) [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\WinPcap\rpcapd.exe -> CACE Technologies [Ver = 3, 1, 0, 27 | Size = 86016 bytes | Modified Date = 2005-08-02 22:18:50 | Attr =  ]
(TPSrv) Panda TPSrv [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe -> Panda Software [Ver = 7, 0, 0, 0 | Size = 286720 bytes | Modified Date = 2006-02-16 14:00:52 | Attr =  ]
(VMAuthdService) VMware Authorization Service [Win32_Own | Disabled | Stopped] -> %ProgramFiles%\VMware\VMware Player\vmware-authd.exe -> VMware, Inc. [Ver = 6.0.2 build-59824 | Size = 109104 bytes | Modified Date = 2007-10-08 09:21:50 | Attr =  ]
(VMnetDHCP) VMware DHCP Service [Win32_Own | Disabled | Stopped] -> %System32%\vmnetdhcp.exe -> VMware, Inc. [Ver = 6.0.2 build-59824 | Size = 121392 bytes | Modified Date = 2007-10-08 09:22:10 | Attr =  ]
(vmount2) VMware Virtual Mount Manager Extended [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\VMware\VMware Virtual Image Editing\vmount2.exe -> VMware, Inc. [Ver = 1.5.2 build-42958 | Size = 269104 bytes | Modified Date = 2007-03-23 10:02:52 | Attr =  ]
(VMware NAT Service) VMware NAT Service [Win32_Own | Disabled | Stopped] -> %System32%\vmnat.exe -> VMware, Inc. [Ver = 6.0.2 build-59824 | Size = 150064 bytes | Modified Date = 2007-10-08 09:22:10 | Attr =  ]

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] ->  -> File not found
(abp480n5) abp480n5 [Kernel | Disabled | Stopped] ->  -> File not found
(adpu160m) adpu160m [Kernel | Disabled | Stopped] ->  -> File not found
(aeaudio) aeaudio [Kernel | On_Demand | Running] -> %System32%\drivers\aeaudio.sys -> Andrea Electronics Corporation [Ver = 3.0.2.32 | Size = 100224 bytes | Modified Date = 2006-10-11 18:51:00 | Attr =  ]
(Aha154x) Aha154x [Kernel | Disabled | Stopped] ->  -> File not found
(aic78u2) aic78u2 [Kernel | Disabled | Stopped] ->  -> File not found
(aic78xx) aic78xx [Kernel | Disabled | Stopped] ->  -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] ->  -> File not found
(amsint) amsint [Kernel | Disabled | Stopped] ->  -> File not found
(APPFLT) App Filter Plugin [Kernel | System | Running] -> %System32%\drivers\APPFLT.SYS -> Panda Software [Ver = 0.04.7.0 | Size = 44928 bytes | Modified Date = 2006-03-01 17:44:20 | Attr =  ]
(AR5211) Atheros Wireless Network Adapter Service [Kernel | On_Demand | Stopped] -> %System32%\drivers\ar5211.sys -> WildPackets, Inc. and Atheros Communications, Inc. [Ver = 4.2.2.9 | Size = 583915 bytes | Modified Date = 2007-07-30 12:19:26 | Attr =  ]
(asc) asc [Kernel | Disabled | Stopped] ->  -> File not found
(asc3350p) asc3350p [Kernel | Disabled | Stopped] ->  -> File not found
(asc3550) asc3550 [Kernel | Disabled | Stopped] ->  -> File not found
(Atdisk) Atdisk [Kernel | Disabled | Stopped] ->  -> File not found
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %System32%\drivers\ati2mtag.sys -> ATI Technologies Inc. [Ver = 6.14.10.6462 | Size = 701440 bytes | Modified Date = 2004-08-03 21:29:28 | Attr =  ]
(AvFlt) Antivirus Filter Driver [File_System | On_Demand | Stopped] -> %System32%\drivers\av5flt.sys -> File not found
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys ->  [Ver =  | Size = 11000 bytes | Modified Date = 2007-05-30 13:10:42 | Attr =  ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 2007-05-30 13:10:42 | Attr =  ]
(bb-run) Promise driver accelerator [Kernel | Boot | Running] -> %System32%\drivers\bb-run.sys -> Promise Technology, Inc. [Ver =  1.0.1.2 built by: WinDDK | Size = 17408 bytes | Modified Date = 2003-11-05 09:45:12 | Attr =  ]
(BCORETH5) BCORETH5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %System32%\bcoreth5.sys -> BridgeCo AG, Switzerland [Ver = 5.03.16.56 | Size = 15970 bytes | Modified Date = 2003-12-10 09:40:42 | Attr =  ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\nek\LOCALS~1\Temp\catchme.sys -> File not found
(cd20xrnt) cd20xrnt [Kernel | Disabled | Stopped] ->  -> File not found
(Changer) Changer [Kernel | System | Stopped] ->  -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] ->  -> File not found
(cpoint) Panda CPoint Driver [Kernel | Auto | Running] -> %System32%\drivers\cpoint.sys -> Panda Software [Ver = 1, 2, 0, 2 | Size = 16640 bytes | Modified Date = 2005-08-12 13:36:56 | Attr =  ]
(Cpqarray) Cpqarray [Kernel | Disabled | Stopped] ->  -> File not found
(CVirtA) Cisco Systems VPN Adapter [Kernel | On_Demand | Stopped] -> %System32%\drivers\CVirtA.sys -> Cisco Systems, Inc. [Ver = 5.0.0.1 | Size = 5275 bytes | Modified Date = 2007-01-18 13:28:02 | Attr =  ]
(CVPNDRVA) Cisco Systems Inc. IPSec Driver [Kernel | Auto | Running] -> %System32%\drivers\CVPNDRVA.sys -> Cisco Systems, Inc. [Ver = 5.0.00.0340 | Size = 306295 bytes | Modified Date = 2007-04-03 15:17:08 | Attr =  ]
(d347bus) d347bus [Kernel | Boot | Running] -> %System32%\drivers\d347bus.sys ->  [Ver = 3.47.0.0 built by: WinDDK | Size = 155136 bytes | Modified Date = 2004-08-22 15:31:10 | Attr =  ]
(d347prt) d347prt [Kernel | Boot | Running] -> %System32%\drivers\d347prt.sys ->  [Ver = 3.47.0.0 built by: WinDDK | Size = 5248 bytes | Modified Date = 2004-08-22 15:31:48 | Attr =  ]
(dac960nt) dac960nt [Kernel | Disabled | Stopped] ->  -> File not found
(DgiVecp) Team MFP Comm Driver [Kernel | Auto | Running] -> %System32%\drivers\DGIVECP.SYS -> DeviceGuys, Inc. [Ver = 1.0.0.29 | Size = 40448 bytes | Modified Date = 2003-07-29 08:57:20 | Attr =  ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 2004-08-03 22:07:18 | Attr =  ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 2004-08-03 22:07:18 | Attr =  ]
(dmload) dmload [Kernel | Boot | Running] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 2003-03-31 13:00:00 | Attr =  ]
(DNE) Deterministic Network Enhancer Miniport [Kernel | On_Demand | Running] -> %System32%\drivers\dne2000.sys -> Deterministic Networks, Inc. [Ver = 3.20.5.16093 | Size = 127376 bytes | Modified Date = 2007-01-31 12:45:06 | Attr =  ]
(DontGo) Promise Removable Disk Control Driver [Kernel | Boot | Running] -> %System32%\drivers\DontGo.sys -> Promise Technology, Inc. [Ver =  1.0.0.3 built by: WinDDK | Size = 7680 bytes | Modified Date = 2004-06-29 15:25:26 | Attr =  ]
(dpti2o) dpti2o [Kernel | Disabled | Stopped] ->  -> File not found
(DSAFLT) DSA Filter Plugin [Kernel | System | Running] -> %System32%\drivers\dsaflt.sys -> Panda Software [Ver = 1, 2, 0, 63 | Size = 30208 bytes | Modified Date = 2006-04-20 08:09:50 | Attr =  ]
(EL2000) 3Com 3C2000x EtherLink XL Adapter [Kernel | On_Demand | Running] -> %System32%\drivers\EL2K_XP.sys -> 3Com Corporation [Ver = 1.00.00.0046 built by: WinDDK | Size = 147328 bytes | Modified Date = 2003-07-17 09:22:10 | Attr =  ]
(FileDisk) FileDisk [Kernel | System | Running] -> %System32%\drivers\filedisk.sys -> Bo Brantén [Ver = 1.0.0.13 | Size = 12928 bytes | Modified Date = 2005-10-16 07:00:00 | Attr =  ]
(FNETMON) NetMon Filter Plugin [Kernel | System | Running] -> %System32%\drivers\fnetmon.sys -> Panda Software [Ver = 0.01.04.01 | Size = 9216 bytes | Modified Date = 2006-02-09 16:18:54 | Attr =  ]
(gmer) gmer [Kernel | On_Demand | Stopped] -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3911 | Size = 70001 bytes | Modified Date = 2007-12-22 22:56:30 | Attr =  ]
(hcmon) VMware hcmon [Kernel | Auto | Running] -> %System32%\drivers\hcmon.sys -> VMware, Inc. [Ver = 6.0.2 | Size = 34864 bytes | Modified Date = 2007-10-08 09:22:48 | Attr =  ]
(hpn) hpn [Kernel | Disabled | Stopped] ->  -> File not found
(i2omgmt) i2omgmt [Kernel | System | Stopped] ->  -> File not found
(i2omp) i2omp [Kernel | Disabled | Stopped] ->  -> File not found
(IDSFLT) Ids Filter Plugin [Kernel | System | Running] -> %System32%\drivers\idsflt.sys -> Panda Software [Ver = 1, 2, 0, 72 | Size = 178944 bytes | Modified Date = 2006-04-06 11:49:10 | Attr =  ]
(ini910u) ini910u [Kernel | Disabled | Stopped] ->  -> File not found
(IntelIde) IntelIde [Kernel | Disabled | Stopped] ->  -> File not found
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] ->  -> File not found
(mraid35x) mraid35x [Kernel | Disabled | Stopped] ->  -> File not found
(netflt) Panda Net Driver [NDIS Layer] [Kernel | Boot | Running] -> %System32%\drivers\netflt.sys -> Panda Software [Ver = 1, 2, 0, 67 | Size = 115968 bytes | Modified Date = 2006-03-24 12:55:52 | Attr =  ]
(NETFLTDI) Panda Net Driver [TDI Layer] [Kernel | System | Running] -> %System32%\drivers\netfltdi.sys -> Panda Software [Ver = 0.06.4.1 | Size = 36224 bytes | Modified Date = 2006-02-10 08:55:02 | Attr =  ]
(NPF) NetGroup Packet Filter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\npf.sys -> CACE Technologies [Ver = 3, 1, 0, 27 | Size = 32512 bytes | Modified Date = 2005-08-02 22:10:14 | Attr =  ]
(PAVDRV) PAVDRV [File_System | Auto | Running] -> %System32%\drivers\pavdrv51.sys -> Panda Software [Ver = 5.1.2600.1016 (av05_rtm.050613-1650) | Size = 71424 bytes | Modified Date = 2005-06-13 15:51:40 | Attr =  ]
(PavProc) Panda Process Protection Driver [Kernel | Auto | Running] -> %System32%\drivers\PavProc.sys -> Panda Software [Ver = 1.1.1.1 | Size = 163856 bytes | Modified Date = 2004-01-08 07:54:32 | Attr =  ]
(PavSRK.sys) PavSRK.sys [Kernel | On_Demand | Stopped] -> %System32%\PavSRK.sys -> File not found
(PCIDump) PCIDump [Kernel | System | Stopped] ->  -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] ->  -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] ->  -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] ->  -> File not found
(perc2) perc2 [Kernel | Disabled | Stopped] ->  -> File not found
(perc2hib) perc2hib [Kernel | Disabled | Stopped] ->  -> File not found
(phylock) phylock [Kernel | Boot | Running] -> %System32%\drivers\phylock.sys -> TeraByte, Inc. [Ver = 2, 0, 1, 1 | Size = 11904 bytes | Modified Date = 2006-06-01 14:27:10 | Attr =  ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 2003-03-31 13:00:00 | Attr =  ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\PxHelp20.sys -> Sonic Solutions [Ver = 3.00.33a | Size = 36528 bytes | Modified Date = 2006-08-25 04:47:00 | Attr =  ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] ->  -> File not found
(Ql10wnt) Ql10wnt [Kernel | Disabled | Stopped] ->  -> File not found
(ql12160) ql12160 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1240) ql1240 [Kernel | Disabled | Stopped] ->  -> File not found
(ql1280) ql1280 [Kernel | Disabled | Stopped] ->  -> File not found
(RTLWUSB) Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter [Kernel | On_Demand | Stopped] -> %System32%\drivers\RTL8187.sys -> Realtek Semiconductor Corporation                   [Ver = 5.1233.0623.2006 built by: WinDDK | Size = 180608 bytes | Modified Date = 2006-06-23 10:54:06 | Attr = R ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 2007-11-13 11:25:54 | Attr =  ]
(ShldDrv) Panda File Shield Driver [Kernel | System | Running] -> %System32%\drivers\ShldDrv.sys -> Panda Software [Ver = 1.3.6.0 | Size = 26752 bytes | Modified Date = 2005-08-29 13:23:30 | Attr =  ]
(Simbad) Simbad [Kernel | Disabled | Stopped] ->  -> File not found
(SMSFLT) SMS Filter Plugin [Kernel | System | Running] -> %System32%\drivers\smsflt.sys -> Panda Software [Ver = 1, 2, 0, 60 | Size = 17536 bytes | Modified Date = 2005-12-12 11:17:14 | Attr =  ]
(smwdm) smwdm [Kernel | On_Demand | Running] -> %System32%\drivers\smwdm.sys -> Analog Devices, Inc. [Ver = 5.12.01.3630 | Size = 578304 bytes | Modified Date = 2006-10-11 18:51:00 | Attr =  ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] ->  -> File not found
(symc810) symc810 [Kernel | Disabled | Stopped] ->  -> File not found
(symc8xx) symc8xx [Kernel | Disabled | Stopped] ->  -> File not found
(sym_hi) sym_hi [Kernel | Disabled | Stopped] ->  -> File not found
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] ->  -> File not found
(TosIde) TosIde [Kernel | Disabled | Stopped] ->  -> File not found
(ulsata2) ulsata2 [Kernel | Boot | Running] -> %System32%\drivers\ulsata2.sys -> Promise Technology, Inc. [Ver =  1.00.0.31 | Size = 125440 bytes | Modified Date = 2004-12-13 12:28:04 | Attr =  ]
(ultra) ultra [Kernel | Disabled | Stopped] ->  -> File not found
(ViaIde) ViaIde [Kernel | Disabled | Stopped] ->  -> File not found
(vmkbd) VMware kbd [Kernel | On_Demand | Running] -> %System32%\drivers\VMkbd.sys -> VMware, Inc. [Ver = 1.0.0.1 | Size = 20912 bytes | Modified Date = 2007-10-08 09:22:46 | Attr =  ]
(VMnetAdapter) VMware Virtual Ethernet Adapter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\vmnetadapter.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 16816 bytes | Modified Date = 2007-10-08 08:31:30 | Attr = R ]
(VMnetBridge) VMware Bridge Protocol [Kernel | Auto | Running] -> %System32%\drivers\vmnetbridge.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 28592 bytes | Modified Date = 2007-10-08 08:31:30 | Attr = R ]
(VMnetuserif) VMware Network Application Interface [Kernel | Auto | Running] -> %System32%\drivers\vmnetuserif.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 25008 bytes | Modified Date = 2007-10-08 09:22:46 | Attr =  ]
(VMparport) VMware VMparport [Kernel | Auto | Running] -> %System32%\drivers\VMparport.sys -> VMware, Inc. [Ver = 6.0.2 | Size = 15920 bytes | Modified Date = 2007-10-08 09:22:16 | Attr =  ]
(vmusb) VMware USB Client Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\vmusb.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 30768 bytes | Modified Date = 2007-08-21 19:25:50 | Attr = R ]
(vmx86) VMware vmx86 [Kernel | Auto | Running] -> %System32%\drivers\vmx86.sys -> VMware, Inc. [Ver = 6.0.2 | Size = 924976 bytes | Modified Date = 2007-10-08 09:22:48 | Attr =  ]
(vsdatant) vsdatant [Kernel | On_Demand | Stopped] -> %System32%\vsdatant.sys -> Zone Labs LLC [Ver = 5.5.062.011 | Size = 280344 bytes | Modified Date = 2005-01-26 07:22:20 | Attr =  ]
(vstor2) Vstor2 Virtual Storage Driver [Kernel | Auto | Running] -> %CommonProgramFiles%\VMware\VMware Virtual Image Editing\vstor2.sys -> VMware, Inc. [Ver = 1.5.2 build-42958 | Size = 18480 bytes | Modified Date = 2007-03-23 10:03:00 | Attr =  ]
(WDICA) WDICA [Kernel | On_Demand | Stopped] ->  -> File not found
(WNMFLT) Wifi Monitor Filter Plugin [Kernel | System | Running] -> %System32%\drivers\wnmflt.sys -> Panda Software [Ver = 1, 2, 0, 63 | Size = 11264 bytes | Modified Date = 2006-02-09 09:19:42 | Attr =  ]
(ZSMC301b) Vimicro USB PC Camera (VC0301PL) [Kernel | On_Demand | Stopped] -> %System32%\drivers\usbVM31b.sys -> VM [Ver = 3, 6, 403, 7 | Size = 195299 bytes | Modified Date = 2006-05-24 12:39:00 | Attr =  ]
(ZZZMPR5) ZZZMPR5 NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %System32%\ZZZMPR5.SYS -> File not found

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 2007-06-11 10:25:42 | Attr =  ]
DAEMON Tools-1033 -> rem “%ProgramFiles%\D-Tools\daemon.exe -> File not found
Dit -> rem Dit.exe -> File not found
domino -> rem %SystemRoot%\domino.exe -> File not found
NeroFilterCheck -> rem %System32%\NeroCheck.exe -> File not found
Opware15 -> rem “%ProgramFiles%\ScanSoft\OmniPage15.0\Opware15.exe -> File not found
PtiuPbmd -> %System32%\ulutil2.dll [rem Rundll32.exe ulutil2.dll,SetWriteBack] -> Promise Technology,Inc. [Ver = 1, 0, 0, 16 | Size = 110592 bytes | Modified Date = 2003-11-05 19:06:14 | Attr =  ]
SSBkgdUpdate -> rem “%CommonProgramFiles%\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -> File not found
VMSnap1 -> rem %SystemRoot%\VMSnap1.exe -> File not found
VMware hqtray -> rem “%ProgramFiles%\VMware\VMware Player\hqtray.exe -> File not found
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 2007-05-30 13:29:58 | Attr =  ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
avldr -> %System32%\avldr.dll -> Panda Software [Ver = 2, 0, 1840, 1 | Size = 45056 bytes | Modified Date = 2005-09-27 11:13:48 | Attr =  ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1     localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.google.dk/ ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
www_adobe.com [http] ->  ->
yoda_digieyez.dk [http] ->  ->
yoda_digieyez.dk [https] ->  ->
digizuite.dk [http] ->  ->
update_microsoft.com [http] ->  ->
v4.windowsupdate_microsoft.com [http] ->  ->
webmail_nekn.dk [http] ->  ->
sputnik_tv2.dk [http] ->  ->
< BHO’s > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 2006-12-18 03:16:42 | Attr =  ]
{7559B76E-0222-4d77-9499-CCE9EB4EDC2F} [HKLM] -> %ProgramFiles%\AllStar\AdShield\AdShield.dll [AdShield.AdShield] -> AdShield, LLC [Ver = 3, 0, 9, 0 | Size = 208896 bytes | Modified Date = 2004-10-12 18:16:12 | Attr =  ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
{492B6DFB-F0D6-45B6-9AF0-6AD521006906} [HKLM] -> %ProgramFiles%\AllStar\AdShield\AdShield.dll [AdShield.ExBar] -> AdShield, LLC [Ver = 3, 0, 9, 0 | Size = 208896 bytes | Modified Date = 2004-10-12 18:16:12 | Attr =  ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{85d1f590-48f4-11d9-9669-0800200c9a66} [HKLM] -> Reg Data - Key not found [MenuText: Uninstall BitDefender Online Scanner v8] -> File not found
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
&Maintain; Block List… -> %ProgramFiles%\AllStar\AdShield\Maintain.htm ->  [Ver =  | Size = 192 bytes | Modified Date = 2003-02-25 18:10:26 | Attr =  ]
Add to &Block; List… -> %ProgramFiles%\AllStar\AdShield\Suppress.htm ->  [Ver =  | Size = 193 bytes | Modified Date = 2003-02-25 18:10:54 | Attr =  ]
Add to &Exclude; List… -> %ProgramFiles%\AllStar\AdShield\Restrict.htm ->  [Ver =  | Size = 192 bytes | Modified Date = 2003-02-25 18:10:34 | Attr =  ]
AdShield Option &Settings;... -> %ProgramFiles%\AllStar\AdShield\Settings.htm ->  [Ver =  | Size = 340 bytes | Modified Date = 2003-02-25 18:10:48 | Attr =  ]
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{0D0912CE-FCB1-40F4-9B6B-2CE6FCBA41A0} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{12E79EE4-B7FC-436A-89C9-A4D9720DEE4C} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{243DAF8C-4254-49BB-8B1B-95924A27AA60} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{2BBFD5A3-E6C9-42FF-8EFB-D5626E400B3A} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{4B43B3E3-274F-4B63-BD77-A09DA80BA041} ->  () ->
{73B84C7F-C557-4882-AEB9-4C8EEDFE3D1A} ->  (Atheros Wireless Network Adapter) ->
{86A17925-D962-4A34-8AE7-23C8C8A306B4} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{93BF88A4-34FB-498D-A588-85A18BFB9969} ->  () ->
{B05EA3A5-C006-4EBA-9955-264DAF5CC7A7} ->  () ->
{B19A3F49-3CEE-4D59-8CFE-ACBAE6CD7831} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{B1A12E36-1427-4D46-A1C4-7D97903C6F35} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{B370D650-2491-48F3-B7B2-9D2783A47D0F} ->  (3Com Gigabit LOM (3C940)) ->
{BF0CA7F2-3568-49B3-A16F-1126A6777BE4} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{C535B528-384A-4657-BE79-F2C5914068A3} ->  () ->
{C9C4B3E3-6AD5-4240-A5F4-5E9A88C0968B} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{F31B9421-6DA9-4F3F-A5D9-F5A6C5FF7C7A} ->  (Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter) ->
{F7A4556E-AF2E-49A9-BB02-F7201A58BDB2} ->  () ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
Protocol_Catalog9\Catalog_Entries\000000000001 -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PAVLSP.DLL -> Panda Software International [Ver = 6, 3, 16, 51 | Size = 167936 bytes | Modified Date = 2006-04-10 13:01:38 | Attr =  ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PAVLSP.DLL -> Panda Software International [Ver = 6, 3, 16, 51 | Size = 167936 bytes | Modified Date = 2006-04-10 13:01:38 | Attr =  ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PAVLSP.DLL -> Panda Software International [Ver = 6, 3, 16, 51 | Size = 167936 bytes | Modified Date = 2006-04-10 13:01:38 | Attr =  ]
Protocol_Catalog9\Catalog_Entries\000000000047 -> %ProgramFiles%\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PAVLSP.DLL -> Panda Software International [Ver = 6, 3, 16, 51 | Size = 167936 bytes | Modified Date = 2006-04-10 13:01:38 | Attr =  ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ->  - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab ->
{D216644A-C6DB-49D9-BBCF-D38FE7991BF2} -> Util Class - CodeBase = https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->

[Files/Folders - Created Within 30 days]
app.reg -> %SystemDrive%\app.reg ->  [Ver =  | Size = 780 bytes | Created Date = 2007-12-30 00:17:48 | Attr =  ]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 2007-12-30 01:18:57 | Attr =  ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 2007-12-30 08:11:35 | Attr =  ]
hkcu_nek.reg -> %SystemDrive%\hkcu_nek.reg ->  [Ver =  | Size = 13254670 bytes | Created Date = 2007-12-30 08:38:49 | Attr =  ]
msg.bmp -> %SystemDrive%\msg.bmp ->  [Ver =  | Size = 1536054 bytes | Created Date = 2007-12-30 01:33:37 | Attr =  ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 2007-12-30 01:19:03 | Attr =  ]
QooBox.rar -> %SystemDrive%\QooBox.rar ->  [Ver =  | Size = 236901 bytes | Created Date = 2007-12-30 01:18:43 | Attr =  ]
res.rtf -> %SystemDrive%\res.rtf ->  [Ver =  | Size = 31797 bytes | Created Date = 2007-12-30 01:34:39 | Attr =  ]
spywarefri -> %SystemDrive%\spywarefri ->  [Folder | Created Date = 2007-12-23 12:28:39 | Attr =  ]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Created Date = 2007-12-29 01:17:19 | Attr =  ]
CDER285EXPORT.ini -> %SystemRoot%\CDER285EXPORT.ini ->  [Ver =  | Size = 26 bytes | Created Date = 2007-12-20 01:21:27 | Attr =  ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Created Date = 2007-12-29 11:23:41 | Attr =  ]
gmer.bat -> %SystemRoot%\gmer.bat ->  [Ver =  | Size = 867 bytes | Created Date = 2007-12-22 23:00:32 | Attr =  ]
gmer.dll -> %SystemRoot%\gmer.dll ->  [Ver = 1, 0, 13, 12551 | Size = 585791 bytes | Created Date = 2007-12-22 22:56:29 | Attr =  ]
gmer.exe -> %SystemRoot%\gmer.exe ->  [Ver = 1, 0, 13, 12551 | Size = 581632 bytes | Created Date = 2007-12-22 22:56:28 | Attr =  ]
gmer.ini -> %SystemRoot%\gmer.ini ->  [Ver =  | Size = 250 bytes | Created Date = 2007-12-22 22:56:29 | Attr =  ]
gmer.reg -> %SystemRoot%\gmer.reg ->  [Ver =  | Size = 856 bytes | Created Date = 2007-12-22 23:00:32 | Attr =  ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd ->  [Ver =  | Size = 80 bytes | Created Date = 2007-12-22 22:56:29 | Attr =  ]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Created Date = 2007-12-29 11:29:21 | Attr =  ]
EPPICLocal_BP.cfg -> %System32%\EPPICLocal_BP.cfg ->  [Ver =  | Size = 6347 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_CF.cfg -> %System32%\EPPICLocal_CF.cfg ->  [Ver =  | Size = 6195 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_DU.cfg -> %System32%\EPPICLocal_DU.cfg ->  [Ver =  | Size = 6122 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_EN.cfg -> %System32%\EPPICLocal_EN.cfg ->  [Ver =  | Size = 13732 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_ES.cfg -> %System32%\EPPICLocal_ES.cfg ->  [Ver =  | Size = 6103 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_FR.cfg -> %System32%\EPPICLocal_FR.cfg ->  [Ver =  | Size = 6195 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_GE.cfg -> %System32%\EPPICLocal_GE.cfg ->  [Ver =  | Size = 6335 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_IT.cfg -> %System32%\EPPICLocal_IT.cfg ->  [Ver =  | Size = 6442 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_KO.cfg -> %System32%\EPPICLocal_KO.cfg ->  [Ver =  | Size = 5817 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_PT.cfg -> %System32%\EPPICLocal_PT.cfg ->  [Ver =  | Size = 6347 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_RU.cfg -> %System32%\EPPICLocal_RU.cfg ->  [Ver =  | Size = 2889 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_SC.cfg -> %System32%\EPPICLocal_SC.cfg ->  [Ver =  | Size = 5436 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICLocal_TC.cfg -> %System32%\EPPICLocal_TC.cfg ->  [Ver =  | Size = 2426 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPicMgr.dll -> %System32%\EPPicMgr.dll -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 1 | Size = 71840 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICPattern1.dat -> %System32%\EPPICPattern1.dat ->  [Ver =  | Size = 26154 bytes | Created Date = 2007-12-20 01:23:35 | Attr =  ]
EPPICPattern121.dat -> %System32%\EPPICPattern121.dat ->  [Ver =  | Size = 27417 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPattern131.dat -> %System32%\EPPICPattern131.dat ->  [Ver =  | Size = 31053 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPattern2.dat -> %System32%\EPPICPattern2.dat ->  [Ver =  | Size = 20148 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPattern3.dat -> %System32%\EPPICPattern3.dat ->  [Ver =  | Size = 24903 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPattern4.dat -> %System32%\EPPICPattern4.dat ->  [Ver =  | Size = 11811 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPattern5.dat -> %System32%\EPPICPattern5.dat ->  [Ver =  | Size = 21390 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPattern6.dat -> %System32%\EPPICPattern6.dat ->  [Ver =  | Size = 4943 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_BP.dat -> %System32%\EPPICPresetData_BP.dat ->  [Ver =  | Size = 1139 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_CF.dat -> %System32%\EPPICPresetData_CF.dat ->  [Ver =  | Size = 1129 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_DU.dat -> %System32%\EPPICPresetData_DU.dat ->  [Ver =  | Size = 1146 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_EN.dat -> %System32%\EPPICPresetData_EN.dat ->  [Ver =  | Size = 1104 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_ES.dat -> %System32%\EPPICPresetData_ES.dat ->  [Ver =  | Size = 1136 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_FR.dat -> %System32%\EPPICPresetData_FR.dat ->  [Ver =  | Size = 1129 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_GE.dat -> %System32%\EPPICPresetData_GE.dat ->  [Ver =  | Size = 1107 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_IT.dat -> %System32%\EPPICPresetData_IT.dat ->  [Ver =  | Size = 1120 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPresetData_PT.dat -> %System32%\EPPICPresetData_PT.dat ->  [Ver =  | Size = 1139 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EPPICPrinterDB.dat -> %System32%\EPPICPrinterDB.dat ->  [Ver =  | Size = 111932 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
EpPicPrt.dll -> %System32%\EpPicPrt.dll -> SEIKO EPSON CORPORATION [Ver = 1, 1, 0, 1 | Size = 120992 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
E_DCINST.DLL -> %System32%\E_DCINST.DLL -> SEIKO EPSON CORP. [Ver = 1, 0, 0, 5 | Size = 49152 bytes | Created Date = 2007-12-20 01:23:03 | Attr =  ]
E_FD4BCKE.DLL -> %System32%\E_FD4BCKE.DLL -> SEIKO EPSON CORPORATION [Ver = 2, 0, 0, 0 | Size = 62976 bytes | Created Date = 2007-12-20 01:23:02 | Attr =  ]
E_FLBCKE.DLL -> %System32%\E_FLBCKE.DLL -> SEIKO EPSON CORPORATION [Ver = 2, 4, 0, 0 | Size = 76800 bytes | Created Date = 2007-12-20 01:23:02 | Attr =  ]
PICEntry.dll -> %System32%\PICEntry.dll -> SEIKO EPSON CORPORATION [Ver = 3.0.0.2 | Size = 108704 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
PICSDK.dll -> %System32%\PICSDK.dll -> SEIKO EPSON CORPORATION [Ver = 3.0.0.1 | Size = 80024 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
PICSDK.ini -> %System32%\PICSDK.ini ->  [Ver =  | Size = 97 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
PICSDK2.dll -> %System32%\PICSDK2.dll -> SEIKO EPSON CORPORATION [Ver = 3.0.1.3 | Size = 501912 bytes | Created Date = 2007-12-20 01:23:36 | Attr =  ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Created Date = 2007-12-23 14:21:44 | Attr =  ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2007-12-23 14:21:44 | Attr =  ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2007-12-23 14:21:44 | Attr =  ]
VFind.exe -> %System32%\VFind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 2007-12-23 14:21:44 | Attr =  ]
vmnat.exe -> %System32%\vmnat.exe -> VMware, Inc. [Ver = 6.0.2 build-59824 | Size = 150064 bytes | Created Date = 2007-12-17 18:59:50 | Attr =  ]
vmnetdhcp.exe -> %System32%\vmnetdhcp.exe -> VMware, Inc. [Ver = 6.0.2 build-59824 | Size = 121392 bytes | Created Date = 2007-12-17 18:59:52 | Attr =  ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 2007-12-23 12:34:40 | Attr =  ]
gmer.sys -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3911 | Size = 70001 bytes | Created Date = 2007-12-22 22:56:29 | Attr =  ]
vmnet.sys -> %System32%\drivers\vmnet.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 17712 bytes | Created Date = 2007-12-17 18:59:35 | Attr = R ]
vmnetadapter.sys -> %System32%\drivers\vmnetadapter.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 16816 bytes | Created Date = 2007-12-17 18:59:56 | Attr = R ]
vmnetbridge.sys -> %System32%\drivers\vmnetbridge.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 28592 bytes | Created Date = 2007-12-17 18:59:35 | Attr = R ]
vmnetuserif.sys -> %System32%\drivers\vmnetuserif.sys -> VMware, Inc. [Ver = 4.0.1.0 | Size = 25008 bytes | Created Date = 2007-12-17 18:59:49 | Attr =  ]

[Files/Folders - Modified Within 30 days]
app.reg -> %SystemDrive%\app.reg ->  [Ver =  | Size = 780 bytes | Modified Date = 2007-12-30 00:17:34 | Attr =  ]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 2007-12-30 03:52:52 | Attr =  ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 2007-12-30 08:11:36 | Attr =  ]
hkcu_nek.reg -> %SystemDrive%\hkcu_nek.reg ->  [Ver =  | Size = 13254670 bytes | Modified Date = 2007-12-30 08:38:54 | Attr =  ]
msg.bmp -> %SystemDrive%\msg.bmp ->  [Ver =  | Size = 1536054 bytes | Modified Date = 2007-12-30 01:42:50 | Attr =  ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 2007-12-29 19:22:34 | Attr = R ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 2007-12-30 01:21:52 | Attr =  ]
QooBox.rar -> %SystemDrive%\QooBox.rar ->  [Ver =  | Size = 236901 bytes | Modified Date = 2007-12-30 01:18:46 | Attr =  ]
res.rtf -> %SystemDrive%\res.rtf ->  [Ver =  | Size = 31797 bytes | Modified Date = 2007-12-30 01:34:40 | Attr =  ]
spywarefri -> %SystemDrive%\spywarefri ->  [Folder | Modified Date = 2007-12-31 04:17:02 | Attr =  ]
Store -> %SystemDrive%\Store ->  [Folder | Modified Date = 2007-12-30 11:45:56 | Attr =  ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 2007-12-30 11:28:20 | Attr =  HS]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 2007-12-30 08:53:18 | Attr =  ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ ->  [Folder | Modified Date = 2007-12-12 23:26:22 | Attr =  H ]
AppPatch -> %SystemRoot%\AppPatch ->  [Folder | Modified Date = 2007-12-30 00:40:58 | Attr =  ]
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 2007-12-29 19:17:28 | Attr = R S]
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Modified Date = 2007-12-29 01:27:22 | Attr =  ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 2007-12-31 04:13:56 | Attr =  S]
CDER285EXPORT.ini -> %SystemRoot%\CDER285EXPORT.ini ->  [Ver =  | Size = 26 bytes | Modified Date = 2007-12-20 01:21:28 | Attr =  ]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 2007-12-30 00:44:34 | Attr =  HS]
Debug -> %SystemRoot%\Debug ->  [Folder | Modified Date = 2007-12-21 22:43:20 | Attr =  ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 2007-12-30 08:12:36 | Attr =  S]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 2007-12-30 08:12:08 | Attr =  ]
Fonts -> %SystemRoot%\Fonts ->  [Folder | Modified Date = 2007-12-29 04:45:26 | Attr = R S]
gmer.bat -> %SystemRoot%\gmer.bat ->  [Ver =  | Size = 867 bytes | Modified Date = 2007-12-30 00:43:14 | Attr =  ]
gmer.dll -> %SystemRoot%\gmer.dll ->  [Ver = 1, 0, 13, 12551 | Size = 585791 bytes | Modified Date = 2007-12-22 22:56:30 | Attr =  ]
gmer.ini -> %SystemRoot%\gmer.ini ->  [Ver =  | Size = 250 bytes | Modified Date = 2007-12-30 00:46:40 | Attr =  ]
gmer.reg -> %SystemRoot%\gmer.reg ->  [Ver =  | Size = 856 bytes | Modified Date = 2007-12-30 00:46:54 | Attr =  ]
gmer_uninstall.cmd -> %SystemRoot%\gmer_uninstall.cmd ->  [Ver =  | Size = 80 bytes | Modified Date = 2007-12-22 22:56:30 | Attr =  ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 2007-12-29 04:45:08 | Attr =  ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 2007-12-29 01:17:20 | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 2007-12-29 19:18:12 | Attr =  HS]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 2007-12-29 06:56:22 | Attr =  ]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 2007-12-23 12:47:22 | Attr =  ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 116 bytes | Modified Date = 2007-12-29 18:45:22 | Attr =  ]
ODBC.INI -> %SystemRoot%\ODBC.INI ->  [Ver =  | Size = 113 bytes | Modified Date = 2007-12-29 04:31:14 | Attr =  ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 2007-12-30 11:47:20 | Attr =  ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 2007-12-29 02:58:34 | Attr =  ]
security -> %SystemRoot%\security ->  [Folder | Modified Date = 2007-12-30 07:27:40 | Attr =  ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution ->  [Folder | Modified Date = 2007-12-29 00:44:00 | Attr =  ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 2007-12-30 03:52:48 | Attr =  ]
system32 -> %System32% ->  [Folder | Modified Date = 2007-12-30 12:35:18 | Attr =  ]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Modified Date = 2007-12-31 04:16:04 | Attr =  ]
UEDIT32.INI -> %SystemRoot%\UEDIT32.INI ->  [Ver =  | Size = 15693 bytes | Modified Date = 2007-12-30 09:54:44 | Attr =  ]
WinSxS -> %SystemRoot%\WinSxS ->  [Folder | Modified Date = 2007-12-29 19:18:10 | Attr =  ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 2007-12-31 04:14:00 | Attr =  H ]
1033 -> %System32%\1033 ->  [Folder | Modified Date = 2007-12-29 04:46:30 | Attr =  ]
CatRoot -> %System32%\CatRoot ->  [Folder | Modified Date = 2007-12-21 16:12:00 | Attr =  ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 2007-12-30 08:12:36 | Attr =  ]
config -> %System32%\config ->  [Folder | Modified Date = 2007-12-30 08:34:46 | Attr =  ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 2007-12-20 01:23:04 | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 2007-12-30 08:45:40 | Attr =  ]
en-US -> %System32%\en-US ->  [Folder | Modified Date = 2007-12-21 16:10:56 | Attr =  ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT ->  [Ver =  | Size = 103824 bytes | Modified Date = 2007-12-29 11:25:04 | Attr =  ]
inetsrv -> %System32%\inetsrv ->  [Folder | Modified Date = 2007-12-30 08:36:02 | Attr =  ]
perfc009.dat -> %System32%\perfc009.dat ->  [Ver =  | Size = 82414 bytes | Modified Date = 2007-12-29 03:23:32 | Attr =  ]
perfh009.dat -> %System32%\perfh009.dat ->  [Ver =  | Size = 482296 bytes | Modified Date = 2007-12-29 03:23:32 | Attr =  ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI ->  [Ver =  | Size = 620880 bytes | Modified Date = 2007-12-21 16:08:40 | Attr =  ]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 2007-12-30 11:28:20 | Attr =  ]
Setup -> %System32%\Setup ->  [Folder | Modified Date = 2007-12-21 18:44:24 | Attr =  ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Modified Date = 2007-12-13 21:26:52 | Attr =  ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 2007-12-04 01:00:44 | Attr =  ]
wbem -> %System32%\wbem ->  [Folder | Modified Date = 2007-12-29 03:20:30 | Attr =  ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 13646 bytes | Modified Date = 2007-12-31 04:16:00 | Attr =  ]
XPSViewer -> %System32%\XPSViewer ->  [Folder | Modified Date = 2007-12-21 16:10:52 | Attr =  ]
APPFCONT.DAT -> %System32%\drivers\APPFCONT.DAT ->  [Ver =  | Size = 224148 bytes | Modified Date = 2007-12-30 00:45:08 | Attr =  ]
APPFLTR.CFG -> %System32%\drivers\APPFLTR.CFG ->  [Ver =  | Size = 1132 bytes | Modified Date = 2007-12-30 00:45:08 | Attr =  ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 2007-12-29 11:26:46 | Attr =  ]
gmer.sys -> %System32%\drivers\gmer.sys -> GMER [Ver = 1, 0, 12, 3911 | Size = 70001 bytes | Modified Date = 2007-12-22 22:56:30 | Attr =  ]
wnmsav.dat -> %System32%\drivers\wnmsav.dat ->  [Ver =  | Size = 24 bytes | Modified Date = 2007-12-29 23:15:24 | Attr =  ]
DsaFlt.cfg -> %System32%\drivers\etc\DsaFlt.cfg ->  [Ver =  | Size = 4 bytes | Modified Date = 2007-12-30 00:45:08 | Attr =  ]
DsaFlt.rls -> %System32%\drivers\etc\DsaFlt.rls ->  [Ver =  | Size = 260924 bytes | Modified Date = 2007-12-30 00:45:10 | Attr =  ]
IdsFlt.cfg -> %System32%\drivers\etc\IdsFlt.cfg ->  [Ver =  | Size = 200 bytes | Modified Date = 2007-12-30 00:45:10 | Attr =  ]
NetAR.wlt -> %System32%\drivers\etc\NetAR.wlt ->  [Ver =  | Size = 16 bytes | Modified Date = 2007-12-30 00:44:52 | Attr =  ]
NetAV.alt -> %System32%\drivers\etc\NetAV.alt ->  [Ver =  | Size = 604 bytes | Modified Date = 2007-12-30 00:44:40 | Attr =  ]
NetFlt.cfg -> %System32%\drivers\etc\NetFlt.cfg ->  [Ver =  | Size = 12 bytes | Modified Date = 2007-12-30 00:45:10 | Attr =  ]
SmsFlt.cfg -> %System32%\drivers\etc\SmsFlt.cfg ->  [Ver =  | Size = 4 bytes | Modified Date = 2007-12-30 00:45:10 | Attr =  ]
WnmFlt.cfg -> %System32%\drivers\etc\WnmFlt.cfg ->  [Ver =  | Size = 4 bytes | Modified Date = 2007-12-30 00:45:10 | Attr =  ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %SystemRoot%\daemon.dll ->  [Ver = 3.47.0.0 | Size = 69120 bytes | Modified Date = 2004-08-22 16:04:56 | Attr =  ]
@Alternate Data Stream - 26 bytes -> %System32%\a3d.dll:Zone.Identifier ->
Thawte Consulting ,  -> %System32%\CSGina.dll ->  [Ver =  | Size = 193576 bytes | Modified Date = 2007-04-03 15:18:06 | Attr =  ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 2003-03-31 13:00:00 | Attr =  ]
Thawte Consulting ,  -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.35a | Size = 63144 bytes | Modified Date = 2006-08-25 04:47:00 | Attr =  ]
Thawte Consulting ,  -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 67240 bytes | Modified Date = 2006-08-25 04:47:00 | Attr =  ]
Thawte Consulting ,  -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 62632 bytes | Modified Date = 2006-08-25 04:47:00 | Attr =  ]
Thawte Consulting ,  -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 115880 bytes | Modified Date = 2006-08-25 04:47:00 | Attr =  ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.11 | Size = 156160 bytes | Modified Date = 2007-12-13 21:26:52 | Attr =  ]
UPX! , UPX0 ,  -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 2007-12-04 01:00:44 | Attr =  ]
Thawte Consulting ,  -> %System32%\vpnapi.dll ->  [Ver =  | Size = 197672 bytes | Modified Date = 2007-04-03 15:18:26 | Attr =  ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 2003-03-31 13:00:00 | Attr =  ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 2003-03-31 13:00:00 | Attr =  ]
@Alternate Data Stream - 26 bytes -> %System32%\drivers\aeaudio.sys:Zone.Identifier ->
PTech ,  -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 2004-08-03 21:41:38 | Attr =  ]
@Alternate Data Stream - 26 bytes -> %System32%\drivers\smsens.sys:Zone.Identifier ->
@Alternate Data Stream - 26 bytes -> %System32%\drivers\smwdm.sys:Zone.Identifier ->

< End of report >