------------
Logfile of HijackThis v1.99.1
Scan saved at 3:47:39 PM, on 10/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Ewido AS 4.0\guard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\TrojanHunter 4.6\THGuard.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
D:\Downloads\Repair Tools\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lanarchy.org/web2/html/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6BBC4C44-90B8-503B-149A-0151397244E5} - C:\WINNT\system32\jsrbcu.dll (file missing)
O2 - BHO: (no name) - {739C352C-CAF9-D13A-CBC1-034A2F8881B4} - C:\WINNT\system32\fastsz.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINNT\system32\nsd57.dll (file missing)
O2 - BHO: C:\WINNT\system32\251BE0.dll - {855875B5-93F3-429D-FF34-660B206D897C} - C:\WINNT\system32\251BE0.dll (file missing)
O2 - BHO: (no name) - {A78CC8FE-234D-2FC9-4574-5CF077C66B9A} - C:\WINNT\system32\grmwehta.dll (file missing)
O2 - BHO: (no name) - {AC8E0070-7011-4A14-B59E-BDC0A1D27370} - C:\WINNT\system32\sstqr.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINNT\system32\jlsusadg.dll (file missing)
O2 - BHO: (no name) - {F3D091FD-244C-789B-4174-5CF077C66893} - C:\WINNT\system32\nyh.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [np] c:\winnt\system32\upnp.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [Ncuw] "C:\WINNT\system32\ASKS~1\svchost.exe" -vt ndrv
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://usa.kaspersky.com
O15 - Trusted Zone: http://us.mcafee.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinn...gsaw/jigsaw.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinn...d/bejeweled.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...861/mcfscan.cab
O20 - Winlogon Notify: IPConfMSP - C:\WINNT\system32\hr2o05f3e.dll (file missing)
O20 - Winlogon Notify: sstqr - C:\WINNT\system32\sstqr.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\Ewido AS 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe

[10/01/2006, 15:33:22] - VirtumundoBeGone v1.5 ( "D:\Downloads\Repair Tools\VirtumundoBeGone.exe" )
[10/01/2006, 15:33:23] - Detected System Information:
[10/01/2006, 15:33:23] - Windows Version: 5.0.2195, Service Pack 4
[10/01/2006, 15:33:23] - Current Username: Administrator (Admin)
[10/01/2006, 15:33:23] - Windows is in NORMAL mode.
[10/01/2006, 15:33:23] - Searching for Browser Helper Objects:
[10/01/2006, 15:33:23] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/01/2006, 15:33:23] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[10/01/2006, 15:33:23] - BHO 3: {6BBC4C44-90B8-503B-149A-0151397244E5} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\jsrbcu
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\jsrbcu, continuing.
[10/01/2006, 15:33:23] - BHO 4: {739C352C-CAF9-D13A-CBC1-034A2F8881B4} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\fastsz
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\fastsz, continuing.
[10/01/2006, 15:33:23] - BHO 5: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[10/01/2006, 15:33:23] - BHO 6: {855875B5-93F3-429D-FF34-660B206D897C} (C:\WINNT\system32\251BE0.dll)
[10/01/2006, 15:33:23] - BHO 7: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\sstqr
[10/01/2006, 15:33:23] - Found: HKLM\...\Winlogon\Notify\sstqr - This is probably Virtumundo.
[10/01/2006, 15:33:23] - Assigning {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} MSEvents Object
[10/01/2006, 15:33:23] - BHO list has been changed! Starting over...
[10/01/2006, 15:33:23] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/01/2006, 15:33:23] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[10/01/2006, 15:33:23] - BHO 3: {6BBC4C44-90B8-503B-149A-0151397244E5} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\jsrbcu
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\jsrbcu, continuing.
[10/01/2006, 15:33:23] - BHO 4: {739C352C-CAF9-D13A-CBC1-034A2F8881B4} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\fastsz
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\fastsz, continuing.
[10/01/2006, 15:33:23] - BHO 5: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[10/01/2006, 15:33:23] - BHO 6: {855875B5-93F3-429D-FF34-660B206D897C} (C:\WINNT\system32\251BE0.dll)
[10/01/2006, 15:33:23] - BHO 7: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} (MSEvents Object)
[10/01/2006, 15:33:23] - ALERT: Found MSEvents Object!
[10/01/2006, 15:33:23] - BHO 8: {A78CC8FE-234D-2FC9-4574-5CF077C66B9A} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\grmwehta
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\grmwehta, continuing.
[10/01/2006, 15:33:23] - BHO 9: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[10/01/2006, 15:33:23] - BHO 10: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\jlsusadg
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\jlsusadg, continuing.
[10/01/2006, 15:33:23] - BHO 11: {F3D091FD-244C-789B-4174-5CF077C66893} ()
[10/01/2006, 15:33:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:23] - Checking for HKLM\...\Winlogon\Notify\nyh
[10/01/2006, 15:33:23] - Key not found: HKLM\...\Winlogon\Notify\nyh, continuing.
[10/01/2006, 15:33:23] - Finished Searching Browser Helper Objects
[10/01/2006, 15:33:23] - *** Detected MSEvents Object
[10/01/2006, 15:33:23] - Trying to remove MSEvents Object...
[10/01/2006, 15:33:24] - Terminating Process: IEXPLORE.EXE
[10/01/2006, 15:33:24] - Terminating Process: RUNDLL32.EXE
[10/01/2006, 15:33:24] - Disabling Automatic Shell Restart
[10/01/2006, 15:33:24] - Terminating Process: EXPLORER.EXE
[10/01/2006, 15:33:24] - Suspending the NT Session Manager System Service
[10/01/2006, 15:33:25] - Terminating Windows NT Logon/Logoff Manager
[10/01/2006, 15:33:25] - Re-enabling Automatic Shell Restart
[10/01/2006, 15:33:25] - File to disable: C:\WINNT\system32\sstqr.dll
[10/01/2006, 15:33:25] - Renaming C:\WINNT\system32\sstqr.dll -> C:\WINNT\system32\sstqr.dll.vir
[10/01/2006, 15:33:25] - ! File rename was unsucessful.
[10/01/2006, 15:33:25] - Attempting to Deny Access to C:\WINNT\system32\sstqr.dll
[10/01/2006, 15:33:25] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/01/2006, 15:33:25] - processed file: C:\WINNT\system32\sstqr.dll
[10/01/2006, 15:33:25] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/01/2006, 15:33:25] - Removing HKLM\...\Browser Helper Objects\{8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC}
[10/01/2006, 15:33:25] - Removing HKCR\CLSID\{8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC}
[10/01/2006, 15:33:25] - Adding Kill Bit for ActiveX for GUID: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC}
[10/01/2006, 15:33:26] - Deleting ATLEvents/MSEvents Registry entries
[10/01/2006, 15:33:26] - Removing HKLM\...\Winlogon\Notify\sstqr
[10/01/2006, 15:33:26] - Searching for Browser Helper Objects:
[10/01/2006, 15:33:26] - BHO 1: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/01/2006, 15:33:26] - BHO 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} (PCTools Site Guard)
[10/01/2006, 15:33:26] - BHO 3: {6BBC4C44-90B8-503B-149A-0151397244E5} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\jsrbcu
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\jsrbcu, continuing.
[10/01/2006, 15:33:26] - BHO 4: {739C352C-CAF9-D13A-CBC1-034A2F8881B4} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\fastsz
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\fastsz, continuing.
[10/01/2006, 15:33:26] - BHO 5: {746455FE-D059-47e7-AF0E-140E03F5A447} (SSL encrypt)
[10/01/2006, 15:33:26] - BHO 6: {855875B5-93F3-429D-FF34-660B206D897C} (C:\WINNT\system32\251BE0.dll)
[10/01/2006, 15:33:26] - BHO 7: {8DDB60B7-F83B-4CC5-84A8-DC63F2CB51AC} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\sstqr
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\sstqr, continuing.
[10/01/2006, 15:33:26] - BHO 8: {A78CC8FE-234D-2FC9-4574-5CF077C66B9A} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\grmwehta
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\grmwehta, continuing.
[10/01/2006, 15:33:26] - BHO 9: {B56A7D7D-6927-48C8-A975-17DF180C71AC} (PCTools Browser Monitor)
[10/01/2006, 15:33:26] - BHO 10: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\jlsusadg
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\jlsusadg, continuing.
[10/01/2006, 15:33:26] - BHO 11: {F3D091FD-244C-789B-4174-5CF077C66893} ()
[10/01/2006, 15:33:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/01/2006, 15:33:26] - Checking for HKLM\...\Winlogon\Notify\nyh
[10/01/2006, 15:33:26] - Key not found: HKLM\...\Winlogon\Notify\nyh, continuing.
[10/01/2006, 15:33:26] - Finished Searching Browser Helper Objects
[10/01/2006, 15:33:26] - Finishing up...
[10/01/2006, 15:33:26] - A restart is needed.
[10/01/2006, 15:33:27] - Attempting to Restart via STOP error (Blue Screen!)

Scan Results:
scan start: 10/1/2006 4:35:20 PM
scan stop: 10/1/2006 5:17:30 PM
scanned items: 51719
found items: 124
found and ignored: 0
tools used: General Scanner, Process Scanner, Registry Scanner, Startup Scanner, Browser Scanner, Browser Activity Scanner, LSP Scanner, Disk Scanner, ActiveX Scanner
Infection Name Location Risk
Common Components Unrelated C:\Documents and Settings\All Users\Documents\Settings\desktop.ini Medium
MediaTickets C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe Elevated
MediaTickets C:\Program Files\Common Files\Yazzle1438OinUninstaller.exe Elevated
MediaTickets C:\Program Files\Common Files\Yazzle1440OinUninstaller.exe Elevated
MediaTickets C:\Program Files\Common Files\Yazzle1452OinUninstaller.exe Elevated
I-Search Desktop Search Toolbar C:\WINNT\RFBzeDc\lI1WyGw.vbs Elevated
Virtumonde C:\WINNT\system32\sstqr.dll Elevated
Virtumonde Explorer.EXE (C:\WINNT\system32\sstqr.dll) Elevated
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C} High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}## High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}##ThreadingModel High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32 High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32## High
Backdoor.Agent.CFC HKCR\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32##ThreadingModel High
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370} Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}## Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32 Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32## Elevated
Virtumonde HKCR\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32##ThreadingModel Elevated
Maxifiles HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run##{78BEFE2C-08A3-1033-0727-050606050001} High
PurityScan HKCU\Software\PSCloner High
PurityScan HKCU\Software\PSCloner## High
Common Components for Trojans HKCU\Software\unker Medium
Common Components for Trojans HKCU\Software\unker## Medium
Common Components for Trojans HKCU\Software\unker\upnp Medium
Common Components for Trojans HKCU\Software\unker\upnp## Medium
Common Components for Trojans HKCU\Software\unker\upnp\main Medium
Common Components for Trojans HKCU\Software\unker\upnp\main## Medium
Common Components for Trojans HKCU\Software\unker\upnp\main##cid Medium
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C} High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}## High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}##ThreadingModel High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32 High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32## High
Backdoor.Agent.CFC HKLM\Software\Classes\CLSID\{855875B5-93F3-429D-FF34-660B206D897C}\InProcServer32##ThreadingModel High
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370} Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32 Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32## Elevated
Virtumonde HKLM\Software\Classes\CLSID\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}\InprocServer32##ThreadingModel Elevated
Virtumonde HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\sstqr##DllName Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC8E0070-7011-4A14-B59E-BDC0A1D27370} Elevated
Virtumonde HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AC8E0070-7011-4A14-B59E-BDC0A1D27370}## Elevated
Trojan.Downloader.Small.DNQ HKLM\Software\Microsoft\Windows\CurrentVersion\Run##np High
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1438Oin##UninstallString Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1440Oin##UninstallString Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin## Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin##ntdll.dll Elevated
MediaTickets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1452Oin##UninstallString Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE##NextInstance Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000 Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000## Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Class Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ClassGUID Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##ConfigFlags Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##DeviceDesc Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Legacy Elevated
I-Search Desktop Search Toolbar HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000##Service Elevated
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR##NextInstance High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000 High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000## High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Class High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ClassGUID High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##ConfigFlags High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##DeviceDesc High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Legacy High
Network Monitor HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000##Service High
Virtumonde IEXPLORE.EXE (C:\WINNT\system32\sstqr.dll) Elevated
Common Components for Trojans multiple Medium