Originally Posted by ZPR
Edit: I found it, it was hiding under Classes\U29G08004 with the name of AD0, N0AD0, U29G08004 searching for 4D,5A and there it was. I guess I now know how it became infected. But I still wonder how you would even execute it.
Edit 2: Part of it is gone, going to do some more searching to find out where the other part is.
Edit 3: After exporting the software hive into a new hive the exe header wasn't found. I will do a few more checks but that seemed to work. Thanks for the guidance, Foolish Tech; if I didn't do the mass registry export I could still be looking for it right now.
Probably uses a loader of some sort... probably somewhere in the AV history. It kind of looks like Virut, but when I Google the parts you put I come up with Bamital or Zapchast.
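The search ZPR describes above, looking through a registry export for binary values that begin with the bytes 4D 5A (the "MZ" DOS header of a Windows executable), can be automated. The script below is an added example written for this thread, not code from either poster. It parses the text form of a regedit 5.00 export, joins the backslash-continued hex lines regedit produces, and reports every REG_BINARY-style value whose data starts with MZ. The sample export embedded in it is constructed for the demonstration: the key and value names are placeholders, not the identifiers from the thread. A real `.reg` file is UTF-16 LE, so read it with `open(path, encoding="utf-16")` before passing it in.

```python
import re
from typing import Iterator, List, Tuple

MZ_MAGIC = b"MZ"              # bytes 4D 5A: DOS header signature at offset 0 of a PE file
PE_SIGNATURE = b"PE\x00\x00"  # NT header signature that follows the DOS stub in a real PE

# Matches a value line of the form "Name"=hex:.. or "Name"=hex(N):.. (or @= for the default value)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=hex(?:\(\d+\))?:(.*)$')

# Constructed sample export (not from the thread). Key and value names are placeholders.
# "Blob0" and "Chunk" start with an MZ header; the other values are benign.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PLACEHOLDERKEY]
"Blob0"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,00,\
  40,00,00,00,00,00,00,00
"Blob1"=hex(3):01,02,03,04
"Name"="plain string value"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OTHERKEY]
@=hex:4d,5b
"Chunk"=hex:4d,5a,50,45
"""


def _logical_lines(text: str) -> Iterator[str]:
    """Yield .reg lines with regedit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _value_name(token: str) -> str:
    """Turn the quoted value-name token into a plain name; @ is the key's default value."""
    if token == "@":
        return "(Default)"
    return token[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_binary_values(text: str) -> List[Tuple[str, str, bytes]]:
    """Return (key path, value name, raw bytes) for every hex-encoded value in the export."""
    current_key = ""
    found = []
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        hex_tokens = [h.strip() for h in m.group(2).split(",") if h.strip()]
        data = bytes(int(h, 16) for h in hex_tokens)
        found.append((current_key, _value_name(m.group(1)), data))
    return found


def find_embedded_executables(text: str) -> List[dict]:
    """Flag binary values whose data begins with the MZ header; note whether a PE signature follows."""
    hits = []
    for key, name, data in parse_reg_binary_values(text):
        if data.startswith(MZ_MAGIC):
            hits.append({
                "key": key,
                "value": name,
                "size": len(data),
                "pe_signature": PE_SIGNATURE in data,
            })
    return hits


if __name__ == "__main__":
    for hit in find_embedded_executables(SAMPLE_REG):
        print(f"{hit['key']}\\{hit['value']}: {hit['size']} bytes, PE signature: {hit['pe_signature']}")
```

A hit on a short value such as "Chunk" above is only the two-byte MZ prefix, so the `pe_signature` flag helps separate a full executable image from a fragment; as ZPR's "Edit 2" notes, a payload may be split across several values, in which case the pieces would need to be concatenated before the NT header check means anything.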