01-21-2008, 07:41 PM   #11
PAHUNTER21
Registered User
 
Join Date: Jan 2008
Posts: 12
OS: WinXP SP2


Re: Constant popups/slow pc - Virtumonde infection

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:08 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1142796829733
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8511 bytes


Kaspersky Log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 21, 2008 9:34:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/01/2008
Kaspersky Anti-Virus database records: 526188
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51750
Number of viruses found: 14
Number of infected objects: 36
Number of suspicious objects: 2
Duration of the scan process: 01:06:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zzqq.exe.bac_a00516/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zzqq.exe.bac_a00516 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zzqq.exe.bac_a00516 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zzqq[1].exe.bac_a00516/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zzqq[1].exe.bac_a00516 NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\.housecall6.6\Quarantine\zzqq[1].exe.bac_a00516 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Quarantine\mfhvgowg.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Quarantine\npujrskw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Quarantine\rrcgvlmw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Quarantine\vtuurop.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\VMware\vmnetdhcp.leases Object is locked skipped
C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\cert8.db Object is locked skipped
C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\history.dat Object is locked skipped
C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\key3.db Object is locked skipped
C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\parent.lock Object is locked skipped
C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Angela\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Angela\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3614 Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3793 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3795 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3798 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3851 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3854 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3855 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file3856 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file4095/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file4095/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe/file4095 Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Angela\Desktop\UBCD4WinV310.exe Inno: infected - 11 skipped
C:\Documents and Settings\Angela\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\Application Data\Mozilla\Firefox\Profiles\xolbgccm.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\History\History.IE5\MSHist012008012120080122\index.dat Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Angela\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Angela\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Angela\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\vvqq.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Program Files\Mozilla Firefox\vvqq.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Program Files\Mozilla Firefox\vvqq.exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1\A0002034.exe Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP1\A0002035.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP14\change.log Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0002063.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.av skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0002063.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0004040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0005040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0006040.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0006046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\A0006048.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP3\A0006079.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP3\A0006080.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{ECED0377-36C2-4003-98D0-59A54FD002C8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bdss.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_90.dat Object is locked skipped
C:\WINDOWS\Temp\tmp00002e68\tmp00000000 Object is locked skipped
C:\WINDOWS\Temp\vmware-serverd.log Object is locked skipped
C:\WINDOWS\Temp\vmware-vmount.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


ComboFix Log

ComboFix 08-01-20.1 - Angela 2008-01-21 19:52:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.213 [GMT -5:00]
Running from: C:\Documents and Settings\Angela\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Angela\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\bdcyahgw.ini
C:\WINDOWS\system32\wksrjupn.ini
C:\WINDOWS\system32\wmlvgcrr.ini
C:\WINDOWS\system32\yutdyrxy.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\geeby.dll.bad
C:\VundoFix Backups\vybeg.ini.bad
C:\VundoFix Backups\vybeg.ini2.bad
C:\VundoFix Backups\ybeeg.ini.bad
C:\VundoFix Backups\ybeeg.ini2.bad
C:\WINDOWS\system32\bdcyahgw.ini
C:\WINDOWS\system32\wksrjupn.ini
C:\WINDOWS\system32\wmlvgcrr.ini
C:\WINDOWS\system32\yutdyrxy.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-20 21:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 21:47 . 2008-01-09 21:47 <DIR> d-------- C:\Documents and Settings\Angela\Application Data\Wireshark
2008-01-09 20:43 . 2008-01-09 20:44 <DIR> d-------- C:\Program Files\Wireshark
2008-01-09 20:43 . 2008-01-09 20:43 <DIR> d-------- C:\Program Files\WinPcap
2008-01-08 21:11 . 2008-01-08 21:11 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-01-07 23:07 . 2004-08-03 22:31 154,624 --a------ C:\WINDOWS\system32\drivers\wlluc48.sys
2008-01-07 23:07 . 2004-08-03 22:31 154,624 --a------ C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-01-07 20:49 . 2008-01-07 20:49 <DIR> d-------- C:\Deckard
2008-01-07 20:43 . 2008-01-08 20:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-07 20:43 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-01-07 20:43 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-07 19:47 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-07 19:46 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\mkqlwktpdijl.sys
2008-01-07 19:33 . 2008-01-07 19:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-06 23:47 . 2008-01-05 20:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-06 23:45 . 2008-01-07 08:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-06 22:53 . 2008-01-08 21:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 22:53 . 2008-01-08 20:47 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-06 22:53 . 2008-01-08 20:47 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-06 22:53 . 2008-01-08 20:47 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-06 20:49 . 2008-01-06 20:49 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-01-05 20:28 . 2008-01-06 23:47 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-05 20:25 . 2005-05-11 23:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-05 20:25 . 2005-05-11 23:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-01-05 17:48 . 2008-01-05 17:48 <DIR> d-------- C:\Documents and Settings\Angela\Application Data\Bitdefender
2008-01-05 17:22 . 2008-01-21 19:58 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-01-05 17:21 . 2008-01-05 17:27 <DIR> d-------- C:\Documents and Settings\Angela\.housecall6.6
2008-01-05 17:15 . 2008-01-05 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-01-05 14:47 . 2008-01-05 21:18 311,296 --a------ C:\WINDOWS\system32\hphmon03.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 00:59 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-01-22 00:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-01-22 00:57 --------- d-----w C:\Program Files\QuickTime
2008-01-22 00:52 --------- d-----w C:\Program Files\iTunes
2008-01-21 13:07 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
2008-01-09 01:54 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-01-09 01:53 --------- d-----w C:\Program Files\Google
2007-12-03 02:55 --------- d-----w C:\Documents and Settings\Angela\Application Data\OpenOffice.org2
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((( snapshot_2008-01-21_19.46.36.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 12:51:21 229,376 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 00:52:17 229,376 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-21 12:51:21 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-22 00:52:17 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-21 12:51:21 229,376 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 00:52:17 229,376 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-21 12:51:22 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 00:52:17 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-21 12:51:22 3,817,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-22 00:52:17 3,817,472 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-21 12:51:22 98,304 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-22 00:52:18 98,304 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-21 12:51:22 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000007\UsrClass.dat
+ 2008-01-22 00:52:18 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000007\UsrClass.dat
+ 2006-01-27 01:19:52 73,728 ----a-w C:\WINDOWS\system32\sockspy.dll
+ 2008-01-06 02:18:40 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-05 21:18 339968]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2008-01-05 21:18 36975]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2008-01-05 21:18 794624]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-01-05 21:18 49152]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2008-01-05 21:18 102492]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-05 21:18 692316]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2008-01-05 21:18 290816]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2008-01-05 21:18 253952]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2008-01-05 21:18 233534]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2008-01-05 21:18 196608]
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [2008-01-05 21:18 311296]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-05 21:18 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-05 21:18 69632]
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2008-01-05 21:02 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2006-08-09 14:40]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-22 09:39]
S3 Dot4Usb HPH09;Dot4Usb HPH09;C:\WINDOWS\system32\drivers\hphius09.sys [2006-01-13 01:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 15:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{18289c3e-be56-11dc-b741-005056c00008}]
\Shell\AutoRun\command - E:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61137052-5388-11dc-b728-005056c00008}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure20.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 19:59:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????7?2?5?8??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 20:03:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-22 01:02:37
ComboFix2.txt 2008-01-22 00:48:05
ComboFix3.txt 2008-01-21 02:50:32
.
2008-01-09 00:22:00 --- E O F ---