
Thread: Vitrumonde (the malware that shall not be named)

  1. #61
    Member
    Join Date
    Jan 2008
    Location
    Atlanta, NY, Houston, Rio Grande Valley
    Posts
    89

    Default combo fix log, part 53

    C:\posD.tmp
    C:\posD0.tmp
    C:\posD00.tmp
    C:\posD01.tmp
    C:\posD02.tmp
    C:\posD03.tmp
    C:\posD04.tmp
    C:\posD05.tmp
    C:\posD06.tmp
    C:\posD07.tmp
    C:\posD08.tmp
    C:\posD09.tmp
    C:\posD0A.tmp
    C:\posD0B.tmp
    C:\posD0C.tmp
    C:\posD0D.tmp
    C:\posD0E.tmp
    C:\posD0F.tmp
    C:\posD1.tmp
    C:\posD10.tmp
    C:\posD11.tmp
    C:\posD12.tmp
    C:\posD13.tmp
    C:\posD14.tmp
    C:\posD15.tmp
    C:\posD16.tmp
    C:\posD17.tmp
    C:\posD18.tmp
    C:\posD19.tmp
    C:\posD1A.tmp
    C:\posD1B.tmp
    C:\posD1C.tmp
    C:\posD1D.tmp
    C:\posD1E.tmp
    C:\posD1F.tmp
    C:\posD2.tmp
    C:\posD20.tmp
    C:\posD21.tmp
    C:\posD22.tmp
    C:\posD23.tmp
    C:\posD24.tmp
    C:\posD25.tmp
    C:\posD26.tmp
    C:\posD27.tmp
    C:\posD28.tmp
    C:\posD29.tmp
    C:\posD2A.tmp
    C:\posD2B.tmp
    C:\posD2C.tmp
    C:\posD2D.tmp
    C:\posD2E.tmp
    C:\posD2F.tmp
    C:\posD3.tmp
    C:\posD30.tmp
    C:\posD31.tmp
    C:\posD32.tmp
    C:\posD33.tmp
    C:\posD34.tmp
    C:\posD35.tmp
    C:\posD36.tmp
    C:\posD37.tmp
    C:\posD38.tmp
    C:\posD39.tmp
    C:\posD3A.tmp
    C:\posD3B.tmp
    C:\posD3C.tmp
    C:\posD3D.tmp
    C:\posD3E.tmp
    C:\posD3F.tmp
    C:\posD4.tmp
    C:\posD40.tmp
    C:\posD41.tmp
    C:\posD42.tmp
    C:\posD43.tmp
    C:\posD44.tmp
    C:\posD45.tmp
    C:\posD46.tmp
    C:\posD47.tmp
    C:\posD48.tmp
    C:\posD49.tmp
    C:\posD4A.tmp
    C:\posD4B.tmp
    C:\posD4C.tmp
    C:\posD4D.tmp
    C:\posD4E.tmp
    C:\posD4F.tmp
    C:\posD5.tmp
    C:\posD50.tmp
    C:\posD51.tmp
    C:\posD52.tmp
    C:\posD53.tmp
    C:\posD54.tmp
    C:\posD55.tmp
    C:\posD56.tmp
    C:\posD57.tmp
    C:\posD58.tmp
    C:\posD59.tmp
    C:\posD5A.tmp
    C:\posD5B.tmp
    C:\posD5C.tmp
    C:\posD5D.tmp
    C:\posD5E.tmp
    C:\posD5F.tmp
    C:\posD6.tmp
    C:\posD60.tmp
    C:\posD61.tmp
    C:\posD62.tmp
    C:\posD63.tmp
    C:\posD64.tmp
    C:\posD65.tmp
    C:\posD66.tmp
    C:\posD67.tmp
    C:\posD68.tmp
    C:\posD69.tmp
    C:\posD6A.tmp
    C:\posD6B.tmp
    C:\posD6C.tmp
    C:\posD6D.tmp
    C:\posD6E.tmp
    C:\posD6F.tmp
    C:\posD7.tmp
    C:\posD70.tmp
    C:\posD71.tmp
    C:\posD72.tmp
    C:\posD73.tmp
    C:\posD74.tmp
    C:\posD75.tmp
    C:\posD76.tmp
    C:\posD77.tmp
    C:\posD78.tmp
    C:\posD79.tmp
    C:\posD7A.tmp
    C:\posD7B.tmp
    C:\posD7C.tmp
    C:\posD7D.tmp
    C:\posD7E.tmp
    C:\posD7F.tmp
    C:\posD8.tmp
    C:\posD80.tmp
    C:\posD81.tmp
    C:\posD82.tmp
    C:\posD83.tmp
    C:\posD84.tmp
    C:\posD85.tmp
    C:\posD86.tmp
    C:\posD87.tmp
    C:\posD88.tmp
    C:\posD89.tmp
    C:\posD8A.tmp
    C:\posD8B.tmp
    C:\posD8C.tmp
    C:\posD8D.tmp
    C:\posD8E.tmp
    C:\posD8F.tmp
    C:\posD9.tmp
    C:\posD90.tmp
    C:\posD91.tmp
    C:\posD92.tmp
    C:\posD93.tmp
    C:\posD94.tmp
    C:\posD95.tmp
    C:\posD96.tmp
    C:\posD97.tmp
    C:\posD98.tmp
    C:\posD99.tmp
    C:\posD9A.tmp
    C:\posD9B.tmp
    C:\posD9C.tmp
    C:\posD9D.tmp
    C:\posD9E.tmp
    C:\posD9F.tmp
    C:\posDA.tmp
    C:\posDA0.tmp
    C:\posDA1.tmp
    C:\posDA2.tmp
    C:\posDA3.tmp
    C:\posDA4.tmp
    C:\posDA5.tmp
    C:\posDA6.tmp
    C:\posDA7.tmp
    C:\posDA8.tmp
    C:\posDA9.tmp
    C:\posDAA.tmp
    C:\posDAB.tmp
    C:\posDAC.tmp
    C:\posDAD.tmp
    C:\posDAE.tmp
    C:\posDAF.tmp
    C:\posDB.tmp
    C:\posDB0.tmp
    C:\posDB1.tmp
    C:\posDB2.tmp
    C:\posDB3.tmp
    C:\posDB4.tmp
    C:\posDB5.tmp
    C:\posDB6.tmp
    C:\posDB7.tmp
    C:\posDB8.tmp
    C:\posDB9.tmp
    C:\posDBA.tmp
    C:\posDBB.tmp
    C:\posDBC.tmp
    C:\posDBD.tmp
    C:\posDBE.tmp
    C:\posDBF.tmp
    C:\posDC.tmp
    C:\posDC0.tmp
    C:\posDC1.tmp
    C:\posDC2.tmp
    C:\posDC3.tmp
    C:\posDC4.tmp
    C:\posDC5.tmp
    C:\posDC6.tmp
    C:\posDC7.tmp
    C:\posDC8.tmp
    C:\posDC9.tmp
    C:\posDCA.tmp
    C:\posDCB.tmp
    C:\posDCC.tmp
    C:\posDCD.tmp
    C:\posDCE.tmp
    C:\posDCF.tmp
    C:\posDD.tmp
    C:\posDD0.tmp
    C:\posDD1.tmp
    C:\posDD2.tmp
    C:\posDD3.tmp
    C:\posDD4.tmp
    C:\posDD5.tmp
    C:\posDD6.tmp
    C:\posDD7.tmp
    C:\posDD8.tmp
    C:\posDD9.tmp
    C:\posDDA.tmp
    C:\posDDB.tmp
    C:\posDDC.tmp
    C:\posDDD.tmp
    C:\posDDE.tmp
    C:\posDDF.tmp
    C:\posDE.tmp
    C:\posDE0.tmp
    C:\posDE1.tmp
    C:\posDE2.tmp
    C:\posDE3.tmp
    C:\posDE4.tmp
    C:\posDE5.tmp
    C:\posDE6.tmp
    C:\posDE7.tmp
    C:\posDE8.tmp
    C:\posDE9.tmp
    C:\posDEA.tmp
    C:\posDEB.tmp
    C:\posDEC.tmp
    C:\posDED.tmp
    C:\posDEE.tmp
    C:\posDEF.tmp
    C:\posDF.tmp
    C:\posDF0.tmp
    C:\posDF1.tmp
    C:\posDF2.tmp
    C:\posDF3.tmp
    C:\posDF4.tmp
    C:\posDF5.tmp
    C:\posDF6.tmp
    C:\posDF7.tmp
    C:\posDF8.tmp
    C:\posDF9.tmp
    C:\posDFA.tmp
    C:\posDFB.tmp
    C:\posDFC.tmp
    C:\posDFD.tmp
    C:\posDFE.tmp
    C:\posDFF.tmp
    C:\posE.tmp
    C:\posE0.tmp
    C:\posE00.tmp
    C:\posE01.tmp
    C:\posE02.tmp
    C:\posE03.tmp
    C:\posE04.tmp
    C:\posE05.tmp
    C:\posE06.tmp
    C:\posE07.tmp
    C:\posE08.tmp
    C:\posE09.tmp
    C:\posE0A.tmp
    C:\posE0B.tmp
    C:\posE0C.tmp
    C:\posE0D.tmp
    C:\posE0E.tmp
    C:\posE0F.tmp
    C:\posE1.tmp
    C:\posE10.tmp
    C:\posE11.tmp
    C:\posE12.tmp
    C:\posE13.tmp
    C:\posE14.tmp
    C:\posE15.tmp
    C:\posE16.tmp
    C:\posE17.tmp
    C:\posE18.tmp
    C:\posE19.tmp
    C:\posE1A.tmp
    C:\posE1B.tmp
    C:\posE1C.tmp
    C:\posE1D.tmp
    C:\posE1E.tmp
    C:\posE1F.tmp
    C:\posE2.tmp
    C:\posE20.tmp
    C:\posE21.tmp
    C:\posE22.tmp
    C:\posE23.tmp
    C:\posE24.tmp
    C:\posE25.tmp
    C:\posE26.tmp
    C:\posE27.tmp
    C:\posE28.tmp
    C:\posE29.tmp
    C:\posE2A.tmp
    C:\posE2B.tmp
    C:\posE2C.tmp
    C:\posE2D.tmp
    C:\posE2E.tmp
    C:\posE2F.tmp
    C:\posE3.tmp
    C:\posE30.tmp
    C:\posE31.tmp
    C:\posE32.tmp
    C:\posE33.tmp
    C:\posE34.tmp
    C:\posE35.tmp
    C:\posE36.tmp
    C:\posE37.tmp
    C:\posE38.tmp
    C:\posE39.tmp
    C:\posE3A.tmp
    C:\posE3B.tmp
    C:\posE3C.tmp
    C:\posE3D.tmp
    C:\posE3E.tmp
    C:\posE3F.tmp
    C:\posE4.tmp
    C:\posE40.tmp
    C:\posE41.tmp
    C:\posE42.tmp
    C:\posE43.tmp
    C:\posE44.tmp
    C:\posE45.tmp
    C:\posE46.tmp
    C:\posE47.tmp
    C:\posE48.tmp
    C:\posE49.tmp
    C:\posE4A.tmp
    C:\posE4B.tmp
    C:\posE4C.tmp
    C:\posE4D.tmp
    C:\posE4E.tmp
    C:\posE4F.tmp
    C:\posE5.tmp
    C:\posE50.tmp
    C:\posE51.tmp
    C:\posE52.tmp
    C:\posE53.tmp
    C:\posE54.tmp
    C:\posE55.tmp
    C:\posE56.tmp
    C:\posE57.tmp
    C:\posE58.tmp
    C:\posE59.tmp
    C:\posE5A.tmp
    C:\posE5B.tmp
    C:\posE5C.tmp
    C:\posE5D.tmp
    C:\posE5E.tmp
    C:\posE5F.tmp
    C:\posE6.tmp
    C:\posE60.tmp
    C:\posE61.tmp
    C:\posE62.tmp
    C:\posE63.tmp
    C:\posE64.tmp
    C:\posE65.tmp
    C:\posE66.tmp
    C:\posE67.tmp
    C:\posE68.tmp
    C:\posE69.tmp
    C:\posE6A.tmp
    C:\posE6B.tmp
    C:\posE6C.tmp
    C:\posE6D.tmp
    C:\posE6E.tmp
    C:\posE6F.tmp
    C:\posE7.tmp
    C:\posE70.tmp
    C:\posE71.tmp
    C:\posE72.tmp
    C:\posE73.tmp
    C:\posE74.tmp
    C:\posE75.tmp
    C:\posE76.tmp
    C:\posE77.tmp
    C:\posE78.tmp
    C:\posE79.tmp
    C:\posE7A.tmp
    C:\posE7B.tmp
    C:\posE7C.tmp
    C:\posE7D.tmp
    C:\posE7E.tmp
    C:\posE7F.tmp
    C:\posE8.tmp
    C:\posE80.tmp
    C:\posE81.tmp
    C:\posE82.tmp
    C:\posE83.tmp
    C:\posE84.tmp
    C:\posE85.tmp
    C:\posE86.tmp
    C:\posE87.tmp
    C:\posE88.tmp
    C:\posE89.tmp
    C:\posE8A.tmp
    C:\posE8B.tmp
    C:\posE8C.tmp
    C:\posE8D.tmp
    C:\posE8E.tmp
    C:\posE8F.tmp
    C:\posE9.tmp
    C:\posE90.tmp
    C:\posE91.tmp
    C:\posE92.tmp
    C:\posE93.tmp
    C:\posE94.tmp
    C:\posE95.tmp
    C:\posE96.tmp
    C:\posE97.tmp
    C:\posE98.tmp
    C:\posE99.tmp
    C:\posE9A.tmp
    C:\posE9B.tmp
    C:\posE9C.tmp
    C:\posE9D.tmp
    C:\posE9E.tmp
    C:\posE9F.tmp
    C:\posEA.tmp
    C:\posEA0.tmp
    C:\posEA1.tmp
    C:\posEA2.tmp
    C:\posEA3.tmp
    C:\posEA4.tmp
    C:\posEA5.tmp
    C:\posEA6.tmp
    C:\posEA7.tmp
    C:\posEA8.tmp
    C:\posEA9.tmp
    C:\posEAA.tmp
    C:\posEAB.tmp
    C:\posEAC.tmp
    C:\posEAD.tmp
    C:\posEAE.tmp
    C:\posEAF.tmp
    C:\posEB.tmp
    C:\posEB0.tmp
    C:\posEB1.tmp
    C:\posEB2.tmp
    C:\posEB3.tmp
    C:\posEB4.tmp
    C:\posEB5.tmp
    C:\posEB6.tmp
    C:\posEB7.tmp
    C:\posEB8.tmp
    C:\posEB9.tmp
    C:\posEBA.tmp
    C:\posEBB.tmp
    C:\posEBC.tmp
    C:\posEBD.tmp
    C:\posEBE.tmp
    C:\posEBF.tmp
    C:\posEC.tmp
    C:\posEC0.tmp
    C:\posEC1.tmp
    C:\posEC2.tmp
    C:\posEC3.tmp
    C:\posEC4.tmp
    C:\posEC5.tmp
    C:\posEC6.tmp
    C:\posEC7.tmp
    C:\posEC8.tmp
    C:\posEC9.tmp
    C:\posECA.tmp
    C:\posECB.tmp
    C:\posECC.tmp
    C:\posECD.tmp
    C:\posECE.tmp
    C:\posECF.tmp
    C:\posED.tmp
    C:\posED0.tmp
    C:\posED1.tmp
    C:\posED2.tmp
    C:\posED3.tmp
    C:\posED4.tmp
    C:\posED5.tmp
    C:\posED6.tmp
    C:\posED7.tmp
    C:\posED8.tmp
    C:\posED9.tmp
    C:\posEDA.tmp
    C:\posEDB.tmp
    C:\posEDC.tmp
    C:\posEDD.tmp
    C:\posEDE.tmp
    C:\posEDF.tmp
    C:\posEE.tmp
    C:\posEE0.tmp
    C:\posEE1.tmp
    C:\posEE2.tmp
    C:\posEE3.tmp
    C:\posEE4.tmp
    C:\posEE5.tmp
    C:\posEE6.tmp
    C:\posEE7.tmp
    C:\posEE8.tmp
    C:\posEE9.tmp
    C:\posEEA.tmp
    C:\posEEB.tmp
    C:\posEEC.tmp
    C:\posEED.tmp
    C:\posEEE.tmp
    C:\posEEF.tmp
    C:\posEF.tmp
    C:\posEF0.tmp
    C:\posEF1.tmp
    C:\posEF2.tmp
    C:\posEF3.tmp
    C:\posEF4.tmp
    C:\posEF5.tmp
    C:\posEF6.tmp
    C:\posEF7.tmp
    C:\posEF8.tmp
    C:\posEF9.tmp
    C:\posEFA.tmp
    C:\posEFB.tmp
    C:\posEFC.tmp
    C:\posEFD.tmp
    C:\posEFE.tmp
    C:\posEFF.tmp
    C:\posF.tmp
    C:\posF0.tmp
    C:\posF00.tmp
    C:\posF01.tmp
    C:\posF02.tmp
    C:\posF03.tmp
    C:\posF04.tmp
    C:\posF05.tmp
    C:\posF06.tmp
    C:\posF07.tmp
    C:\posF08.tmp
    C:\posF09.tmp
    C:\posF0A.tmp
    C:\posF0B.tmp
    C:\posF0C.tmp
    C:\posF0D.tmp
    C:\posF0E.tmp
    C:\posF0F.tmp
    C:\posF1.tmp
    C:\posF10.tmp
    C:\posF11.tmp
    C:\posF12.tmp
    C:\posF13.tmp
    C:\posF14.tmp
    C:\posF15.tmp
    C:\posF16.tmp
    C:\posF17.tmp
    C:\posF18.tmp
    C:\posF19.tmp
    C:\posF1A.tmp
    C:\posF1B.tmp
    C:\posF1C.tmp
    C:\posF1D.tmp
    C:\posF1E.tmp
    C:\posF1F.tmp
    C:\posF2.tmp
    C:\posF20.tmp
    C:\posF21.tmp
    C:\posF22.tmp
    C:\posF23.tmp
    C:\posF24.tmp
    C:\posF25.tmp
    C:\posF26.tmp
    C:\posF27.tmp
    C:\posF28.tmp
    C:\posF29.tmp
    C:\posF2A.tmp
    C:\posF2B.tmp
    C:\posF2C.tmp
    C:\posF2D.tmp
    C:\posF2E.tmp
    C:\posF2F.tmp
    C:\posF3.tmp
    C:\posF30.tmp
    C:\posF31.tmp
    C:\posF32.tmp
    C:\posF33.tmp
    C:\posF34.tmp
    C:\posF35.tmp
    C:\posF36.tmp
    C:\posF37.tmp
    C:\posF38.tmp
    C:\posF39.tmp
    C:\posF3A.tmp
    C:\posF3B.tmp
    C:\posF3C.tmp
    C:\posF3D.tmp
    C:\posF3E.tmp
    C:\posF3F.tmp
    C:\posF4.tmp
    C:\posF40.tmp
    C:\posF41.tmp
    C:\posF42.tmp
    C:\posF43.tmp
    C:\posF44.tmp
    C:\posF45.tmp
    C:\posF46.tmp
    C:\posF47.tmp
    C:\posF48.tmp
    C:\posF49.tmp
    C:\posF4A.tmp
    C:\posF4B.tmp
    C:\posF4C.tmp
    C:\posF4D.tmp
    C:\posF4E.tmp
    C:\posF4F.tmp
    C:\posF5.tmp
    C:\posF50.tmp
    C:\posF51.tmp
    C:\posF52.tmp
    C:\posF53.tmp
    C:\posF54.tmp
    C:\posF55.tmp
    C:\posF56.tmp
    C:\posF57.tmp
    C:\posF58.tmp
    C:\posF59.tmp
    C:\posF5A.tmp
    C:\posF5B.tmp
    C:\posF5C.tmp
    C:\posF5D.tmp
    C:\posF5E.tmp
    C:\posF5F.tmp
    C:\posF6.tmp
    C:\posF60.tmp
    C:\posF61.tmp
    C:\posF62.tmp
    C:\posF63.tmp
    C:\posF64.tmp
    C:\posF65.tmp
    C:\posF66.tmp
    C:\posF67.tmp
    C:\posF68.tmp
    C:\posF69.tmp
    C:\posF6A.tmp
    C:\posF6B.tmp
    C:\posF6C.tmp
    C:\posF6D.tmp
    C:\posF6E.tmp
    C:\posF6F.tmp
    C:\posF7.tmp
    C:\posF70.tmp
    C:\posF71.tmp
    C:\posF72.tmp
    C:\posF73.tmp
    C:\posF74.tmp
    C:\posF75.tmp
    C:\posF76.tmp
    C:\posF77.tmp
    C:\posF78.tmp
    C:\posF79.tmp
    C:\posF7A.tmp
    C:\posF7B.tmp
    C:\posF7C.tmp
    C:\posF7D.tmp
    C:\posF7E.tmp
    C:\posF7F.tmp
    C:\posF8.tmp
    C:\posF80.tmp
    C:\posF81.tmp
    C:\posF82.tmp
    C:\posF83.tmp
    C:\posF84.tmp
    C:\posF85.tmp
    C:\posF86.tmp
    C:\posF87.tmp
    C:\posF88.tmp
    C:\posF89.tmp
    C:\posF8A.tmp
    C:\posF8B.tmp
    C:\posF8C.tmp
    C:\posF8D.tmp
    C:\posF8E.tmp
    C:\posF8F.tmp
    C:\posF9.tmp
    C:\posF90.tmp
    C:\posF91.tmp
    C:\posF92.tmp
    C:\posF93.tmp
    C:\posF94.tmp
    C:\posF95.tmp
    C:\posF96.tmp
    C:\posF97.tmp
    C:\posF98.tmp
    C:\posF99.tmp
    C:\posF9A.tmp
    C:\posF9B.tmp
    C:\posF9C.tmp
    C:\posF9D.tmp
    C:\posF9E.tmp
    C:\posF9F.tmp
    C:\posFA.tmp
    C:\posFA0.tmp
    C:\posFA1.tmp
    C:\posFA2.tmp
    C:\posFA3.tmp
    C:\posFA4.tmp
    C:\posFA5.tmp
    C:\posFA6.tmp
    C:\posFA7.tmp
    C:\posFA8.tmp
    C:\posFA9.tmp
    C:\posFAA.tmp
    C:\posFAB.tmp
    C:\posFAC.tmp
    C:\posFAD.tmp
    C:\posFAE.tmp
    C:\posFAF.tmp
    C:\posFB.tmp
    C:\posFB0.tmp
    C:\posFB1.tmp
    C:\posFB2.tmp
    C:\posFB3.tmp
    C:\posFB4.tmp
    C:\posFB5.tmp
    C:\posFB6.tmp
    C:\posFB7.tmp
    C:\posFB8.tmp
    C:\posFB9.tmp
    C:\posFBA.tmp
    C:\posFBB.tmp
    C:\posFBC.tmp
    C:\posFBD.tmp
    C:\posFBE.tmp
    C:\posFBF.tmp
    C:\posFC.tmp
    C:\posFC0.tmp
    C:\posFC1.tmp
    C:\posFC2.tmp
    C:\posFC3.tmp
    C:\posFC4.tmp
    C:\posFC5.tmp
    C:\posFC6.tmp
    C:\posFC7.tmp
    C:\posFC8.tmp
    C:\posFC9.tmp
    C:\posFCA.tmp
    C:\posFCB.tmp
    C:\posFCC.tmp
    C:\posFCD.tmp
    C:\posFCE.tmp
    C:\posFCF.tmp
    C:\posFD.tmp
    C:\posFD0.tmp
    C:\posFD1.tmp
    C:\posFD2.tmp
    C:\posFD3.tmp
    C:\posFD4.tmp
    C:\posFD5.tmp
    C:\posFD6.tmp
    C:\posFD7.tmp
    C:\posFD8.tmp
    C:\posFD9.tmp
    C:\posFDA.tmp
    C:\posFDB.tmp
    C:\posFDC.tmp
    C:\posFDD.tmp
    C:\posFDE.tmp
    C:\posFDF.tmp
    C:\posFE.tmp
    C:\posFE0.tmp
    C:\posFE1.tmp
    C:\posFE2.tmp
    C:\posFE3.tmp
    C:\posFE4.tmp
    C:\posFE5.tmp
    C:\posFE6.tmp
    C:\posFE7.tmp
    C:\posFE8.tmp
    C:\posFE9.tmp
    C:\posFEA.tmp
    C:\posFEB.tmp
    C:\posFEC.tmp
    C:\posFED.tmp
    C:\posFEE.tmp
    C:\posFEF.tmp
    C:\posFF.tmp
    C:\posFF0.tmp
    C:\posFF1.tmp
    C:\posFF2.tmp
    C:\posFF3.tmp
    C:\posFF4.tmp
    C:\posFF5.tmp
    C:\posFF6.tmp
    C:\posFF7.tmp
    C:\posFF8.tmp
    C:\posFF9.tmp
    C:\posFFA.tmp
    C:\posFFB.tmp
    C:\posFFC.tmp
    C:\posFFD.tmp
    C:\posFFE.tmp
    C:\posFFF.tmp
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\cbawv.dll
    C:\WINDOWS\system32\e9
    C:\WINDOWS\system32\edaluybm.dll
    C:\WINDOWS\SYSTEM32\glkwrnjh.ini
    C:\WINDOWS\SYSTEM32\juyfldtl.ini
    C:\WINDOWS\system32\jzebpxpw.dll
    C:\WINDOWS\system32\jzebpxpw.dllbox
    C:\WINDOWS\system32\ktsctlsk.dll
    C:\WINDOWS\system32\ltdlfyuj.dll
    C:\WINDOWS\system32\p2
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pmnkhfd.dll
    C:\WINDOWS\SYSTEM32\rcreisyn.ini
    C:\WINDOWS\system32\t8
    C:\WINDOWS\SYSTEM32\vwabc.ini
    C:\WINDOWS\SYSTEM32\vwabc.ini2
    C:\WINDOWS\system32\windows
    C:\WINDOWS\SYSTEM32\xgfpxjdv.ini
    C:\WINDOWS\system32\z4

  2. #62
    Member
    Join Date
    Jan 2008
    Location
    Atlanta, NY, Houston, Rio Grande Valley
    Posts
    89

    Default combo fix log, part 54

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
    .

    2008-01-19 07:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-17 21:48 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
    2008-01-17 21:44 . 2008-01-18 08:10 <DIR> d-------- C:\Documents and Settings\Rhonni\Application Data\HouseCall 6.6
    2008-01-17 21:37 . 2008-01-17 21:38 <DIR> d-------- C:\Documents and Settings\Rhonni\.housecall6.6
    2008-01-17 18:49 . 2008-01-17 18:49 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
    2008-01-17 17:36 . 2008-01-17 18:49 <DIR> d-------- C:\VundoFix Backups
    2008-01-16 11:41 . 2008-01-16 11:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-16 11:31 . 2008-01-16 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-16 11:30 . 2008-01-16 11:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-01-14 17:43 . 2008-01-14 17:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01
    2008-01-14 17:42 . 2008-01-14 17:43 <DIR> d-------- C:\TEMP\Ryuan1
    2007-12-19 09:56 . 2008-01-14 09:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-19 09:56 . 2007-12-19 09:56 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-19 22:11 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
    2008-01-19 22:11 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
    2008-01-19 22:11 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
    2008-01-19 22:11 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
    2008-01-19 22:11 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
    2008-01-19 22:11 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
    2008-01-19 22:11 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
    2008-01-19 22:11 150,046 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
    2008-01-15 03:06 --------- d-----w C:\Program Files\Windows Defender
    2008-01-14 23:37 --------- d-----w C:\Program Files\QuickTime
    2008-01-14 23:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-14 23:37 --------- d-----w C:\Program Files\iTunes
    2008-01-14 23:37 --------- d-----w C:\Program Files\Apoint
    2008-01-14 23:05 --------- d-----w C:\Program Files\AIM
    2008-01-11 01:13 --------- d-----w C:\Program Files\eFax Messenger Plus 3.3
    2007-12-17 18:58 --------- d-----w C:\Program Files\MUSICMATCH
    2007-12-12 21:32 --------- d-----w C:\Program Files\Boingo
    2007-12-12 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBoingo
    2007-12-06 01:02 --------- d-----w C:\Documents and Settings\Rhonni\Application Data\Apple Computer
    2007-11-29 00:41 --------- d-----w C:\Program Files\iPod
    2007-11-29 00:39 --------- d-----w C:\Program Files\Apple Software Update
    2007-11-29 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-29 00:38 --------- d-----w C:\Program Files\Common Files\Apple
    2007-11-29 00:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-19 16:45 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
    2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    2006-09-19 11:54 15,831,583 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_19_06_48_15.dmp.zip
    2006-09-19 11:53 15,332,708 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_19_06_48_09.dmp.zip
    2006-07-12 00:37 12,985,523 ----a-w C:\WINDOWS\Internet Logs\ca_2nd_2006_07_11_13_54_58.dmp.zip
    2006-05-11 12:19 12,238,615 ----a-w C:\WINDOWS\Internet Logs\ca_2nd_2006_05_11_08_12_04.dmp.zip
    2004-11-10 17:41 4,032,512 ------w C:\Program Files\msgrplus.exe
    2004-10-26 01:25 20,630,968 ------w C:\Program Files\iTunesSetup.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4CF4C59-FED1-497E-82D4-38AB14CE48B1}]
    C:\WINDOWS\system32\nnnkh.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\PROGRA~1\AIM\aim.exe" [ ]
    "Sonic RecordNow!"="" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [ ]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "cafwc"="C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-01-17 18:59 1193224]
    "capfasem"="C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-01-17 18:59 173320]
    "capfupgrade"="C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-01-17 18:59 253952]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-22 09:55:54]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
    UmxWnp.Dll 2007-01-31 14:00 79368 C:\WINDOWS\SYSTEM32\UmxWNP.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqroo]
    C:\WINDOWS\system32\rqroo.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Live Menu 3.3.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Live Menu 3.3.lnk
    backup=C:\WINDOWS\pss\eFax Live Menu 3.3.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.3.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.3.lnk
    backup=C:\WINDOWS\pss\eFax Tray Menu 3.3.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Weekly Compass.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Weekly Compass.lnk
    backup=C:\WINDOWS\pss\Weekly Compass.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    --------- 2004-05-16 20:18 528384 C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --------- 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    --------- 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

    R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-05-31 12:43]
    R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-03-21 17:57]
    R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-03-16 03:39]
    R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-05-31 12:43]
    R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 16:00]
    R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-03-21 15:31]
    R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 12:44]
    R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-05-14 17:23]
    R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-03-05 18:36]
    R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-03-19 18:06]
    R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2003-12-11 12:53]
    S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2004-11-03 22:00]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-06-06 17:22]
    S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPCtlPriv.exe" [2007-08-31 08:30]
    S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2005-10-08 15:32]
    S3 WrKPoET2000;WrKPoET2000;C:\Program Files\WinPoET Broadband Connection\WrKPoET2000.sys [2000-10-30 14:11]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-16 00:13:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-14 17:41:20 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Rhonni at 11 26 AM.job"
    - C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\CAAntiSpyware.exe
    "2008-01-19 22:15:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-19 17:15:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-19 17:30:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-19 22:29:26
    .
    2008-01-18 02:02:54 --- E O F ---

  3. #63
    Member
    Join Date
    Jan 2008
    Location
    Atlanta, NY, Houston, Rio Grande Valley
    Posts
    89


    I don't know how long combofix ran. I left the office at 45 minutes or so.

  4. #64
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Yes, there were "some" pos*.tmp files.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    C:\WINDOWS\SYSTEM32\edcA01
    C:\TEMP\Ryuan1
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4CF4C59-FED1-497E-82D4-38AB14CE48B1}]
    
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqroo]
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After the reboot (if it asks for one), post the contents of Combofix.txt in your next reply, together with a new HijackThis log.

    Combofix should never take more than 20 minutes, including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
    If that happened, we want to know, and also which process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #65
    Member
    Join Date
    Jan 2008
    Location
    Atlanta, NY, Houston, Rio Grande Valley
    Posts
    89

    Default combo fix log

    ComboFix 08-01-18.5 - Rhonni 2008-01-20 8:35:24.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1091 [GMT -5:00]
    Running from: C:\Documents and Settings\Rhonni\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Rhonni\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\TEMP\Ryuan1
    C:\TEMP\Ryuan1\tepU.log
    C:\WINDOWS\SYSTEM32\edcA01
    C:\WINDOWS\SYSTEM32\edcA01\edcA011065.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
    .

    2008-01-19 07:38 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-17 21:48 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
    2008-01-17 21:44 . 2008-01-18 08:10 <DIR> d-------- C:\Documents and Settings\Rhonni\Application Data\HouseCall 6.6
    2008-01-17 21:37 . 2008-01-17 21:38 <DIR> d-------- C:\Documents and Settings\Rhonni\.housecall6.6
    2008-01-17 18:49 . 2008-01-17 18:49 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
    2008-01-17 17:36 . 2008-01-17 18:49 <DIR> d-------- C:\VundoFix Backups
    2008-01-16 11:41 . 2008-01-16 11:41 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-16 11:31 . 2008-01-16 11:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-16 11:30 . 2008-01-16 11:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-20 02:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
    2008-01-20 02:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
    2008-01-20 02:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
    2008-01-20 02:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
    2008-01-20 02:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
    2008-01-20 02:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
    2008-01-20 02:33 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
    2008-01-20 02:33 150,046 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
    2008-01-15 03:06 --------- d-----w C:\Program Files\Windows Defender
    2008-01-14 23:37 --------- d-----w C:\Program Files\QuickTime
    2008-01-14 23:37 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-01-14 23:37 --------- d-----w C:\Program Files\iTunes
    2008-01-14 23:37 --------- d-----w C:\Program Files\Apoint
    2008-01-14 23:05 --------- d-----w C:\Program Files\AIM
    2008-01-11 01:13 --------- d-----w C:\Program Files\eFax Messenger Plus 3.3
    2007-12-17 18:58 --------- d-----w C:\Program Files\MUSICMATCH
    2007-12-12 21:32 --------- d-----w C:\Program Files\Boingo
    2007-12-12 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBoingo
    2007-12-06 01:02 --------- d-----w C:\Documents and Settings\Rhonni\Application Data\Apple Computer
    2007-11-29 00:41 --------- d-----w C:\Program Files\iPod
    2007-11-29 00:39 --------- d-----w C:\Program Files\Apple Software Update
    2007-11-29 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-11-29 00:38 --------- d-----w C:\Program Files\Common Files\Apple
    2007-11-29 00:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
    2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
    2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
    2006-09-19 11:54 15,831,583 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_19_06_48_15.dmp.zip
    2006-09-19 11:53 15,332,708 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_09_19_06_48_09.dmp.zip
    2006-07-12 00:37 12,985,523 ----a-w C:\WINDOWS\Internet Logs\ca_2nd_2006_07_11_13_54_58.dmp.zip
    2006-05-11 12:19 12,238,615 ----a-w C:\WINDOWS\Internet Logs\ca_2nd_2006_05_11_08_12_04.dmp.zip
    2004-11-10 17:41 4,032,512 ------w C:\Program Files\msgrplus.exe
    2004-10-26 01:25 20,630,968 ------w C:\Program Files\iTunesSetup.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-19_17.21.05.19 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-19 12:41:00 253,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-20 13:34:20 253,952 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-19 12:41:01 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-20 13:34:20 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-19 12:41:02 8,122,368 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-20 13:34:20 8,134,656 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-19 12:41:03 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-20 13:34:21 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-19 12:41:03 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    + 2008-01-20 13:34:21 249,856 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
    - 2008-01-19 12:41:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-20 13:34:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-20 13:24:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_608.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="C:\PROGRA~1\AIM\aim.exe" [ ]
    "Sonic RecordNow!"="" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [ ]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "cafwc"="C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-01-17 18:59 1193224]
    "capfasem"="C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-01-17 18:59 173320]
    "capfupgrade"="C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-01-17 18:59 253952]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 18:05:56]
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-22 09:55:54]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 21:07:32]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
    UmxWnp.Dll 2007-01-31 14:00 79368 C:\WINDOWS\SYSTEM32\UmxWNP.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Live Menu 3.3.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Live Menu 3.3.lnk
    backup=C:\WINDOWS\pss\eFax Live Menu 3.3.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 3.3.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 3.3.lnk
    backup=C:\WINDOWS\pss\eFax Tray Menu 3.3.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Weekly Compass.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Weekly Compass.lnk
    backup=C:\WINDOWS\pss\Weekly Compass.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
    --------- 2004-05-16 20:18 528384 C:\Program Files\Dell\QuickSet\quickset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --------- 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    --------- 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

    R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys [2007-05-31 12:43]
    R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys [2007-03-21 17:57]
    R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys [2007-03-16 03:39]
    R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys [2007-05-31 12:43]
    R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys [2007-07-24 16:00]
    R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys [2007-03-21 15:31]
    R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe" [2007-07-24 12:44]
    R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe" [2007-05-14 17:23]
    R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe" [2007-03-05 18:36]
    R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys [2007-03-19 18:06]
    R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2003-12-11 12:53]
    S3 AIR555;Sierra Wireless AirCard 555 NIC + Modem (NIC Interface);C:\WINDOWS\system32\DRIVERS\air555.sys [2004-11-03 22:00]
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-06-06 17:22]
    S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPCtlPriv.exe" [2007-08-31 08:30]
    S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2005-10-08 15:32]
    S3 WrKPoET2000;WrKPoET2000;C:\Program Files\WinPoET Broadband Connection\WrKPoET2000.sys [2000-10-30 14:11]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-16 00:13:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-14 17:41:20 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Rhonni at 11 26 AM.job"
    - C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\CAAntiSpyware.exe
    "2008-01-20 13:27:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-20 08:41:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-20 8:45:06
    ComboFix-quarantined-files.txt 2008-01-20 13:44:56
    ComboFix2.txt 2008-01-19 22:30:26
    .
    2008-01-18 02:02:54 --- E O F ---

  6. #66
    Member
    Join Date
    Jan 2008
    Location
    Atlanta, NY, Houston, Rio Grande Valley
    Posts
    89

    fresh hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:49:20 AM, on 1/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\Rhonn1.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/commun...iewHidden=TRUE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
    O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144371875335
    O16 - DPF: {7411047A-48E1-4EC9-8AC1-088087AD368F} (QuickBooks GLDownload Control) - https://cbspayroll.intuit.com/NetPay...GLDownload.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPCtlPriv.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

    --
    End of file - 9783 bytes

  7. #67
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi

    Next, check whether you can now run the Kaspersky Online Scan.

    If not, we will scan with an offline scanner instead.

    Post:

    - a fresh HijackThis log
    - the Kaspersky report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #68
    Member
    Join Date
    Jan 2008
    Location
    Atlanta, NY, Houston, Rio Grande Valley
    Posts
    89

    Hijack this

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:25:35 AM, on 1/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
    C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\Rhonn1.exe.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/commun...iewHidden=TRUE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\cafw.exe -cl
    O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
    O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfupgrade.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144371875335
    O16 - DPF: {7411047A-48E1-4EC9-8AC1-088087AD368F} (QuickBooks GLDownload Control) - https://cbspayroll.intuit.com/NetPay...GLDownload.cab
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPCtlPriv.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

    --
    End of file - 9800 bytes

  9. #69
    Member
    Join Date
    Jan 2008
    Location
    Atlanta, NY, Houston, Rio Grande Valley
    Posts
    89

    Kaspersky results, part 1

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, January 20, 2008 11:32:42 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 20/01/2008
    Kaspersky Anti-Virus database records: 524777
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 130196
    Number of viruses found: 23
    Number of infected objects: 1045
    Number of suspicious objects: 488
    Duration of the scan process: 01:54:07

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12162006-103705.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip/windows Infected: Trojan.Win32.Zapchast.dt skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip/windows Infected: Trojan.Win32.Zapchast.dt skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw2.zip/windows Infected: Trojan.Win32.Zapchast.dt skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw2.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00257728 Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00282124/[From sadegonzalas23@hkbigwood.com][Date Thu, 27 Jan 2005 16:34:37 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00282124/[From sadegonzalas23@hkbigwood.com][Date Thu, 27 Jan 2005 16:34:37 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00282124 Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00282124 CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\006D12D9/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\006D12D9 ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\006D12D9 CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00800EC3 Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\008762BC/[From postmaster@hotmail.com][Date Thu, 27 Jan 2005 22:53:18 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\008762BC/[From postmaster@hotmail.com][Date Thu, 27 Jan 2005 22:53:18 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\008762BC Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\008762BC CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01524F01 Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02176FEB Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\022841D9 Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\022B6BD6/[From webmaster@xnxx.com][Date Wed, 19 Jan 2005 20:23:02 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\022B6BD6/[From webmaster@xnxx.com][Date Wed, 19 Jan 2005 20:23:02 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\022B6BD6 Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\022B6BD6 CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\023569CB Infected: Email-Worm.Win32.NetSky.c skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\024211BD Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02623599 Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02690992/[From kai.mustonen@muaythai.fi][Date Thu, 20 Jan 2005 01:19:13 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02690992/[From kai.mustonen@muaythai.fi][Date Thu, 20 Jan 2005 01:19:13 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02690992 Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\02690992 CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\027E1819/[From webmaster@netscape.com][Date Wed, 24 Nov 2004 17:44:13 -0500]/data26445.pif Infected: Email-Worm.Win32.NetSky.r skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\027E1819 Mail: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\027E1819 CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\029867FC/[From roughdawg4@hotmail.com][Date Wed, 24 Nov 2004 17:52:24 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\029867FC/[From roughdawg4@hotmail.com][Date Wed, 24 Nov 2004 17:52:24 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\029867FC/[From roughdawg4@hotmail.com][Date Wed, 24 Nov 2004 17:52:24 -0500]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\029867FC Mail: infected - 1, suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\029867FC CryptFF: infected - 1, suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A041D2/data.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A041D2 ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04A041D2 CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04B43DBC/[From wedg@wedg.com][Date Thu, 30 Dec 2004 15:07:20 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04B43DBC/[From wedg@wedg.com][Date Thu, 30 Dec 2004 15:07:20 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04B43DBC/[From wedg@wedg.com][Date Thu, 30 Dec 2004 15:07:20 -0500]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04B43DBC Mail: infected - 1, suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04B43DBC CryptFF: infected - 1, suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04E13E61/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04E13E61 ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04E13E61 CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04E2138B Infected: Email-Worm.Win32.NetSky.c skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04FF3841/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04FF3841 ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04FF3841 CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\051F5C1D Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05230619/[From soo537@sp.edu.sg][Date Sun, 14 Nov 2004 23:50:27 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05230619/[From soo537@sp.edu.sg][Date Sun, 14 Nov 2004 23:50:27 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05230619 Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05230619 CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\052C040F/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\052C040F ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\052C040F CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\053D55FD Infected: Email-Worm.Win32.NetSky.q skipped

  10. #70

    Kaspersky results, part 2

    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054329F6/[From iseabalault@igma.com][Date Mon, 15 Nov 2004 01:04:46 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054329F6/[From iseabalault@igma.com][Date Mon, 15 Nov 2004 01:04:46 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054329F6 Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054329F6 CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\058571AE Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0592199F/[From deanwhitethaiboxing@telinco.co.uk][Date Mon, 15 Nov 2004 12:46:29 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0592199F/[From deanwhitethaiboxing@telinco.co.uk][Date Mon, 15 Nov 2004 12:46:29 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0592199F Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0592199F CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05A26B8D/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05A26B8D ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05A26B8D CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05D93550/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05D93550 ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05D93550 CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05EA073E Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05F40533/[From azeni_ajum@nyp.gov.sg][Date Mon, 15 Nov 2004 20:15:47 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05F40533/[From azeni_ajum@nyp.gov.sg][Date Mon, 15 Nov 2004 20:15:47 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05F40533 Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05F40533 CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0607011E Infected: Email-Worm.Win32.NetSky.c skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0618530C/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0618530C ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0618530C CryptFF: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06354CEC Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\063876E8/[From abdullauroc@xpz.com][Date Mon, 15 Nov 2004 23:47:12 -0800]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\063876E8/[From abdullauroc@xpz.com][Date Mon, 15 Nov 2004 23:47:12 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\063876E8 Mail: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\063876E8 CryptFF: suspicious - 2 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\063F486B Infected: Email-Worm.Win32.NetSky.q skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\06524455/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
