
Thread: Virtumond + Vundo ... Very Stubborn Viruses :(

  1. #11
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    We are not done yet

    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    File::
    c:\windows\system32\loader49.exe
    c:\windows\system32\ftp_non_crp.exe
    c:\windows\system32\guvuvara.exe
    c:\windows\system32\prnet.tmp
    c:\windows\system32\appmgmt\bdsm.dll
    
    Folder::
    c:\documents and settings\Spook\Local Settings\Application Data\Ares
    c:\program files\Jcore
    c:\documents and settings\Spook\Application Data\pidle
    C:\Documents and Settings\Spook\Application Data\Twain
    
    DDS::
    Trusted Zone: antimalwareguard.com
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened, we want to know, and also what process you had to end.

    Post:

    - a fresh combofix log
    - a fresh HijackThis log
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
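As an added example (not part of this thread and not ComboFix's own code), here is a small Python script that parses a CFScript of the kind posted above into its File::/Folder::/DDS:: sections and cross-checks it against the "Other Deletions" list in the ComboFix log it produced. It reports which requested items were confirmed removed, which were not, and what ComboFix removed on its own, and it checks that the log was in fact produced with the script (the "Command switches used ::" line). The sample CFScript and log excerpt are constructed from paths in this thread; the section and banner formats are assumed from the logs as posted here.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example: the parsing rules below are inferred from the log layout seen in
this thread (a 'Name::' line opens a CFScript section; a banner line wrapped in
parentheses opens a log section). They are not ComboFix's documented grammar.
"""
import re
from typing import Dict, List

# Constructed sample: the CFScript from the thread, as saved to CFScript.txt.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\loader49.exe
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\guvuvara.exe
c:\windows\system32\prnet.tmp
c:\windows\system32\appmgmt\bdsm.dll

Folder::
c:\documents and settings\Spook\Local Settings\Application Data\Ares
c:\program files\Jcore
c:\documents and settings\Spook\Application Data\pidle
C:\Documents and Settings\Spook\Application Data\Twain

DDS::
Trusted Zone: antimalwareguard.com
"""

# Constructed sample: an abbreviated ComboFix log excerpt built from the thread.
SAMPLE_LOG = r"""ComboFix 09-04-27.05 - Spook 04/28/2009 15:37.2 - FAT32x86
Command switches used :: c:\documents and settings\Spook\Desktop\CFScript.txt

FILE ::
c:\windows\system32\appmgmt\bdsm.dll
c:\windows\system32\loader49.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Spook\Application Data\pidle
c:\documents and settings\Spook\Application Data\pidle\pidle.exe
c:\documents and settings\Spook\Application Data\Twain
c:\documents and settings\Spook\Application Data\Twain\Twain.exe
c:\documents and settings\Spook\Local Settings\Application Data\Ares
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\ShareH.dat
c:\program files\Jcore
c:\program files\Jcore\Jcore2.dll
c:\windows\SysNotifier.exe
c:\windows\system32\appmgmt\bdsm.dll
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\garowori.dll
c:\windows\system32\guvuvara.exe
c:\windows\system32\loader49.exe
c:\windows\system32\prnet.tmp
c:\windows\system32\tukibazi.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")      # e.g. "File::", "Folder::", "DDS::"
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")      # e.g. "(((( Other Deletions ))))"


def norm(path: str) -> str:
    """Windows paths compare case-insensitively (note the mixed-case Twain entry)."""
    return path.strip().rstrip("\\").lower()


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections; each maps to its entry lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_deletions(log: str) -> List[str]:
    """Return the paths ComboFix listed under its 'Other Deletions' banner."""
    deleted: List[str] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:  # every banner starts a new log section; only one of them interests us
            in_section = m.group(1).lower() == "other deletions"
            continue
        if in_section and line and line != ".":
            deleted.append(line)
    return deleted


def script_was_used(log: str) -> bool:
    """True if the log header shows ComboFix was started with a CFScript."""
    return any(l.strip().startswith("Command switches used ::") and "cfscript" in l.lower()
               for l in log.splitlines())


def crosscheck(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Compare File::/Folder:: requests with what the log says was deleted.

    DDS:: entries (e.g. trusted-zone removals) are not file deletions and are
    deliberately left out of this comparison.
    """
    script = parse_cfscript(cfscript)
    requested = [norm(p) for p in script.get("File", []) + script.get("Folder", [])]
    deleted = [norm(p) for p in parse_deletions(log)]

    def covers(req: str, path: str) -> bool:
        # A folder counts as removed if the folder itself or anything under it is listed.
        return path == req or path.startswith(req + "\\")

    confirmed, unconfirmed = [], []
    for req in requested:
        (confirmed if any(covers(req, d) for d in deleted) else unconfirmed).append(req)
    extra = [d for d in deleted if not any(covers(r, d) for r in requested)]
    return {"confirmed": confirmed, "unconfirmed": unconfirmed, "extra": extra}


if __name__ == "__main__":
    print("script used:", script_was_used(SAMPLE_LOG))
    for key, paths in crosscheck(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{key} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

Run against the thread's own paths, every File:: and Folder:: entry comes back confirmed, and the "extra" list shows the randomly named DLLs ComboFix removed beyond what was asked, which is the kind of thing a helper would want to see when deciding on the next step.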

  2. #12
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default

    A lot of things seem better now, but the popups are still coming.

    I didn't need to end any processes, it ran very well. Thanks so far!

    ComboFix 09-04-27.05 - Spook 04/28/2009 15:37.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.542 [GMT -3:00]
    Running from: c:\documents and settings\Spook\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Spook\Desktop\CFScript.txt
    AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\system32\appmgmt\bdsm.dll
    c:\windows\system32\ftp_non_crp.exe
    c:\windows\system32\guvuvara.exe
    c:\windows\system32\loader49.exe
    c:\windows\system32\prnet.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Spook\Application Data\pidle
    c:\documents and settings\Spook\Application Data\pidle\pidle.exe
    c:\documents and settings\Spook\Application Data\Twain
    c:\documents and settings\Spook\Application Data\Twain\Twain.exe
    c:\documents and settings\Spook\Local Settings\Application Data\Ares
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\ChatroomIPs.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\default.m3u
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\DHTnodes.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\FailedSNodes.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\PHashIdx.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\ShareH.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\ShareL.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\SNodes.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_9589AB653DF41498B3685388B371C103F5AE047F.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_992F5D14ACAF36A73D27D313A397318B0EF74E19.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_BD0D749C9A81FF1D5DC0777C91430C3BEDA9235E.dat
    c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_DA760775015A529CC2C5E76EEC6A1DE22AF256D0.dat
    c:\documents and settings\Spook\Local Settings\Temporary Internet Files\bestwiner.stt
    c:\documents and settings\Spook\Local Settings\Temporary Internet Files\CPV.stt
    c:\documents and settings\Spook\Local Settings\Temporary Internet Files\Cpvff.stt
    c:\documents and settings\Spook\Local Settings\Temporary Internet Files\fbk.sts
    c:\program files\Jcore
    c:\program files\Jcore\Jcore2.dll
    c:\windows\SysNotifier.exe
    c:\windows\system32\appmgmt\bdsm.dll
    c:\windows\system32\ftp_non_crp.exe
    c:\windows\system32\garowori.dll
    c:\windows\system32\guvuvara.exe
    c:\windows\system32\ibosahom.ini
    c:\windows\system32\loader49.exe
    c:\windows\system32\mohasobi.dll
    c:\windows\system32\prnet.tmp
    c:\windows\system32\tukibazi.dll
    c:\windows\system32\vuhuviti.dll
    c:\windows\system32\zinipelu.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
    .

    2009-04-28 07:08 . 2009-04-28 07:08 -------- d-----w c:\documents and settings\Spook\Application Data\digifast
    2009-04-28 06:58 . 2009-04-28 06:58 -------- d-----w c:\program files\WWShow
    2009-04-28 06:41 . 2009-04-28 06:41 -------- d-sh--w C:\FOUND.000
    2009-04-27 08:39 . 2009-04-27 08:39 -------- d-----w c:\program files\ERUNT
    2009-04-27 03:47 . 2009-04-27 03:47 -------- d-----w c:\program files\Trend Micro
    2009-04-18 05:28 . 2009-04-18 05:28 -------- d-----w c:\documents and settings\Spook\Application Data\Armagetron
    2009-04-15 16:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-15 16:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-15 16:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-15 16:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-15 16:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-15 16:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-15 16:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-15 16:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-15 16:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-15 16:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-15 16:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-14 04:54 . 2009-04-14 04:54 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Help
    2009-04-12 02:27 . 2009-04-12 02:27 -------- d-----w c:\documents and settings\Spook\Application Data\DivX
    2009-04-05 02:55 . 2009-04-05 02:55 -------- d-----w c:\documents and settings\Spook\Application Data\teamspeak2
    2009-04-05 02:54 . 2009-04-05 02:54 -------- d-----w c:\program files\Teamspeak2_RC2
    2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\dllcache\usbaudio.sys
    2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
    2009-03-31 20:45 . 2009-03-31 20:45 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
    2009-03-31 20:44 . 2009-03-31 20:44 -------- d-----w c:\documents and settings\Spook\Application Data\SPORE Creature Creator
    2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w C:\ProgramData
    2009-03-31 20:14 . 2009-03-31 20:14 3858 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Downloaded Installations

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-28 18:44 . 2008-08-04 05:43 81984 ----a-w c:\windows\system32\bdod.bin
    2009-04-28 07:26 . 2009-01-28 07:26 61952 --sha-w c:\windows\system32\sobipore.exe
    2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\DivX
    2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\Common Files\DivX Shared
    2009-04-05 02:53 . 2009-04-05 02:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
    2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Viewpoint
    2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Common Files\AOL
    2009-03-26 05:01 . 2009-03-26 05:01 -------- d-----w c:\program files\AIM6
    2009-03-21 02:02 . 2009-03-21 02:02 107888 ----a-w c:\windows\system32\CmdLineExt.dll
    2009-03-21 01:37 . 2009-03-21 01:37 -------- d-----w c:\program files\EA GAMES
    2009-03-17 04:33 . 2009-03-10 04:49 35190 ----a-w c:\windows\scunin.dat
    2009-03-17 04:33 . 2009-03-10 04:49 967 ----a-w c:\windows\ScUnin.pif
    2009-03-17 04:33 . 2009-03-10 04:49 94208 ----a-w c:\windows\ScUnin.exe
    2009-03-16 05:18 . 2006-06-01 20:59 84632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViSplore
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\WinFlip
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\TrueTransparency
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\VisualTooltip
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViStart
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViOrb
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Rainbar
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Styler
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Drive Icon
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\LClock
    2009-03-16 04:31 . 2009-03-16 04:31 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
    2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Microsoft
    2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-03-16 04:23 . 2009-03-16 04:23 -------- d-----w c:\program files\Common Files\Windows Live
    2009-03-11 21:17 . 2009-03-11 20:50 746 ----a-w c:\windows\eReg.dat
    2009-03-11 20:49 . 2009-03-11 20:49 -------- d-----w c:\program files\Electronic Arts
    2009-03-11 20:47 . 2009-03-11 20:47 -------- d-----w c:\program files\Maxis
    2009-03-09 08:19 . 2008-12-10 21:24 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-06 14:22 . 2004-08-10 23:00 284160 ----a-w c:\windows\system32\pdh.dll
    2009-02-24 19:35 . 2009-04-06 06:09 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
    2009-02-24 19:35 . 2009-04-06 06:09 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
    2009-02-24 19:35 . 2009-04-06 06:09 129784 ------w c:\windows\system32\pxafs.dll
    2009-02-24 19:35 . 2009-04-06 06:09 120056 ------w c:\windows\system32\pxcpyi64.exe
    2009-02-24 19:35 . 2009-04-06 06:09 118520 ------w c:\windows\system32\pxinsi64.exe
    2009-02-24 19:35 . 2005-05-12 21:54 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
    2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
    2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
    2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
    2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
    2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
    2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
    2009-02-15 15:29 . 2009-02-11 16:51 35391 ----a-w c:\windows\DIIUnin.dat
    2009-02-15 15:28 . 2009-02-11 17:04 21840 ----a-w c:\windows\system32\SIntfNT.dll
    2009-02-15 15:28 . 2009-02-11 17:04 17212 ----a-w c:\windows\system32\SIntf32.dll
    2009-02-15 15:28 . 2009-02-11 17:04 12067 ----a-w c:\windows\system32\SIntf16.dll
    2009-02-11 16:51 . 2009-02-11 16:51 94208 ----a-w c:\windows\DIIUnin.exe
    2009-02-11 16:51 . 2009-02-11 16:51 2829 ----a-w c:\windows\DIIUnin.pif
    2009-02-09 12:10 . 2004-08-10 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-08-10 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-10 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 12:10 . 2004-08-10 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 11:13 . 2004-08-10 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-06 22:03 . 2009-02-06 22:03 307576 ----a-w c:\windows\WLXPGSS.SCR
    2009-02-06 21:52 . 2009-02-06 21:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 11:11 . 2004-08-10 23:00 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:06 . 2004-08-10 23:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-10 23:00 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2004-08-10 23:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 20:01 . 2009-02-03 20:00 127 ----a-w c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
    2009-02-03 19:59 . 2004-08-10 23:00 56832 ----a-w c:\windows\system32\secur32.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
    2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
    2009-04-28 07:09 . 2009-04-28 07:09 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-14 00:12 1423872 6A8B0B64F8D7EBEF70B16FF689C3C76D c:\windows\explorer.exe
    [7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
    [-] 2004-08-10 23:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
    [7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-04-28_06.54.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-04-28 18:24 . 2009-04-28 18:24 16384 c:\windows\Temp\Perflib_Perfdata_fd0.dat
    + 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_a8.dat
    + 2009-04-28 18:46 . 2009-04-28 18:46 16384 c:\windows\Temp\Perflib_Perfdata_98c.dat
    + 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_520.dat
    + 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
    + 2009-04-28 18:20 . 2009-04-28 18:20 16384 c:\windows\Temp\Perflib_Perfdata_168.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ViStart"="c:\program files\ViStart\ViStart.exe" [2008-11-12 602112]
    "TrueTransparency"="c:\program files\TrueTransparency\TrueTransparency.exe" [2008-06-25 372224]
    "DigiFast"="c:\documents and settings\Spook\Application Data\digifast\digifast.exe" [2009-04-28 225792]
    "SfKg6wIPuSpdc"="c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe" [2009-04-28 35840]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
    "Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
    "Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
    "BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
    "nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
    "DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "BDMCon"="c:\progra~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 290816]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
    "SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
    backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spook^Start Menu^Programs^Startup^Adobe Media Player.lnk]
    path=c:\documents and settings\Spook\Start Menu\Programs\Startup\Adobe Media Player.lnk
    backup=c:\windows\pss\Adobe Media Player.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\WINDOWS\\System32\\dpvsetup.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58255:TCP"= 58255:TCP:Pando Media Booster
    "58255:UDP"= 58255:UDP:Pando Media Booster
    "3776:UDP"= 3776:UDP:Media Center Extender Service
    "3390:TCP"= 3390:TCP:Remote Media Center Experience
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; [x]
    R2 eLock2FSCTLDriver;eLock2FSCTLDriver; [x]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    QWAVE REG_MULTI_SZ QWAVE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Autorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-28 c:\windows\Tasks\User_Feed_Synchronization-{6A6751F0-5C2A-427A-B368-B6246AD69287}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 05:01]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{5595b6b9-ed14-4735-a42e-c4b84a714505} - c:\windows\system32\tukibazi.dll
    BHO-{74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - c:\windows\system32\appmgmt\bdsm.dll
    HKCU-Run-prnet - c:\windows\system32\prnet.tmp
    HKCU-Run-pidle - c:\documents and settings\Spook\Application Data\pidle\pidle.exe
    HKLM-Run-prnet - c:\windows\system32\prnet.tmp
    Notify-bdsm - c:\windows\system32\appmgmt\bdsm.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Connection Wizard,ShellNext = iexplore
    FF - ProfilePath - c:\documents and settings\Spook\Application Data\Mozilla\Firefox\Profiles\q0vhrz2h.default\
    FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
    FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-28 15:47
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\cscui.dll

    - - - - - - - > 'explorer.exe'(3456)
    c:\program files\TrueTransparency\TrueTransparencyHook.dll
    c:\acer\Empowering Technology\ePower\SysHook.dll
    c:\windows\system32\ieframe.dll
    c:\program files\ViStart\StartHook.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\NETSHELL.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\windows\SYSTEM32\ATI2EVXX.EXE
    c:\acer\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
    c:\windows\EHOME\EHRECVR.EXE
    c:\windows\EHOME\EHSCHED.EXE
    c:\program files\JAVA\JRE6\BIN\JQS.EXE
    c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
    c:\program files\MAPLE STORY\NPKCMSVC.EXE
    c:\windows\EHOME\RMSVC.EXE
    c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
    c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
    c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER UPDATE SERVICE\LIVESRV.EXE
    c:\windows\EHOME\MCRDSVC.EXE
    c:\program files\COMMON FILES\PURE NETWORKS SHARED\PLATFORM\NMSRVC.EXE
    c:\program files\SOFTWIN\BITDEFENDER10\VSSERV.EXE
    c:\windows\SYSTEM32\DLLHOST.EXE
    c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
    c:\windows\EHOME\EHMSAS.EXE
    c:\program files\LAUNCH MANAGER\LMANAGER.EXE
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-28 15:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-04-28 18:50
    ComboFix2.txt 2009-04-28 07:00

    Pre-Run: 16,237,297,664 bytes free
    Post-Run: 16,243,490,816 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    347 --- E O F --- 2009-04-16 07:33


    ----------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:54:16 PM, on 4/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18372)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Maple Story\npkcmsvc.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files\Vista Drive Icon\DrvIcon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ViStart\ViStart.exe
    C:\Program Files\TrueTransparency\TrueTransparency.exe
    C:\Documents and Settings\Spook\Application Data\digifast\digifast.exe
    C:\Documents and Settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\GirLovesWaffles.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
    O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
    O4 - HKCU\..\Run: [DigiFast] C:\Documents and Settings\Spook\Application Data\digifast\digifast.exe
    O4 - HKCU\..\Run: [SfKg6wIPuSpdc] C:\Documents and Settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
    O4 - Global Startup: Acer Empowering Technology.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Maple Story\npkcmsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 9056 bytes

  3. #13
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Yes there are still some files.

    Please click this link-->Jotti

    Copy/paste the file on the list into the white Upload a file box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

    c:\windows\explorer.exe

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #14
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default

    Everything is good for that particular file

  5. #15
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Good. Then that was due to Vista packs.

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      c:\windows\system32\sobipore.exe
      c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
      
      Folder::
      c:\documents and settings\Spook\Application Data\digifast
      
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "58255:TCP"=-
      "58255:UDP"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #16
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default

    Ran faster than ever this time

    ComboFix 09-04-27.05 - Spook 04/28/2009 16:30.3 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.512 [GMT -3:00]
    Running from: c:\documents and settings\Spook\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Spook\Desktop\CFScript.txt
    AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
    c:\windows\system32\sobipore.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Spook\Application Data\digifast
    c:\documents and settings\Spook\Application Data\digifast\config.cfg
    c:\documents and settings\Spook\Application Data\digifast\DFUninstall.exe
    c:\documents and settings\Spook\Application Data\digifast\digifast.exe
    c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
    c:\documents and settings\Spook\Local Settings\Temporary Internet Files\Cpvff.stt
    c:\windows\system32\sobipore.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
    .

    2009-04-28 06:58 . 2009-04-28 06:58 -------- d-----w c:\program files\WWShow
    2009-04-28 06:41 . 2009-04-28 06:41 -------- d-sh--w C:\FOUND.000
    2009-04-27 08:39 . 2009-04-27 08:39 -------- d-----w c:\program files\ERUNT
    2009-04-27 03:47 . 2009-04-27 03:47 -------- d-----w c:\program files\Trend Micro
    2009-04-18 05:28 . 2009-04-18 05:28 -------- d-----w c:\documents and settings\Spook\Application Data\Armagetron
    2009-04-15 16:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-15 16:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-15 16:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-15 16:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-15 16:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-15 16:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-15 16:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-15 16:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-15 16:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-15 16:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-15 16:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-14 04:54 . 2009-04-14 04:54 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Help
    2009-04-12 02:27 . 2009-04-12 02:27 -------- d-----w c:\documents and settings\Spook\Application Data\DivX
    2009-04-05 02:55 . 2009-04-05 02:55 -------- d-----w c:\documents and settings\Spook\Application Data\teamspeak2
    2009-04-05 02:54 . 2009-04-05 02:54 -------- d-----w c:\program files\Teamspeak2_RC2
    2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\dllcache\usbaudio.sys
    2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
    2009-03-31 20:45 . 2009-03-31 20:45 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
    2009-03-31 20:44 . 2009-03-31 20:44 -------- d-----w c:\documents and settings\Spook\Application Data\SPORE Creature Creator
    2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w C:\ProgramData
    2009-03-31 20:14 . 2009-03-31 20:14 3858 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Downloaded Installations

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-28 19:31 . 2008-08-04 05:43 81984 ----a-w c:\windows\system32\bdod.bin
    2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\DivX
    2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\Common Files\DivX Shared
    2009-04-05 02:53 . 2009-04-05 02:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
    2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Viewpoint
    2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Common Files\AOL
    2009-03-26 05:01 . 2009-03-26 05:01 -------- d-----w c:\program files\AIM6
    2009-03-21 02:02 . 2009-03-21 02:02 107888 ----a-w c:\windows\system32\CmdLineExt.dll
    2009-03-21 01:37 . 2009-03-21 01:37 -------- d-----w c:\program files\EA GAMES
    2009-03-17 04:33 . 2009-03-10 04:49 35190 ----a-w c:\windows\scunin.dat
    2009-03-17 04:33 . 2009-03-10 04:49 967 ----a-w c:\windows\ScUnin.pif
    2009-03-17 04:33 . 2009-03-10 04:49 94208 ----a-w c:\windows\ScUnin.exe
    2009-03-16 05:18 . 2006-06-01 20:59 84632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViSplore
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\WinFlip
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\TrueTransparency
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\VisualTooltip
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViStart
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViOrb
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Rainbar
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Styler
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Drive Icon
    2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\LClock
    2009-03-16 04:31 . 2009-03-16 04:31 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
    2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Microsoft
    2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Windows Live SkyDrive
    2009-03-16 04:23 . 2009-03-16 04:23 -------- d-----w c:\program files\Common Files\Windows Live
    2009-03-11 21:17 . 2009-03-11 20:50 746 ----a-w c:\windows\eReg.dat
    2009-03-11 20:49 . 2009-03-11 20:49 -------- d-----w c:\program files\Electronic Arts
    2009-03-11 20:47 . 2009-03-11 20:47 -------- d-----w c:\program files\Maxis
    2009-03-09 08:19 . 2008-12-10 21:24 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-06 14:22 . 2004-08-10 23:00 284160 ----a-w c:\windows\system32\pdh.dll
    2009-02-24 19:35 . 2009-04-06 06:09 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
    2009-02-24 19:35 . 2009-04-06 06:09 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
    2009-02-24 19:35 . 2009-04-06 06:09 129784 ------w c:\windows\system32\pxafs.dll
    2009-02-24 19:35 . 2009-04-06 06:09 120056 ------w c:\windows\system32\pxcpyi64.exe
    2009-02-24 19:35 . 2009-04-06 06:09 118520 ------w c:\windows\system32\pxinsi64.exe
    2009-02-24 19:35 . 2005-05-12 21:54 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
    2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
    2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
    2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
    2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
    2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
    2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
    2009-02-15 15:29 . 2009-02-11 16:51 35391 ----a-w c:\windows\DIIUnin.dat
    2009-02-15 15:28 . 2009-02-11 17:04 21840 ----a-w c:\windows\system32\SIntfNT.dll
    2009-02-15 15:28 . 2009-02-11 17:04 17212 ----a-w c:\windows\system32\SIntf32.dll
    2009-02-15 15:28 . 2009-02-11 17:04 12067 ----a-w c:\windows\system32\SIntf16.dll
    2009-02-11 16:51 . 2009-02-11 16:51 94208 ----a-w c:\windows\DIIUnin.exe
    2009-02-11 16:51 . 2009-02-11 16:51 2829 ----a-w c:\windows\DIIUnin.pif
    2009-02-09 12:10 . 2004-08-10 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2004-08-10 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-10 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 12:10 . 2004-08-10 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 11:13 . 2004-08-10 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-06 22:03 . 2009-02-06 22:03 307576 ----a-w c:\windows\WLXPGSS.SCR
    2009-02-06 21:52 . 2009-02-06 21:52 49504 ----a-w c:\windows\system32\sirenacm.dll
    2009-02-06 11:11 . 2004-08-10 23:00 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:06 . 2004-08-10 23:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-10 23:00 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2004-08-10 23:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 20:01 . 2009-02-03 20:00 127 ----a-w c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
    2009-02-03 19:59 . 2004-08-10 23:00 56832 ----a-w c:\windows\system32\secur32.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
    2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
    2009-04-28 07:09 . 2009-04-28 07:09 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-14 00:12 1423872 6A8B0B64F8D7EBEF70B16FF689C3C76D c:\windows\explorer.exe
    [7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
    [-] 2004-08-10 23:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
    [7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-04-28_06.54.28 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_a8.dat
    + 2009-04-28 18:46 . 2009-04-28 18:46 16384 c:\windows\Temp\Perflib_Perfdata_98c.dat
    + 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_520.dat
    + 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "ViStart"="c:\program files\ViStart\ViStart.exe" [2008-11-12 602112]
    "TrueTransparency"="c:\program files\TrueTransparency\TrueTransparency.exe" [2008-06-25 372224]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
    "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
    "Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
    "Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
    "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
    "BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
    "nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
    "DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "BDMCon"="c:\progra~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 290816]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
    "SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
    backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Spook^Start Menu^Programs^Startup^Adobe Media Player.lnk]
    path=c:\documents and settings\Spook\Start Menu\Programs\Startup\Adobe Media Player.lnk
    backup=c:\windows\pss\Adobe Media Player.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "c:\\Program Files\\Starcraft\\StarCraft.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\WINDOWS\\System32\\dpvsetup.exe"=
    "c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3776:UDP"= 3776:UDP:Media Center Extender Service
    "3390:TCP"= 3390:TCP:Remote Media Center Experience
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; [x]
    R2 eLock2FSCTLDriver;eLock2FSCTLDriver; [x]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    QWAVE REG_MULTI_SZ QWAVE

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\Autorun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-28 c:\windows\Tasks\User_Feed_Synchronization-{6A6751F0-5C2A-427A-B368-B6246AD69287}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 05:01]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-DigiFast - c:\documents and settings\Spook\Application Data\digifast\digifast.exe
    HKCU-Run-SfKg6wIPuSpdc - c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Connection Wizard,ShellNext = iexplore
    FF - ProfilePath - c:\documents and settings\Spook\Application Data\Mozilla\Firefox\Profiles\q0vhrz2h.default\
    FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
    FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-28 16:33
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(664)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\cscui.dll
    .
    Completion time: 2009-04-28 16:35
    ComboFix-quarantined-files.txt 2009-04-28 19:35
    ComboFix2.txt 2009-04-28 18:50
    ComboFix3.txt 2009-04-28 07:00

    Pre-Run: 16,186,867,712 bytes free
    Post-Run: 16,181,198,848 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    266 --- E O F --- 2009-04-16 07:33
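    As an added example (not ComboFix's own tooling and not code from this thread), the following Python cross-checks the CFScript from the previous reply against the ComboFix log posted after it, using constructed, abridged copies of both: every File:: and Folder:: entry should appear under "Other Deletions", and each registry value marked "=-" should be absent from the "Reg Loading Points" dump.

```python
import re

# Constructed sample CFScript, mirroring the one posted in the thread.
CFSCRIPT = r"""File::
c:\windows\system32\sobipore.exe
c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe

Folder::
c:\documents and settings\Spook\Application Data\digifast

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58255:TCP"=-
"58255:UDP"=-
"""

# Constructed, abridged excerpt of the ComboFix log posted after that script ran.
COMBOFIX_LOG = r"""((((((((((((((( Other Deletions )))))))))))))))
.

c:\documents and settings\Spook\Application Data\digifast
c:\documents and settings\Spook\Application Data\digifast\digifast.exe
c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
c:\windows\system32\sobipore.exe

.
((((((((((((((( Reg Loading Points )))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"67:UDP"= 67:UDP:DHCP Discovery Service

"""

BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+$")      # ((((( Section name )))))
REG_DELETE = re.compile(r'^"([^"]+)"=-$')        # "name"=-  -> delete this value
REG_VALUE = re.compile(r'^"([^"]+)"=')           # "name"=... as dumped by ComboFix


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Registry': {key: [value names marked =-]}}."""
    script = {"File": [], "Folder": [], "Registry": {}}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]                     # File:: / Folder:: / Registry::
        elif section in ("File", "Folder"):
            script[section].append(line.lower())    # Windows paths are case-insensitive
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1].lower()
                script["Registry"].setdefault(key, [])
            elif key and (m := REG_DELETE.match(line)):
                script["Registry"][key].append(m.group(1))
    return script


def combofix_sections(log):
    """Split the log at its '((( name )))' banners; text before the first banner is keyed ''."""
    sections, name = {"": []}, ""
    for raw in log.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            name = m.group(1)
            sections[name] = []
        elif line and line != ".":                  # ComboFix pads sections with lone dots
            sections[name].append(line)
    return sections


def registry_values(log, key):
    """Value names listed under [key] in the Reg Loading Points dump (key compared case-insensitively)."""
    values, inside = set(), False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].lower() == key
        elif inside:
            if not line:
                break                               # a blank line ends the key's value list
            if m := REG_VALUE.match(line):
                values.add(m.group(1))
    return values


def verify(cfscript_text, log):
    """Report which requested deletions the log confirms and which it does not."""
    script = parse_cfscript(cfscript_text)
    deleted = {p.lower() for p in combofix_sections(log).get("Other Deletions", [])}
    wanted = script["File"] + script["Folder"]
    result = {"removed": [p for p in wanted if p in deleted],
              "missing": [p for p in wanted if p not in deleted],
              "registry_still_present": []}
    for key, names in script["Registry"].items():
        present = registry_values(log, key)
        result["registry_still_present"] += [key + "\\" + n for n in names if n in present]
    return result
```

    Anything reported under "missing" or "registry_still_present" is what a helper would ask the poster to look at again (a file locked by a running process, a typo in the script path) before moving on to the next scan.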

  7. #17
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on the Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #18
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default

    Halfway through updating Kaspersky it failed, and I'm going out for a while so I won't be back until tonight. I'll try it again later and if it doesn't work the second time, I'll let you know.

  9. #19
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default

    Took a very long time to complete that scan, about 2.5 hours actually. I had to go through it a few times because it wouldn't work properly on Firefox; I had to use IE. But finally, here is the log.

    Also, just as a note, there is a file called WWShow in my Program Files with a wwshow.dll file in it that was not there before.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Wednesday, April 29, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Wednesday, April 29, 2009 01:57:39
    Records in database: 2088355
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 109048
    Threat name: 12
    Infected objects: 25
    Suspicious objects: 0
    Duration of the scan: 02:43:33


    File name / Threat name / Threats count
    C:\WINDOWS\system32\viwc.exe Infected: Trojan.Win32.Agent2.cdb 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048904.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048918.sys Infected: Trojan.Win32.Tdss.aalf 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048920.dll Infected: Trojan.Win32.Tdss.aalc 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048921.dll Infected: Trojan.Win32.Tdss.aalg 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048922.dll Infected: Trojan.Win32.Tdss.aald 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0049936.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0049962.exe Infected: Trojan.Win32.Agent.ccwx 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0049995.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050137.EXE Infected: Trojan-Downloader.Win32.Agent.bsdk 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050138.exe Infected: Trojan.Win32.Agent.ccwx 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050140.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050141.dll Infected: not-a-virus:FraudTool.Win32.XPShield.o 1
    C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP170\A0050272.exe Infected: Trojan-Downloader.Win32.Agent.bozu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthknixshtprnyokvxvnpvjdlirmkoiwsji.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthauonskkcnoetlrcwtlmivxxqcwuulvdy.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthcddebeaamhbejcauvslgtheqrjliirac.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthsaxmhpkdatewcxjaqvunfpjilrnqplth.dll.vir Infected: Trojan.Win32.Tdss.aald 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\appmgmt\bdsm.dll.vir Infected: not-a-virus:FraudTool.Win32.XPShield.o 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\prnet.tmp.vir Infected: Trojan.Win32.Agent.ccwg 1
    C:\Qoobox\Quarantine\C\WINDOWS\Temp\664953284.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
    C:\Qoobox\Quarantine\C\WINDOWS\SysNotifier.exe.vir Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
    C:\Qoobox\Quarantine\C\Documents and Settings\Spook\Application Data\pidle\pidle.exe.vir Infected: Trojan-Downloader.Win32.Agent.bsdk 1
    C:\Qoobox\Quarantine\C\Documents and Settings\Spook\Application Data\Twain\Twain.exe.vir Infected: Trojan.Win32.Agent.ccwx 1
    C:\Qoobox\Quarantine\C\Documents and Settings\Spook\Application Data\digifast\digifast.exe.vir Infected: Trojan-Downloader.Win32.Agent.bozu 1

    The selected area was scanned.



    --------------------------


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:59:06 AM, on 4/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18372)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Maple Story\npkcmsvc.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files\Vista Drive Icon\DrvIcon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ViStart\ViStart.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\GirLovesWaffles.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
    O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
    O4 - Global Startup: Acer Empowering Technology.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Maple Story\npkcmsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 8617 bytes

  10. #20
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Please scan this file next in jotti/virustotal and post back results:

    C:\WINDOWS\system32\viwc.exe
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
