Tech Support Forum, Resolved HJT Threads (resolved spyware and popup issues)
#1, 12-04-2008, 06:52 PM, posted by borik7 (Registered User; joined Sep 2007; 8 posts; OS: XP)
Virtumonde, etc. - pls help

Ran SpyBot and McAfee. SpyBot still finds:
Microsoft.WindowsSecurityCenter.FirewallBypass
Virtumonde
Virtumonde.prx

Symptoms:
Msconfig, startup tab: can't terminate a 'supilime' service (access denied).
Taskmgr does not work: clicking taskmgr.exe gives the message 'not found'.
The machine is a bit slow.
I appreciate the help.

DDS.txt:

DDS (Version 1.0) - NTFSx86
Run by Owner at 20:37:46.85 on Thu 12/04/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.882 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = https://wmusremote.ubs.com/Citrix/Me...uth/login.aspx
BHO: {37211d51-b7fb-4c33-9570-0f32563b5947} - c:\windows\system32\falukovo.dll
BHO: {421B0608-9183-8757-D91D-77F3D214EEED} - c:\windows\system32\iobhmxdatlther.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {ECD3EFDF-7EC0-46C3-850C-D9E9A03ED4C4} - c:\windows\system32\fccdefgf.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [davijawozu] Rundll32.exe "c:\windows\system32\supilime.dll",s
mRun: [CPMb759a5ea] Rundll32.exe "c:\windows\system32\feyimupa.dll",a
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-system: DisableTaskMgr = 0 (0x0)
IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {85F9F13A-8885-4FEC-B2F6-05358A6058E8} = 207.69.188.172,207.69.188.171
Notify: igfxcui - igfxdev.dll
Notify: nnnmnlKd - nnnmnlKd.dll
AppInit_DLLs: c:\windows\system32\jelukahu.dll c:\windows\system32\feyimupa.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\feyimupa.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\feyimupa.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\window~4\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccdefgf
LSA: Notification Packages = scecli c:\windows\system32\pejolido.dll c:\windows\system32\jelukahu.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-13 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-13 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-13 144704]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-13 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-13 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-13 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-13 40488]
R3 SQ931;Zoom 2.0 Webcam;c:\windows\system32\drivers\Capt931a.sys [2008-10-30 530432]
S1 8adc79fa;8adc79fa;c:\windows\system32\drivers\8adc79fa.sys []
S1 atinpdxxx;atinpdxxx;c:\windows\system32\drivers\atinpdxxx.sys []
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-13 33832]

=============== Created Last 30 ================

2008-12-04 17:57 1,995 ---sh--- c:\windows\system32\zeriweno.exe
2008-12-01 17:58 250 a------- c:\windows\gmer.ini
2008-12-01 08:27 134,144 a------- c:\windows\system32\REGEDIT.EXE
2008-12-01 01:12 <DIR> --d----- c:\windows\pss
2008-12-01 01:02 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2008-12-01 01:02 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2008-12-01 01:02 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2008-12-01 01:02 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2008-12-01 01:02 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2008-12-01 01:01 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2008-12-01 01:01 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2008-12-01 01:01 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2008-12-01 01:01 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2008-12-01 01:01 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2008-12-01 01:01 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2008-12-01 01:01 8,832 ac------ c:\windows\system32\dllcache\wmiacpi.sys
2008-12-01 01:01 154,624 ac------ c:\windows\system32\dllcache\wlluc48.sys
2008-12-01 01:01 34,890 ac------ c:\windows\system32\dllcache\wlandrv2.sys
2008-12-01 00:59 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2008-12-01 00:58 7,040 ac------ c:\windows\system32\dllcache\tandqic.sys
2008-12-01 00:57 28,160 ac------ c:\windows\system32\dllcache\sm91w.dll
2008-12-01 00:56 65,664 ac------ c:\windows\system32\dllcache\s3legacy.sys
2008-12-01 00:55 17,792 ac------ c:\windows\system32\dllcache\ppa.sys
2008-12-01 00:54 61,696 ac------ c:\windows\system32\dllcache\ohci1394.sys
2008-12-01 00:53 49,024 ac------ c:\windows\system32\dllcache\mstape.sys
2008-12-01 00:52 58,880 ac------ c:\windows\system32\dllcache\m3092dc.dll
2008-12-01 00:51 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2008-12-01 00:50 106,496 ac------ c:\windows\system32\dllcache\OLD3A5.tmp
2008-12-01 00:49 73,279 ac------ c:\windows\system32\dllcache\hsf_spkp.sys
2008-12-01 00:48 441,728 ac------ c:\windows\system32\dllcache\fpcmbase.sys
2008-12-01 00:47 634,134 ac------ c:\windows\system32\dllcache\el656ct5.sys
2008-12-01 00:46 20,928 ac------ c:\windows\system32\dllcache\defpa.sys
2008-12-01 00:45 56,320 ac------ c:\windows\system32\dllcache\OLD185.tmp
2008-12-01 00:44 66,082 ac------ c:\windows\system32\dllcache\c_1144.nls
2008-12-01 00:43 23,552 ac------ c:\windows\system32\dllcache\atixbar.sys
2008-12-01 00:42 101,888 ac------ c:\windows\system32\dllcache\adpu160m.sys
2008-12-01 00:41 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2008-12-01 00:41 2,145,280 ac------ c:\windows\system32\dllcache\OLD1B.tmp
2008-12-01 00:30 33,832 a------- c:\windows\system32\azcruaso.exe
2008-12-01 00:30 33,832 a------- c:\windows\system32\hyzebryr.exe
2008-12-01 00:27 121 ---sh--- c:\windows\system32\wpknomud.ini
2008-12-01 00:22 <DIR> --d----- c:\program files\NCH Swift Sound
2008-11-30 18:52 <DIR> --d----- c:\program files\Sierra Online
2008-11-30 18:39 <DIR> --d----- c:\docume~1\owner\applic~1\DeepBurner Pro
2008-11-30 18:37 <DIR> --d----- c:\program files\Astonsoft
2008-11-30 16:26 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-30 16:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-30 15:59 143 a------- c:\windows\system32\mcrh.tmp
2008-11-30 15:59 32,768 a------- c:\windows\system32\mlJCtusq.dll
2008-11-30 15:59 32,768 a------- c:\windows\system32\ddcATlJC.dll
2008-11-30 15:52 32,768 a------- c:\windows\system32\urqPfGAr.dll
2008-11-30 15:52 32,768 a------- c:\windows\system32\iifecaYq.dll
2008-11-30 15:51 47,598 a------- c:\windows\system32\iitkjhnousmet.exe
2008-11-30 15:50 32,768 a------- c:\windows\system32\vtUkhfec.dll
2008-11-30 15:50 32,768 a------- c:\windows\system32\awtsSmjK.dll
2008-11-30 15:50 32,768 a------- c:\windows\system32\hgGaxyYQ.dll
2008-11-30 15:49 <DIR> --d----- c:\windows\system32\vi
2008-11-30 15:49 <DIR> --d----- c:\windows\system32\op8
2008-11-30 15:49 <DIR> --d----- c:\windows\system32\giv
2008-11-30 15:49 <DIR> --d----- c:\temp\DIV55
2008-11-30 15:49 <DIR> --d----- c:\windows\system32\IN
2008-11-30 15:49 <DIR> --d----- c:\windows\system32\gi3
2008-11-30 15:49 <DIR> --d----- c:\windows\system32\TEC
2008-11-30 15:49 32,768 a------- c:\windows\system32\hgGabYSj.dll
2008-11-30 15:49 905,354 a------- c:\temp\uVN23L.exe
2008-11-30 15:38 403 a------- c:\windows\iexplore.htm
2008-11-30 15:30 <DIR> --d----- c:\program files\Sierra On-Line
2008-11-30 15:18 151 a------- c:\windows\wininit.ini
2008-11-30 12:08 <DIR> --d----- C:\SIERRA
2008-11-30 12:07 418 a------- c:\windows\SIERRA.INI
2008-11-30 12:07 231 a------- c:\windows\system.bak
2008-11-30 12:07 314,880 a------- c:\windows\IsUninst.exe
2008-11-30 12:07 <DIR> --d----- c:\documents and settings\owner\WINDOWS
2008-11-30 11:26 176,324,608 a------- C:\Image.iso
2008-11-30 11:00 <DIR> --d----- c:\docume~1\owner\applic~1\InfraRecorder
2008-11-30 10:21 31,049 a------- c:\windows\system32\LSHPRN.EXE
2008-11-30 10:21 255 a------- c:\windows\system32\44upd.dll
2008-11-30 10:21 255 a------- c:\windows\system32\43upd.dll
2008-11-30 10:21 256 a------- c:\windows\system32\46upd.dll
2008-11-30 10:21 255 a------- c:\windows\system32\45upd.dll
2008-11-30 10:21 25 a------- c:\windows\sc32.dll
2008-11-30 00:02 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-29 12:58 <DIR> --d----- C:\Old
2008-11-29 12:55 <DIR> --d----- c:\program files\DOSBox-0.72
2008-11-21 08:29 <DIR> --d----- C:\iEntertainment Network
2008-11-20 19:41 160,640 a------- c:\windows\system32\drivers\a347bus.sys
2008-11-20 19:41 5,248 a------- c:\windows\system32\drivers\a347scsi.sys
2008-11-20 19:41 <DIR> --d----- c:\program files\Alcohol Soft
2008-11-18 19:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Babylon
2008-11-18 19:11 <DIR> --d----- c:\docume~1\owner\applic~1\Babylon
2008-11-17 23:22 <DIR> --d----- c:\program files\FreeGamePick.com

==================== Find3M ====================

2008-12-03 20:20 85,557 a--sh--- c:\windows\system32\wonupago.dll
2008-12-03 20:20 64,565 a--sh--- c:\windows\system32\wewefove.dll
2008-12-01 20:23 86,580 a--sh--- c:\windows\system32\godobovo.dll
2008-12-01 20:23 65,076 a--sh--- c:\windows\system32\lapagoyi.dll
2008-12-01 00:43 33,832 a------- c:\windows\system32\upcrnhqy.exe
2008-11-30 12:17 <DIR> --d----- c:\program files\eMule
2008-11-29 14:57 <DIR> --d----- c:\docume~1\owner\applic~1\Vso
2008-11-29 14:37 <DIR> --d----- c:\docume~1\owner\applic~1\SolSuite
2008-11-08 01:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NCH Swift Sound
2008-11-04 20:05 <DIR> --d----- c:\program files\DivX
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-28 17:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-28 17:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-28 17:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-28 17:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-16 17:40 <DIR> --d----- c:\program files\Quicken
2008-10-16 17:37 <DIR> --d----- c:\docume~1\owner\applic~1\Intuit
2008-10-16 17:37 <DIR> --d----- c:\program files\common files\Palo Alto Software
2008-10-16 17:37 <DIR> --d----- c:\program files\common files\Intuit
2008-10-16 17:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2008-10-14 07:04 <DIR> --d----- c:\program files\Microsoft ActiveSync
2008-10-13 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2008-10-13 17:35 <DIR> --d----- c:\program files\ffdshow
2008-10-13 17:35 <DIR> --d----- c:\program files\AC3Filter
2008-10-13 17:33 <DIR> --d----- c:\program files\Xvid
2008-10-13 17:23 <DIR> --d----- c:\docume~1\owner\applic~1\ICAClient
2008-10-13 17:22 <DIR> --d----- c:\program files\Citrix
2008-10-13 17:14 <DIR> --d----- c:\program files\Messenger
2008-10-13 17:12 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-13 17:09 <DIR> --d----- c:\program files\VSO
2008-10-13 17:07 <DIR> --d----- c:\program files\WinZip Self-Extractor
2008-10-13 17:06 <DIR> --d----- c:\program files\Windows NT
2008-10-13 17:01 <DIR> --d----- c:\program files\SolSuite
2008-10-13 06:38 <DIR> --d----- c:\program files\McAfee
2008-10-13 06:24 <DIR> --d----- c:\program files\Online Services
2008-10-13 06:02 <DIR> --d-h--- c:\program files\WindowsUpdate
2008-10-13 04:31 <DIR> --d----- c:\program files\common files\McAfee
2008-10-13 04:31 <DIR> --d----- c:\program files\McAfee.com
2008-10-13 04:23 <DIR> --d----- c:\program files\Analog Devices
2008-10-13 02:02 <DIR> --d----- c:\program files\common files\MSSoap
2008-10-13 02:01 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-10-13 02:01 <DIR> --d----- c:\program files\MSN Gaming Zone
2008-10-12 20:16 <DIR> --d----- c:\program files\common files\ODBC
2008-10-12 20:16 <DIR> --d----- c:\program files\common files\SpeechEngines
2008-09-25 03:03 524,288 a------- c:\windows\system32\DivXsm.exe
2008-09-25 03:03 196,608 a------- c:\windows\system32\dtu100.dll
2008-09-25 03:03 81,920 a------- c:\windows\system32\dpl100.dll
2008-09-25 03:03 53,248 a------- c:\windows\system32\dpuGUI10.dll
2008-09-25 03:03 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-09-25 03:03 344,064 a------- c:\windows\system32\dpus11.dll
2008-09-25 03:03 57,344 a------- c:\windows\system32\dpv11.dll
2008-09-25 03:03 294,912 a------- c:\windows\system32\dpu11.dll
2008-09-25 03:03 294,912 a------- c:\windows\system32\dpu10.dll
2008-09-25 03:03 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 16:57 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-09-19 16:55 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-09-19 16:55 200,704 a------- c:\windows\system32\ssldivx.dll
2008-09-19 16:54 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-01 20:23 93,696 a--sh--- c:\windows\system32\biyedepu.dll
2008-09-03 20:20 64,565 a--sh--- c:\windows\system32\falukovo.dll
2008-09-03 20:20 64,565 a--sh--- c:\windows\system32\jelukahu.dll

============= FINISH: 20:38:30.25 ===============
Attached files: Gmer.txt (54.5 KB), Attach.txt (3.2 KB)
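The DDS report above lists the load points a Virtumonde-class infection typically hooks: BHOs, Run keys that drive Rundll32, AppInit_DLLs, Winlogon Notify, SSODL and the LSA Authentication/Notification package lists. The following Python script is an added example for this thread, not code from DDS, ComboFix or the forum: it triages a DDS "Pseudo HJT Report" for those patterns and returns the module names a helper would want to look at. The sample input is a subset of lines copied from the log posted above; the allowlist, the section names it keys on and the heuristics (a one-letter Rundll32 export, a BHO loaded straight from system32, any non-default entry in the sensitive load points, a non-zero Policies-system value) are assumptions for illustration, not an exhaustive rule set.

```python
import re

# Lines copied from the DDS "Pseudo HJT Report" posted above (abridged).
SAMPLE_REPORT = r"""
BHO: {37211d51-b7fb-4c33-9570-0f32563b5947} - c:\windows\system32\falukovo.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [davijawozu] Rundll32.exe "c:\windows\system32\supilime.dll",s
mRun: [CPMb759a5ea] Rundll32.exe "c:\windows\system32\feyimupa.dll",a
uPolicies-system: DisableTaskMgr = 0 (0x0)
Notify: igfxcui - igfxdev.dll
Notify: nnnmnlKd - nnnmnlKd.dll
AppInit_DLLs: c:\windows\system32\jelukahu.dll c:\windows\system32\feyimupa.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\feyimupa.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccdefgf
LSA: Notification Packages = scecli c:\windows\system32\pejolido.dll c:\windows\system32\jelukahu.dll
"""

# Load points where anything beyond the OS defaults deserves a look.
SENSITIVE_SECTIONS = {"AppInit_DLLs", "LSA", "Notify", "SSODL", "STS"}
# Allowlist for this XP box (assumption): default LSA packages plus the
# Intel graphics Winlogon notify DLL seen in the report.
KNOWN_GOOD = {"msv1_0", "scecli", "igfxdev.dll"}

LINE_RE = re.compile(r"^(?P<section>[A-Za-z_\-]+):\s*(?P<body>.*)$")
PATH_RE = re.compile(r'[a-z]:\\[^\s",]+', re.IGNORECASE)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
POLICY_RE = re.compile(r"(\w+)\s*=\s*(\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def loaded_modules(body):
    """Tokens of a load-point line that name a module (a path or *.dll)."""
    rhs = body.split("=", 1)[1] if "=" in body else body
    return [basename(t) for t in rhs.split()
            if "\\" in t or t.lower().endswith(".dll")]


def triage(report):
    """Return (section, module, reason) tuples for suspicious entries."""
    findings = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in SENSITIVE_SECTIONS:
            # Anything not on the allowlist in these keys is worth a look.
            for mod in loaded_modules(body):
                if mod.lower() not in KNOWN_GOOD:
                    findings.append((section, mod,
                                     "non-default module in sensitive load point"))
        elif section.endswith("Run"):
            # Vundo-style Run entries: Rundll32 "<dll>",<single letter>
            rm = RUNDLL_RE.search(body)
            if rm and len(rm.group(2)) == 1:
                findings.append((section, basename(rm.group(1)),
                                 "Rundll32 calling a DLL by a one-letter export"))
        elif section == "BHO":
            # Legitimate BHOs normally live under Program Files (assumption).
            for p in PATH_RE.findall(body):
                if "\\system32\\" in p.lower():
                    findings.append((section, basename(p),
                                     "BHO loaded from system32"))
        elif section.endswith("Policies-system"):
            pm = POLICY_RE.search(body)
            if pm and int(pm.group(2)) != 0:
                findings.append((section, pm.group(1), "restrictive policy set"))
    return findings


def suspicious_modules(report):
    """Distinct module names from triage(), case-insensitively sorted."""
    return sorted({mod for _, mod, _ in triage(report)}, key=str.lower)


if __name__ == "__main__":
    for section, mod, reason in triage(SAMPLE_REPORT):
        print(f"{section:16} {mod:16} {reason}")
```

On the posted log the policy rule stays silent (the report shows DisableTaskMgr = 0), while the other rules return seven module names, several of which (falukovo.dll, jelukahu.dll) also appear in the "Other Deletions" list of the ComboFix log later in the thread.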
#2, 12-06-2008, 04:51 AM, posted by sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; joined May 2005; 23,246 posts)
Re: Virtumonde, etc. - pls help

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
#3, 12-06-2008, 06:11 AM, posted by the original poster (Registered User; joined Sep 2007; 8 posts; OS: XP)
Re: Virtumonde, etc. - pls help

Quote (originally posted by sUBs):
    Please visit this webpage for instructions for downloading and running ComboFix:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    Post the log from ComboFix when you've accomplished that.

Thanks for the quick reply. Please find the log below. One comment: I couldn't create the XP Recovery Console because I have SP3. Everything else looks great so far. Best regards.

ComboFix 08-12-05.06 - Owner 2008-12-06 8:55:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.862 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Owner\Application Data\inst.exe
c:\windows\regedit.com
c:\windows\sc32.dll
c:\windows\system32\43upd.dll
c:\windows\system32\44upd.dll
c:\windows\system32\45upd.dll
c:\windows\system32\46upd.dll
c:\windows\system32\biyedepu.dll
c:\windows\system32\falukovo.dll
c:\windows\system32\godobovo.dll
c:\windows\system32\hosezora.dll
c:\windows\system32\jelukahu.dll
c:\windows\system32\lapagoyi.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\nevihezu.dll
c:\windows\system32\regedit.exe
c:\windows\system32\uzehiven.ini
c:\windows\system32\wewefove.dll
c:\windows\system32\wonupago.dll
c:\windows\system32\wpknomud.ini
c:\windows\Tasks\foilozho.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-04 17:57 . 2008-12-04 17:57 1,995 ---hs---- c:\windows\system32\zeriweno.exe
2008-12-01 17:58 . 2008-12-04 20:18 250 --a------ c:\windows\gmer.ini
2008-12-01 07:40 . 2008-12-01 07:40 <DIR> d-------- c:\documents and settings\Administrator
2008-12-01 01:02 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2008-12-01 01:02 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2008-12-01 01:02 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2008-12-01 01:02 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2008-12-01 01:02 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2008-12-01 01:01 . 2002-08-28 22:59 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys
2008-12-01 01:01 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2008-12-01 01:01 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys
2008-12-01 01:01 . 2003-03-31 07:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-01 01:01 . 2004-08-04 01:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2008-12-01 01:01 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2008-12-01 01:01 . 2004-08-04 01:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2008-12-01 01:01 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2008-12-01 01:01 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-12-01 00:59 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2008-12-01 00:58 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2008-12-01 00:57 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2008-12-01 00:56 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2008-12-01 00:55 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2008-12-01 00:54 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2008-12-01 00:53 . 2001-08-17 12:50 320,384 --a--c--- c:\windows\system32\dllcache\mgaum.sys
2008-12-01 00:52 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2008-12-01 00:51 . 2003-03-31 07:00 311,359 --a--c--- c:\windows\system32\dllcache\OLD3B1.tmp
2008-12-01 00:50 . 2008-04-13 19:09 13,463,552 --a--c--- c:\windows\system32\dllcache\OLD371.tmp
2008-12-01 00:49 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2008-12-01 00:48 . 2001-08-17 12:17 629,952 --a--c--- c:\windows\system32\dllcache\eqn.sys
2008-12-01 00:47 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2008-12-01 00:46 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2008-12-01 00:45 . 2003-03-31 07:00 1,677,824 --a--c--- c:\windows\system32\dllcache\OLD17C.tmp
2008-12-01 00:44 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2008-12-01 00:43 . 2001-08-17 14:55 382,592 --a--c--- c:\windows\system32\dllcache\atidrab.dll
2008-12-01 00:42 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-12-01 00:41 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\OLD1B.tmp
2008-12-01 00:41 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2008-12-01 00:30 . 2008-12-01 00:30 33,832 --a------ c:\windows\system32\hyzebryr.exe
2008-12-01 00:30 . 2008-12-01 00:30 33,832 --a------ c:\windows\system32\azcruaso.exe
2008-12-01 00:22 . 2008-12-01 00:22 <DIR> d-------- c:\program files\NCH Swift Sound
2008-11-30 18:52 . 2008-11-30 18:52 <DIR> d-------- c:\program files\Sierra Online
2008-11-30 18:39 . 2008-12-01 00:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\DeepBurner Pro
2008-11-30 18:37 . 2008-11-30 18:37 <DIR> d-------- c:\program files\Astonsoft
2008-11-30 16:26 . 2008-12-01 09:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 16:26 . 2008-12-01 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 15:59 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\mlJCtusq.dll
2008-11-30 15:59 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\ddcATlJC.dll
2008-11-30 15:52 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\urqPfGAr.dll
2008-11-30 15:52 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\iifecaYq.dll
2008-11-30 15:51 . 2008-11-30 15:51 47,598 --a------ c:\windows\system32\iitkjhnousmet.exe
2008-11-30 15:50 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\vtUkhfec.dll
2008-11-30 15:50 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\hgGaxyYQ.dll
2008-11-30 15:50 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\awtsSmjK.dll
2008-11-30 15:49 . 2008-12-04 08:47 <DIR> d-------- c:\windows\system32\vi
2008-11-30 15:49 . 2008-11-30 16:13 <DIR> d-------- c:\windows\system32\TEC
2008-11-30 15:49 . 2008-12-04 08:47 <DIR> d-------- c:\windows\system32\op8
2008-11-30 15:49 . 2008-11-30 15:51 <DIR> d-------- c:\windows\system32\IN
2008-11-30 15:49 . 2008-11-30 15:49 <DIR> d-------- c:\windows\system32\giv
2008-11-30 15:49 . 2008-12-04 08:15 <DIR> d-------- c:\windows\system32\gi3
2008-11-30 15:49 . 2008-11-30 15:49 <DIR> d-------- c:\temp\DIV55
2008-11-30 15:49 . 2008-11-30 15:49 905,354 --a------ c:\temp\uVN23L.exe
2008-11-30 15:49 . 2008-11-30 16:50 32,768 --a------ c:\windows\system32\hgGabYSj.dll
2008-11-30 15:38 . 2008-12-01 01:14 403 --a------ c:\windows\iexplore.htm
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d-------- c:\program files\Sierra On-Line
2008-11-30 15:18 . 2008-12-03 21:42 151 --a------ c:\windows\wininit.ini
2008-11-30 12:08 . 2008-11-30 15:31 <DIR> d-------- C:\SIERRA
2008-11-30 12:07 . 2008-11-30 12:07 <DIR> d-------- c:\documents and settings\Owner\WINDOWS
2008-11-30 12:07 . 1997-06-02 12:32 314,880 --a------ c:\windows\IsUninst.exe
2008-11-30 12:07 . 2008-11-30 15:30 418 --a------ c:\windows\SIERRA.INI
2008-11-30 12:07 . 2008-10-12 20:16 231 --a------ c:\windows\system.bak
2008-11-30 11:26 . 2008-11-30 11:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\ImgBurn
2008-11-30 11:26 . 2008-11-30 11:26 176,324,608 --a------ C:\Image.iso
2008-11-30 11:24 . 2008-11-30 11:24 <DIR> d-------- c:\program files\ImgBurn
2008-11-30 11:00 . 2008-11-30 11:06 <DIR> d-------- c:\documents and settings\Owner\Application Data\InfraRecorder
2008-11-30 10:21 . 2008-11-30 10:22 31,049 --a------ c:\windows\system32\LSHPRN.EXE
2008-11-30 00:03 . 2008-11-30 00:03 <DIR> dr-h----- c:\documents and settings\Owner\Application Data\SecuROM
2008-11-30 00:02 . 2008-11-30 00:02 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-11-29 12:58 . 2008-11-29 13:45 <DIR> d-------- C:\Old
2008-11-29 12:55 . 2008-11-29 13:46 <DIR> d-------- c:\program files\DOSBox-0.72
2008-11-24 19:16 . 2008-11-24 19:16 <DIR> dr-h----- C:\MSOCache
2008-11-21 08:29 . 2008-11-21 08:29 <DIR> d-------- C:\iEntertainment Network
2008-11-20 19:41 . 2008-11-20 19:41 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-20 19:41 . 2004-04-30 09:37 160,640 --a------ c:\windows\system32\drivers\a347bus.sys
2008-11-20 19:41 . 2004-04-30 09:33 5,248 --a------ c:\windows\system32\drivers\a347scsi.sys
2008-11-18 19:11 . 2008-11-18 19:11 <DIR> d-------- c:\documents and settings\Owner\Application Data\Babylon
2008-11-18 19:11 . 2008-11-18 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Babylon
2008-11-17 23:22 . 2008-11-17 23:22 <DIR> d-------- c:\program files\FreeGamePick.com
2008-11-15 09:10 . 2008-11-15 09:10 <DIR> d-------- c:\documents and settings\Owner\Application Data\Apple Computer
2008-11-13 20:45 . 2008-11-13 20:45 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-13 20:44 . 2008-11-13 20:45 <DIR> d-------- c:\program files\QuickTime
2008-11-13 20:44 . 2008-11-13 20:44 <DIR> d-------- c:\program files\Apple Software Update
2008-11-13 20:44 . 2008-11-15 09:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-13 20:44 . 2008-11-13 20:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-09 09:29 . 2008-11-09 09:29 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-09 09:19 . 2008-11-09 09:22 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-09 09:06 . 2008-11-13 03:08 <DIR> d-------- c:\program files\NOS
2008-11-09 09:06 . 2008-11-13 03:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 05:43 33,832 ----a-w c:\windows\system32\upcrnhqy.exe
2008-11-30 23:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 17:17 --------- d-----w c:\program files\eMule
2008-11-29 19:57 --------- d-----w c:\documents and settings\Owner\Application Data\Vso
2008-11-29 19:37 --------- d-----w c:\documents and settings\Owner\Application Data\SolSuite
2008-11-08 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-05 01:05 --------- d-----w c:\program files\DivX
2008-10-30 19:59 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:40 --------- d-----w c:\program files\Quicken
2008-10-16 22:37 --------- d-----w c:\program files\Common Files\Palo Alto Software
2008-10-16 22:37 --------- d-----w c:\program files\Common Files\Intuit
2008-10-16 22:37 --------- d-----w c:\documents and settings\Owner\Application Data\Intuit
2008-10-16 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 12:04 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-14 12:02 --------- d-----w c:\program files\Microsoft.NET
2008-10-14 02:00 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2008-10-13 22:52 --------- d-----w c:\program files\Windows Defender
2008-10-13 22:35 --------- d-----w c:\program files\ffdshow
2008-10-13 22:35 --------- d-----w c:\program files\AC3Filter
2008-10-13 22:33 --------- d-----w c:\program files\Xvid
2008-10-13 22:33 --------- d-----w c:\documents and settings\Owner\Application Data\DivX
2008-10-13 22:23 --------- d-----w c:\documents and settings\Owner\Application Data\ICAClient
2008-10-13 22:22 --------- d-----w c:\program files\Citrix
2008-10-13 22:09 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-10-13 22:09 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2008-10-13 22:09 --------- d-----w c:\program files\VSO
2008-10-13 22:07 --------- d-----w c:\program files\WinZip Self-Extractor
2008-10-13 22:01 --------- d-----w c:\program files\SolSuite
2008-10-13 11:38 --------- d-----w c:\program files\McAfee
2008-10-13 09:32 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-13 09:31 --------- d-----w c:\program files\McAfee.com
2008-10-13 09:31 --------- d-----w c:\program files\Common Files\McAfee
2008-10-13 09:26 --------- d-----w c:\program files\Intel
2008-10-13 09:26 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-13 09:23 --------- d-----w c:\program files\Analog Devices
2008-10-13 07:03 --------- d-----w c:\program files\microsoft frontpage
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.XVID"= xvid.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\davijawozu

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinterSecurityLayer]
--a------ 2008-11-30 10:22 31049 c:\windows\system32\LSHPRN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQ931STI]
--a------ 2007-01-24 13:24 151552 c:\windows\SQ931STI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 SQ931;Zoom 2.0 Webcam;c:\windows\system32\Drivers\Capt931a.sys [2008-10-30 530432]
S1 8adc79fa;8adc79fa;c:\windows\system32\drivers\8adc79fa.sys []
S1 atinpdxxx;atinpdxxx;c:\windows\system32\drivers\atinpdxxx.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{37211d51-b7fb-4c33-9570-0f32563b5947} - c:\windows\system32\falukovo.dll
BHO-{421B0608-9183-8757-D91D-77F3D214EEED} - c:\windows\system32\iobhmxdatlther.dll
BHO-{ECD3EFDF-7EC0-46C3-850C-D9E9A03ED4C4} - c:\windows\system32\fccdefgf.dll
HKLM-Run-davijawozu - c:\windows\system32\supilime.dll
Notify-nnnmnlKd - nnnmnlKd.dll
MSConfigStartUp-b46a9676 - c:\windows\system32\wonupago.dll
MSConfigStartUp-CPMb759a5ea - c:\windows\system32\feyimupa.dll
MSConfigStartUp-mjkxwgfkmh - c:\windows\system32\iobhmxdatlther.dll
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe


.
------- Supplementary Scan -------
.
uStart Page = https://wmusremote.ubs.com/Citrix/Me...uth/login.aspx
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {85F9F13A-8885-4FEC-B2F6-05358A6058E8} = 207.69.188.172,207.69.188.171
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6zyxrz7w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 09:00:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-12-06 9:02:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 14:02:09

Pre-Run: 180,391,362,560 bytes free
Post-Run: 180,331,708,416 bytes free

302 --- E O F --- 2008-11-28 23:08:26
borik7 is offline  
Old 12-06-2008, 06:19 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Virtumonde, etc. - pls help

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/320315-virtumonde-etc-pls-help.html
Collect::
c:\windows\system32\zeriweno.exe
c:\windows\system32\hyzebryr.exe
c:\windows\system32\azcruaso.exe
c:\windows\system32\mlJCtusq.dll
c:\windows\system32\ddcATlJC.dll
c:\windows\system32\urqPfGAr.dll
c:\windows\system32\iifecaYq.dll
c:\windows\system32\iitkjhnousmet.exe
c:\windows\system32\vtUkhfec.dll
c:\windows\system32\hgGaxyYQ.dll
c:\windows\system32\awtsSmjK.dll
c:\temp\uVN23L.exe
c:\windows\system32\hgGabYSj.dll
c:\windows\system32\LSHPRN.EXE
c:\windows\system32\drivers\8adc79fa.sys
c:\windows\system32\drivers\atinpdxxx.sys
File::
c:\windows\iexplore.htm
c:\windows\system.bak
c:\windows\system32\dllcache\OLD3B1.tmp
c:\windows\system32\dllcache\OLD371.tmp
c:\windows\system32\dllcache\OLD17C.tmp
c:\windows\system32\dllcache\atidrab.dll
c:\windows\system32\dllcache\OLD1B.tmp
Folder::
c:\windows\system32\vi
c:\windows\system32\TEC
c:\windows\system32\op8
c:\windows\system32\IN
c:\windows\system32\giv
c:\windows\system32\gi3
c:\temp\DIV55
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\davijawozu]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinterSecurityLayer]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\ComboFix\\fdsv.cfexe"=-
"c:\\WINDOWS\\system32\\spoolsv.exe"=-
Driver::
8adc79fa
atinpdxxx
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include fresh logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
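The ComboFix log in the first post and the CFScript in the reply above line up: the two nameless S1 drivers (8adc79fa, atinpdxxx) become the Driver:: section, the spoolsv.exe firewall exception is pulled from the Registry:: section, and the orphaned BHO/Notify/Run entries are the Virtumonde leftovers. The script below is an added example by the editor, not ComboFix's code and not anything sUBs posted; it reads a log in this format and flags the same four classes of indicator. The sample lines are condensed from the log above; the SYSTEM_BINARIES list, the random-name rule and the reading of an empty "[]" as "ComboFix found no file to stamp" are the editor's own assumptions rather than documented ComboFix behaviour.

```python
"""Triage a ComboFix-style log for tampering and persistence indicators.
Editor's example code; heuristics are assumptions, not ComboFix rules."""
import re
from dataclasses import dataclass

# Constructed sample: lines condensed from the first ComboFix log in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 SQ931;Zoom 2.0 Webcam;c:\windows\system32\Drivers\Capt931a.sys [2008-10-30 530432]
S1 8adc79fa;8adc79fa;c:\windows\system32\drivers\8adc79fa.sys []
S1 atinpdxxx;atinpdxxx;c:\windows\system32\drivers\atinpdxxx.sys []

BHO-{37211d51-b7fb-4c33-9570-0f32563b5947} - c:\windows\system32\falukovo.dll
HKLM-Run-davijawozu - c:\windows\system32\supilime.dll
Notify-nnnmnlKd - nnnmnlKd.dll
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
"""


@dataclass
class Finding:
    kind: str   # indicator category
    item: str   # registry value, service or autorun entry concerned
    why: str    # one-line justification


# Windows binaries that should not hold their own inbound firewall exception
# (editor's heuristic list; malware added spoolsv.exe in the log above).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "explorer.exe", "winlogon.exe",
                   "lsass.exe", "services.exe", "csrss.exe"}

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")
ORPHAN_RE = re.compile(r"^(BHO|Notify|HKLM-Run|MSConfigStartUp)-(\S+)\s+-\s+(.+)$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def looks_random(name: str) -> bool:
    """Crude test for generated names: 8 hex digits, or almost no vowels."""
    if re.fullmatch(r"[0-9a-f]{8}", name.lower()):
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def triage(log_text: str) -> list[Finding]:
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):   # registry key header
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m and "security center" in key:
            name, data = m.groups()
            if (name.endswith("DisableNotify") or name == "DisableMonitoring") \
                    and data.endswith("00000001"):
                findings.append(Finding("security-center-tamper", name,
                                        "Security Center alerting suppressed"))
            continue
        if m and key.endswith(r"authorizedapplications\list"):
            path = m.group(1).replace("\\\\", "\\")       # REGEDIT4 doubles backslashes
            if path.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES:
                findings.append(Finding("firewall-exception", path,
                                        "system binary whitelisted through the firewall"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, start, name, _display, path, meta = m.groups()
            if meta == "" and int(start) <= 1:           # assumed: "[]" = no file found
                why = "boot/system-start driver with no file date/size recorded"
                if looks_random(name):
                    why += "; random-looking name"
                findings.append(Finding("suspicious-driver", f"{name} ({path})", why))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            kind, name, target = m.groups()
            findings.append(Finding("orphaned-autorun", f"{kind} {name}", f"pointed at {target}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.item}  ({f.why})")
```

Run against a full log it will also pick up legitimate boot drivers whose file ComboFix simply could not stat, so treat the "suspicious-driver" class as a review queue, not a deletion list; the point is to reproduce the analyst's reading of the log, not to generate a CFScript automatically.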
Old 12-07-2008, 08:37 AM   #5 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 8
OS: xp


Re: Virtumonde, etc. - pls help

The .zip file has been submitted. Please find the Online Scan Report and the latest ComboFix log. I had no problems running the tests besides the fact that my McAfee does not give me the ability to stop it; the only option I had was to uninstall. I also received a message informing me about a newer version of ComboFix, but decided against upgrading at this time.
The only strange thing I experience is that msconfig's startup does not let me apply any changes; it tells me I need Admin privileges. Everything else seems to be OK so far.
Thanks again.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 09:20:51
Records in database: 1441946
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 50122
Threat name: 7
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 01:25:43


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\giv\TNK53C0.exe.vir Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@9.29.zip Infected: Trojan-Downloader.Win32.Small.buy 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@9.29.zip Infected: Trojan-Downloader.Win32.Agent.arwj 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@9.29.zip Infected: Trojan.Win32.Agent.asjz 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@9.29.zip Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@9.29.zip Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@9.29.zip Infected: not-a-virus:AdWare.Win32.WebHancer.f 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-07@9.29.zip Infected: not-a-virus:AdWare.Win32.WebHancer.390 1

The selected area was scanned.

ComboFix 08-12-05.06 - Owner 2008-12-07 9:30:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.671 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\iexplore.htm
c:\windows\system.bak
c:\windows\system32\dllcache\atidrab.dll
c:\windows\system32\dllcache\OLD17C.tmp
c:\windows\system32\dllcache\OLD1B.tmp
c:\windows\system32\dllcache\OLD371.tmp
c:\windows\system32\dllcache\OLD3B1.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\temp\uVN23L.exe
c:\windows\iexplore.htm
c:\windows\system.bak
c:\windows\system32\awtsSmjK.dll
c:\windows\system32\azcruaso.exe
c:\windows\system32\ddcATlJC.dll
c:\windows\system32\dllcache\atidrab.dll
c:\windows\system32\dllcache\OLD17C.tmp
c:\windows\system32\dllcache\OLD1B.tmp
c:\windows\system32\dllcache\OLD371.tmp
c:\windows\system32\dllcache\OLD3B1.tmp
c:\windows\system32\gi3
c:\windows\system32\giv
c:\windows\system32\giv\TNK53C0.exe
c:\windows\system32\hgGabYSj.dll
c:\windows\system32\hgGaxyYQ.dll
c:\windows\system32\hyzebryr.exe
c:\windows\system32\iifecaYq.dll
c:\windows\system32\iitkjhnousmet.exe
c:\windows\system32\IN
c:\windows\system32\LSHPRN.EXE
c:\windows\system32\mlJCtusq.dll
c:\windows\system32\op8
c:\windows\system32\TEC
c:\windows\system32\urqPfGAr.dll
c:\windows\system32\vi
c:\windows\system32\vtUkhfec.dll
c:\windows\system32\zeriweno.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_8adc79fa
-------\Service_atinpdxxx


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 14:01 . 2008-12-06 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-12-06 13:57 . 2008-12-06 13:57 <DIR> d-------- c:\program files\Secunia
2008-12-01 17:58 . 2008-12-04 20:18 250 --a------ c:\windows\gmer.ini
2008-12-01 07:40 . 2008-12-01 07:40 <DIR> d-------- c:\documents and settings\Administrator
2008-12-01 01:02 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2008-12-01 01:02 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2008-12-01 01:02 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2008-12-01 01:02 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2008-12-01 01:02 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2008-12-01 01:01 . 2002-08-28 22:59 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys
2008-12-01 01:01 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2008-12-01 01:01 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys
2008-12-01 01:01 . 2003-03-31 07:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2008-12-01 01:01 . 2004-08-04 01:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2008-12-01 01:01 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2008-12-01 01:01 . 2004-08-04 01:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2008-12-01 01:01 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2008-12-01 01:01 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-12-01 00:59 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2008-12-01 00:58 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2008-12-01 00:57 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2008-12-01 00:56 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2008-12-01 00:55 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2008-12-01 00:54 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2008-12-01 00:53 . 2001-08-17 12:50 320,384 --a--c--- c:\windows\system32\dllcache\mgaum.sys
2008-12-01 00:52 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2008-12-01 00:51 . 2008-04-13 20:12 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-12-01 00:50 . 2003-03-31 07:00 10,129,408 --a--c--- c:\windows\system32\dllcache\OLD374.tmp
2008-12-01 00:49 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2008-12-01 00:48 . 2001-08-17 12:17 629,952 --a--c--- c:\windows\system32\dllcache\eqn.sys
2008-12-01 00:47 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2008-12-01 00:46 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2008-12-01 00:45 . 2003-03-31 07:00 838,144 --a--c--- c:\windows\system32\dllcache\OLD17F.tmp
2008-12-01 00:44 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2008-12-01 00:43 . 2001-08-17 12:48 289,664 --a--c--- c:\windows\system32\dllcache\atimpab.sys
2008-12-01 00:42 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-12-01 00:41 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2008-12-01 00:22 . 2008-12-01 00:22 <DIR> d-------- c:\program files\NCH Swift Sound
2008-11-30 18:52 . 2008-11-30 18:52 <DIR> d-------- c:\program files\Sierra Online
2008-11-30 18:39 . 2008-12-01 00:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\DeepBurner Pro
2008-11-30 18:37 . 2008-11-30 18:37 <DIR> d-------- c:\program files\Astonsoft
2008-11-30 16:26 . 2008-12-01 09:22 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 16:26 . 2008-12-01 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d-------- c:\program files\Sierra On-Line
2008-11-30 15:18 . 2008-12-03 21:42 151 --a------ c:\windows\wininit.ini
2008-11-30 12:08 . 2008-11-30 15:31 <DIR> d-------- C:\SIERRA
2008-11-30 12:07 . 2008-11-30 12:07 <DIR> d-------- c:\documents and settings\Owner\WINDOWS
2008-11-30 12:07 . 1997-06-02 12:32 314,880 --a------ c:\windows\IsUninst.exe
2008-11-30 12:07 . 2008-11-30 15:30 418 --a------ c:\windows\SIERRA.INI
2008-11-30 11:26 . 2008-11-30 11:27 <DIR> d-------- c:\documents and settings\Owner\Application Data\ImgBurn
2008-11-30 11:26 . 2008-11-30 11:26 176,324,608 --a------ C:\Image.iso
2008-11-30 11:24 . 2008-11-30 11:24 <DIR> d-------- c:\program files\ImgBurn
2008-11-30 11:00 . 2008-11-30 11:06 <DIR> d-------- c:\documents and settings\Owner\Application Data\InfraRecorder
2008-11-30 00:03 . 2008-11-30 00:03 <DIR> dr-h----- c:\documents and settings\Owner\Application Data\SecuROM
2008-11-30 00:02 . 2008-11-30 00:02 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-11-29 12:58 . 2008-11-29 13:45 <DIR> d-------- C:\Old
2008-11-29 12:55 . 2008-11-29 13:46 <DIR> d-------- c:\program files\DOSBox-0.72
2008-11-24 19:16 . 2008-11-24 19:16 <DIR> dr-h----- C:\MSOCache
2008-11-21 08:29 . 2008-11-21 08:29 <DIR> d-------- C:\iEntertainment Network
2008-11-20 19:41 . 2008-11-20 19:41 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-20 19:41 . 2004-04-30 09:37 160,640 --a------ c:\windows\system32\drivers\a347bus.sys
2008-11-20 19:41 . 2004-04-30 09:33 5,248 --a------ c:\windows\system32\drivers\a347scsi.sys
2008-11-18 19:11 . 2008-11-18 19:11 <DIR> d-------- c:\documents and settings\Owner\Application Data\Babylon
2008-11-18 19:11 . 2008-11-18 19:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Babylon
2008-11-18 08:36 . 2008-11-18 08:36 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-11-17 23:22 . 2008-11-17 23:22 <DIR> d-------- c:\program files\FreeGamePick.com
2008-11-15 09:10 . 2008-11-15 09:10 <DIR> d-------- c:\documents and settings\Owner\Application Data\Apple Computer
2008-11-13 20:45 . 2008-11-13 20:45 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-13 20:44 . 2008-11-13 20:45 <DIR> d-------- c:\program files\QuickTime
2008-11-13 20:44 . 2008-11-13 20:44 <DIR> d-------- c:\program files\Apple Software Update
2008-11-13 20:44 . 2008-11-15 09:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-13 20:44 . 2008-11-13 20:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-09 09:29 . 2008-11-09 09:29 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-09 09:19 . 2008-11-09 09:22 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-09 09:06 . 2008-11-13 03:08 <DIR> d-------- c:\program files\NOS
2008-11-09 09:06 . 2008-11-13 03:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 05:43 33,832 ----a-w c:\windows\system32\upcrnhqy.exe
2008-11-30 23:52 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-30 17:17 --------- d-----w c:\program files\eMule
2008-11-29 19:57 --------- d-----w c:\documents and settings\Owner\Application Data\Vso
2008-11-29 19:37 --------- d-----w c:\documents and settings\Owner\Application Data\SolSuite
2008-11-08 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-05 01:05 --------- d-----w c:\program files\DivX
2008-10-30 19:59 --------- d-----w c:\documents and settings\Owner\Application Data\InstallShield
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:40 --------- d-----w c:\program files\Quicken
2008-10-16 22:37 --------- d-----w c:\program files\Common Files\Palo Alto Software
2008-10-16 22:37 --------- d-----w c:\program files\Common Files\Intuit
2008-10-16 22:37 --------- d-----w c:\documents and settings\Owner\Application Data\Intuit
2008-10-16 22:37 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 12:04 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-14 12:02 --------- d-----w c:\program files\Microsoft.NET
2008-10-14 02:00 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2008-10-13 22:52 --------- d-----w c:\program files\Windows Defender
2008-10-13 22:35 --------- d-----w c:\program files\ffdshow
2008-10-13 22:35 --------- d-----w c:\program files\AC3Filter
2008-10-13 22:33 --------- d-----w c:\program files\Xvid
2008-10-13 22:33 --------- d-----w c:\documents and settings\Owner\Application Data\DivX
2008-10-13 22:23 --------- d-----w c:\documents and settings\Owner\Application Data\ICAClient
2008-10-13 22:22 --------- d-----w c:\program files\Citrix
2008-10-13 22:09 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-10-13 22:09 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2008-10-13 22:09 --------- d-----w c:\program files\VSO
2008-10-13 22:07 --------- d-----w c:\program files\WinZip Self-Extractor
2008-10-13 22:01 --------- d-----w c:\program files\SolSuite
2008-10-13 11:38 --------- d-----w c:\program files\McAfee
2008-10-13 09:32 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-10-13 09:31 --------- d-----w c:\program files\McAfee.com
2008-10-13 09:31 --------- d-----w c:\program files\Common Files\McAfee
2008-10-13 09:26 --------- d-----w c:\program files\Intel
2008-10-13 09:26 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-13 09:23 --------- d-----w c:\program files\Analog Devices
2008-10-13 07:03 --------- d-----w c:\program files\microsoft frontpage
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_ 9.01.27.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-06 19:01:38 632,320 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B2}\IconCD95F66110.exe
+ 2008-12-06 19:01:38 29,184 ----a-r c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B2}\IconCD95F6617.exe
- 2008-12-06 13:36:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-07 13:47:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-06 13:36:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-07 13:47:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-06 13:36:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 13:47:42 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-25 03:21:18 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-25 03:21:20 218,496 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-10-13 22:31:49 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-12-06 18:59:43 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.XVID"= xvid.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Secunia PSI.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Secunia PSI.lnk
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SQ931STI]
--a------ 2007-01-24 13:24 151552 c:\windows\SQ931STI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 SQ931;Zoom 2.0 Webcam;c:\windows\system32\Drivers\Capt931a.sys [2008-10-30 530432]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-11-18 7808]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = https://wmusremote.ubs.com/Citrix/Me...uth/login.aspx
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {85F9F13A-8885-4FEC-B2F6-05358A6058E8} = 207.69.188.172,207.69.188.171
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\6zyxrz7w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Mozilla Firefox\plugins\np_gp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 09:33:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
.
**************************************************************************
.
Completion time: 2008-12-07 9:35:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 14:35:18
ComboFix2.txt 2008-12-06 14:02:28

Pre-Run: 180,162,756,608 bytes free
Post-Run: 180,168,310,784 bytes free

302 --- E O F --- 2008-12-06 19:46:46
borik7 is offline  
Old 12-07-2008, 01:51 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Virtumonde, etc. - pls help

Quote:
The only strange thing I experience is that msconfig's startup does not let me to apply any changes - tells me I need the Admin privileges. Everything else seems to be OK so far.
Reboot to safe mode & try it from there. Let me know how it went
sUBs is offline  
Old 12-08-2008, 05:29 AM   #7 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 8
OS: xp


Re: Virtumonde, etc. - pls help

The same 'Access denied' message.
borik7 is offline  
Old 12-08-2008, 05:59 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Virtumonde, etc. - pls help

It's McDuffy that's causing problems. Please read this > http://forums.mcafeehelp.com/showthread.php?p=514762
sUBs is offline  
Old 12-08-2008, 05:03 PM   #9 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 8
OS: xp


Re: Virtumonde, etc. - pls help

Makes sense. You are amazing. Thanks a lot. Best regards.
borik7 is offline  
Old 12-08-2008, 09:22 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,246
OS: N/A


Re: Virtumonde, etc. - pls help

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs is offline  
Old 12-09-2008, 05:32 PM   #11 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 8
OS: xp


Re: Virtumonde, etc. - pls help

Please mark this thread as resolved. I'm really impressed.
Thanks again.
borik7 is offline  
Copyright 2001 - 2009, Tech Support Forum