Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads (resolved spyware and popup issues)
Post #1, 07-28-2009, 04:10 PM, by kokonutz (Registered User; Join Date: Jul 2009; Posts: 3; OS: Windows XP)

Virus that won't let me access antivirus sites...

Hi guys, I've recently been infected with this virus. It took me ages just to find a mirror to be able to download ComboFix; eventually I had to download it through a torrent. Spybot S&D shows up clean, so does MWBytes. I ran ComboFix; it got to stage 49, made a log, then closed.


ComboFix 08-10-24.02 - Kokonutz 2009-07-28 6:45:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.693 [GMT -7:00]
Running from: C:\Downloads\ComboFix - Must Have- Windows Antivirus Spyware remover- Smitfraud Virtuemoddll Vundo Pchurricane.com\ComboFix.exe
Command switches used :: u/

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-28 )))))))))))))))))))))))))))))))
.

2009-07-28 06:33 . 2009-07-28 06:33 200,192 --a------ C:\WINDOWS\system32\B.tmp
2009-07-28 06:33 . 2009-07-28 06:33 84 --a------ C:\WINDOWS\system32\8.tmp
2009-07-28 06:33 . 2009-07-28 06:33 1 --a------ C:\WINDOWS\system32\9.tmp
2009-07-28 05:56 . 2009-07-28 05:56 <DIR> d-------- C:\Documents and Settings\Kokonutz\Application Data\GetRightToGo
2009-07-28 05:54 . 2009-07-28 05:54 200,192 --a------ C:\WINDOWS\system32\7.tmp
2009-07-28 05:54 . 2009-07-28 05:54 84 --a------ C:\WINDOWS\system32\5.tmp
2009-07-28 05:54 . 2009-07-28 05:54 1 --a------ C:\WINDOWS\system32\6.tmp
2009-07-28 05:45 . 2009-07-28 05:45 <DIR> d-------- C:\WINDOWS\system32\regdacl
2009-07-28 05:45 . 2009-07-28 05:45 <DIR> d-------- C:\_backupD
2009-07-28 05:45 . 2009-07-28 05:45 110,592 --a------ C:\WINDOWS\system32\regdacl.exe
2009-07-28 05:45 . 2009-07-28 05:45 73,728 --a------ C:\WINDOWS\system32\process.exe
2009-07-28 05:45 . 2009-07-28 05:45 36,864 --a------ C:\WINDOWS\system32\restart.exe
2009-07-28 05:45 . 2009-07-28 05:45 27,648 --a------ C:\WINDOWS\system32\reboot.exe
2009-07-28 05:20 . 2009-07-28 05:20 200,192 --a------ C:\WINDOWS\system32\4.tmp
2009-07-28 05:20 . 2009-07-28 05:20 186,880 --a------ C:\WINDOWS\system32\drivers\mmedia.sys
2009-07-28 05:20 . 2009-07-28 05:20 84 --a------ C:\WINDOWS\system32\2.tmp
2009-07-28 05:20 . 2009-07-28 05:20 1 --a------ C:\WINDOWS\system32\3.tmp
2009-07-28 05:14 . 2009-07-28 05:14 61,440 --a------ C:\WINDOWS\system32\drivers\rwlbswzv.sys
2009-07-28 04:37 . 2009-07-28 04:37 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-28 04:37 . 2009-07-28 04:37 <DIR> d-------- C:\Documents and Settings\Kokonutz\Application Data\Malwarebytes
2009-07-28 04:37 . 2009-07-28 04:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-28 04:37 . 2009-06-17 11:27 38,160 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-07-28 04:37 . 2009-06-17 11:27 19,096 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-07-28 04:32 . 2009-07-28 04:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2009-07-28 04:32 . 2009-07-28 06:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-28 01:58 . 2009-07-28 01:58 91 --a------ C:\WINDOWS\system32\vsfoceaudgmrgf.dat
2009-07-28 01:49 . 2009-07-28 01:49 <DIR> d---s---- C:\WINDOWS\system32\config\systemprofile\UserData
2009-07-28 01:48 . 2009-07-28 01:48 35,840 --a------ C:\WINDOWS\system32\D0.tmp
2009-07-28 01:48 . 2009-07-28 01:48 44 --a------ C:\WINDOWS\system32\CF.tmp
2009-07-28 01:48 . 2009-07-28 01:48 0 --a------ C:\WINDOWS\system32\D1.tmp
2009-07-28 01:47 . 2009-07-28 01:47 <DIR> d-------- C:\Documents and Settings\Kokonutz\Application Data\pridl
2009-07-28 01:47 . 2009-07-28 01:47 66,560 --a------ C:\WINDOWS\system32\drivers\vsfoceumputoby.sys
2009-07-28 01:47 . 2009-07-28 01:47 41,472 --a------ C:\WINDOWS\system32\vsfocemsyplvdy.dll
2009-07-28 01:47 . 2009-07-28 01:58 18,432 --a------ C:\WINDOWS\system32\vsfocebivkqswb.dll
2009-07-28 01:47 . 2009-07-28 02:02 1,530 --a------ C:\WINDOWS\system32\vsfocemrxnkory.dat
2009-07-28 01:47 . 2009-07-28 01:47 0 --a------ C:\WINDOWS\SC.INS
2009-07-28 01:47 . 2009-07-28 01:47 0 --a------ C:\WINDOWS\sc.exe
2009-07-11 13:28 . 2009-07-11 13:28 <DIR> d-------- C:\Program Files\WIZnet
2009-07-11 13:28 . 2006-12-01 05:54 626,688 --a------ C:\Program Files\Common Files\MSVCR80.dll
2009-07-11 13:28 . 2007-08-23 02:33 422,256 --a------ C:\WINDOWS\system32\IMKR12.IME
2009-07-11 13:28 . 2009-01-13 14:45 102,400 --a------ C:\Program Files\Common Files\WIZ1x0SR_105SR_CFG.exe
2009-07-11 13:28 . 2004-12-06 11:21 102,160 --a------ C:\WINDOWS\system32\vb6ko.dll
2009-07-11 13:28 . 1998-07-22 00:00 14,336 --a------ C:\WINDOWS\system32\WINSKKO.DLL
2009-07-09 00:23 . 2009-07-28 01:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2009-07-09 00:23 . 2009-07-09 00:23 1,409 --a------ C:\WINDOWS\QTFont.for
2009-06-29 12:45 . 2009-06-10 06:03 19,495 --a------ C:\WINDOWS\system32\nvdisp.nvu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-28 08:48 182,144 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2009-07-28 05:13 --------- d-----w C:\Program Files\Warcraft III
2009-07-26 07:33 --------- d-----w C:\Documents and Settings\Kokonutz\Application Data\LimeWire
2009-07-20 06:28 --------- d-----w C:\Program Files\Starcraft
2009-07-11 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-06-29 19:14 --------- d-----w C:\Program Files\DriftCity
2009-06-29 19:14 --------- d-----w C:\Program Files\DivX
2009-06-25 01:24 --------- d-----w C:\Documents and Settings\Kokonutz\Application Data\U3
2009-06-10 15:28 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2009-06-10 15:28 4,022,272 ----a-w C:\WINDOWS\system32\nvdisps.dll
2009-06-10 15:28 3,510,272 ----a-w C:\WINDOWS\system32\nvgames.dll
2009-06-10 15:28 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2009-06-10 15:28 163,840 ----a-w C:\WINDOWS\system32\nvcolor.exe
2009-06-10 15:28 13,758,464 ----a-w C:\WINDOWS\system32\nvcpl.dll
2009-06-10 13:03 9,998,336 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2009-06-10 13:03 815,104 ----a-w C:\WINDOWS\system32\nvapi.dll
2009-06-10 13:03 8,087,712 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2009-06-10 13:03 671,744 ----a-w C:\WINDOWS\system32\nvcuvid.dll
2009-06-10 13:03 5,908,608 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2009-06-10 13:03 457,248 ----a-w C:\WINDOWS\system32\nvudisp.exe
2009-06-10 13:03 151,552 ----a-w C:\WINDOWS\system32\nvcodins.dll
2009-06-10 13:03 151,552 ----a-w C:\WINDOWS\system32\nvcod.dll
2009-06-10 13:03 1,720,320 ----a-w C:\WINDOWS\system32\nvcuda.dll
2009-06-10 13:03 1,580,550 ----a-w C:\WINDOWS\system32\nvdata.bin
2009-06-10 13:03 1,310,720 ----a-w C:\WINDOWS\system32\nvcuvenc.dll
2009-06-09 06:28 --------- d-----w C:\Program Files\Steam
2009-06-04 23:39 457,248 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2009-06-01 11:45 --------- d-----w C:\Program Files\WC3Banlist
2009-05-28 11:40 --------- d-----w C:\Program Files\LimeWire
2009-05-28 11:31 --------- d-----w C:\Program Files\AviSynth 2.5
2009-04-11 05:33 256 ----a-w C:\Documents and Settings\Kokonutz\pool.bin
2008-10-26 20:26 39,968 ----a-w C:\Documents and Settings\Kokonutz\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-03-11 19:19 34816 d0ec336582097eecea9a78ec06fb7c99 C:\WINDOWS\system32\svchost.exe
2004-03-11 19:19 34816 099b8be538bd5fd3377fb868703c197d C:\WINDOWS\system32\dllcache\svchost.exe

2004-03-11 19:19 526336 89ef975b4c91824e96e586ebb2b4873f C:\WINDOWS\system32\winlogon.exe
2004-03-11 19:19 524800 8bac23b3390213dd78607175cf501a41 C:\WINDOWS\system32\dllcache\winlogon.exe

2009-07-28 01:48 211712 db8ea964c507dfc0445e63c9a6ce6b42 C:\WINDOWS\system32\dllcache\ndis.sys
2009-07-28 01:48 211712 db8ea964c507dfc0445e63c9a6ce6b42 C:\WINDOWS\system32\drivers\ndis.sys

2004-03-11 19:19 1049088 4a1019fbe8856370055631c47f5acac6 C:\WINDOWS\explorer.exe
2004-03-11 19:19 1049088 97df9e671152b0211bf8ab32055b9247 C:\WINDOWS\system32\dllcache\explorer.exe

2004-03-11 19:18 34816 743ffbb9a6edeefe12a6ee959f2c85f8 C:\WINDOWS\system32\ctfmon.exe
2004-03-11 19:18 34816 897d9bb5c81080873f497ceb18e13d60 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-03-11 19:19 77312 135b16f27a9b15b61ab184d2d097b706 C:\WINDOWS\system32\spoolsv.exe
2004-03-11 19:19 77312 9d723ed47c1c6d9f0ebbd46f987b5e3b C:\WINDOWS\system32\dllcache\spoolsv.exe

2004-03-11 19:19 132096 9eacaae8711ee86f093931fd1b79a848 C:\WINDOWS\system32\wuauclt.exe
2004-03-11 19:19 132096 d31d7ef34dbde5fb0c5d8ef068855a33 C:\WINDOWS\system32\dllcache\wuauclt.exe

2004-03-11 19:19 45056 002465fabe5282995fb8890264c68c34 C:\WINDOWS\system32\userinit.exe
2004-03-11 19:19 45056 a81e22b3ae7d35888c5d4fe9a8848f23 C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-07-28_ 6.29.02.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-28 12:53:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-28 13:32:56 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2009-07-28 12:53:28 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-28 13:32:56 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-28 12:53:28 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-28 13:32:56 65,536 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-09-26 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-09-26 18:18 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 67112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-03-11 34816]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [2006-02-01 120512]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2009-06-10 86016]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2009-06-10 13758464]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-01 185896]
"nwiz"="nwiz.exe" [2009-06-10 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"pridl"="C:\Documents and Settings\Kokonutz\Application Data\pridl\pridl.exe" [2009-07-28 35328]

C:\Documents and Settings\Kokonutz\Start Menu\Programs\Startup\MultiRes
MultiRes.lnk - C:\Program Files\MultiRes\MultiRes.exe [2006-09-12 79360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.AP41"= APmpg4v1.dll
"VIDC.MPG4"= APmpg4v1.dll
"VIDC.MP42"= APmpg4v1.dll
"VIDC.DIV3"= APmpg4v1.dll
"VIDC.DIV4"= APmpg4v1.dll
"VIDC.MP43"= APmpg4v1.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kokonutz^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\Kokonutz\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kokonutz^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Kokonutz\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kokonutz^Start Menu^Programs^Startup^TokBox.lnk]
path=C:\Documents and Settings\Kokonutz\Start Menu\Programs\Startup\TokBox.lnk
backup=C:\WINDOWS\pss\TokBox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-05-29 17:33 52840 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-03-11 19:18 34816 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
--a------ 2004-06-14 20:54 221184 C:\Program Files\Gigabyte\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-08-28 23:25 29744 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 176128 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 01:38 188416 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 307200 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sealmon.exe]
--a------ 2009-03-13 12:02 370952 C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-02 16:59 218240 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-06-08 23:27 1217784 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-01-01 00:40 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 19:43 90112 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-05-27 11:47 16229888 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 19:04 2903040 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"AWLL5026 WLService"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\outlook.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\onenote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11214:TCP"= 11214:TCP:BitComet 11214 TCP
"11214:UDP"= 11214:UDP:BitComet 11214 UDP
"10808:TCP"= 10808:TCP:BitComet 10808 TCP
"10808:UDP"= 10808:UDP:BitComet 10808 UDP

R0 mmedia;Microsoft Multimedia Drive;C:\WINDOWS\system32\drivers\mmedia.sys [2009-07-28 186880]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;C:\WINDOWS\system32\DRIVERS\uacflt.sys [2002-05-03 21276]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 45056]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-28 29744]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2009-06-17 38160]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
S3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-17 19968]
S3 vmfilter303;vmfilter303;C:\WINDOWS\system32\drivers\vmfilter303.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{116bda67-2189-11dd-b05d-806d6172696f}]
\Shell\AutoRun\command - G:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e8cb58-85e3-11dc-b035-806d6172696f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ac112f9-e08b-11dd-b07e-806d6172696f}]
\Shell\AutoRun\command - H:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8327c88-0ea8-11dc-b01d-806d6172696f}]
\Shell\AutoRun\command - .\Recycled\Driveinfo.exe
\Shell\Open\Command - .\Recycled\Driveinfo.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kokonutz\Application Data\Mozilla\Firefox\Profiles\j73t9tuj.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Google\Picasa3\npPicasa3.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-28 06:45:53
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-28 6:50:36
ComboFix-quarantined-files.txt 2009-07-28 13:50:22
ComboFix2.txt 2009-07-28 13:29:44

Pre-Run: 39,243,845,632 bytes free
Post-Run: 39,278,096,384 bytes free

kokonutz is offline  

Post #2, 07-28-2009, 07:11 PM, by kokonutz (Registered User; Join Date: Jul 2009; Posts: 3; OS: Windows XP)

Re: Virus that won't let me access antivirus sites...

I re-downloaded ComboFix from a mirror here. Now it says ComboFix has been compromised and can't continue... I don't know how to edit my post; it doesn't seem to work. I would also like to add that it keeps making IE shortcuts on my desktop. IEXPLORE.exe WAS running until I ran MWBytes, but I still can't access any AV sites. Sorry if this is an early bump!
kokonutz is offline  
Post #3, 07-29-2009, 10:02 AM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,605; OS: 2000 Pro, XP Pro, XP Home)

Re: Virus that won't let me access antivirus sites...

A Reminder....

If you've read the Disclaimer (which you should have), you would have seen the statement, in no uncertain terms, that this tool is meant for private use and should never be used in an unsupervised environment.

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help':
Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which, when improperly used, may render your machine to a doorstop.

We first need to verify whether any rootkits are present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
I suspect the machine is infected with Virut, which is a PE file infector, and the only recourse to ensure a safe machine going forward is to format.

I'd like to try to confirm that.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    C:\WINDOWS\system32\userinit.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying "File has already been analyzed", click "Reanalyze file now".
  • Once scanned, copy and paste the results in your next reply, or simply provide the link to the results page.
  • Please repeat for the following files:

    • C:\WINDOWS\system32\winlogon.exe
    • C:\WINDOWS\system32\svchost.exe
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
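The Sigcheck section of the ComboFix log in post #1 already shows why these particular files are being sent to VirusTotal: each system32 copy carries a different MD5 from its dllcache copy. The script below is an added example, not part of the original thread and not ComboFix's own code. It parses those Sigcheck lines (copied verbatim from the log above), pairs each live file with its dllcache copy and flags mismatches. It also refuses to treat a match as reassuring when both copies were written on the scan date, which is exactly the ndis.sys case here (both copies dated 2009-07-28): a dllcache copy replaced during the incident is no longer a baseline. The scan date is taken from the log header. The md5_of_file helper hashes a local file so it can be searched for by hash rather than uploaded. A mismatch by itself is not proof of infection, which is why the post asks for VirusTotal results instead of relying on the log alone.

```python
import hashlib
import re

# Sigcheck lines copied verbatim from the ComboFix log in post #1:
# date, time, size, MD5, path.
SIGCHECK = r"""
2004-03-11 19:19 34816 d0ec336582097eecea9a78ec06fb7c99 C:\WINDOWS\system32\svchost.exe
2004-03-11 19:19 34816 099b8be538bd5fd3377fb868703c197d C:\WINDOWS\system32\dllcache\svchost.exe
2004-03-11 19:19 526336 89ef975b4c91824e96e586ebb2b4873f C:\WINDOWS\system32\winlogon.exe
2004-03-11 19:19 524800 8bac23b3390213dd78607175cf501a41 C:\WINDOWS\system32\dllcache\winlogon.exe
2009-07-28 01:48 211712 db8ea964c507dfc0445e63c9a6ce6b42 C:\WINDOWS\system32\dllcache\ndis.sys
2009-07-28 01:48 211712 db8ea964c507dfc0445e63c9a6ce6b42 C:\WINDOWS\system32\drivers\ndis.sys
2004-03-11 19:19 1049088 4a1019fbe8856370055631c47f5acac6 C:\WINDOWS\explorer.exe
2004-03-11 19:19 1049088 97df9e671152b0211bf8ab32055b9247 C:\WINDOWS\system32\dllcache\explorer.exe
2004-03-11 19:18 34816 743ffbb9a6edeefe12a6ee959f2c85f8 C:\WINDOWS\system32\ctfmon.exe
2004-03-11 19:18 34816 897d9bb5c81080873f497ceb18e13d60 C:\WINDOWS\system32\dllcache\ctfmon.exe
2004-03-11 19:19 77312 135b16f27a9b15b61ab184d2d097b706 C:\WINDOWS\system32\spoolsv.exe
2004-03-11 19:19 77312 9d723ed47c1c6d9f0ebbd46f987b5e3b C:\WINDOWS\system32\dllcache\spoolsv.exe
2004-03-11 19:19 132096 9eacaae8711ee86f093931fd1b79a848 C:\WINDOWS\system32\wuauclt.exe
2004-03-11 19:19 132096 d31d7ef34dbde5fb0c5d8ef068855a33 C:\WINDOWS\system32\dllcache\wuauclt.exe
2004-03-11 19:19 45056 002465fabe5282995fb8890264c68c34 C:\WINDOWS\system32\userinit.exe
2004-03-11 19:19 45056 a81e22b3ae7d35888c5d4fe9a8848f23 C:\WINDOWS\system32\dllcache\userinit.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (\S.*)$")


def parse_sigcheck(text):
    """One dict per Sigcheck line; anything that does not match the shape is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"date": m.group(1), "size": int(m.group(3)),
                            "md5": m.group(4).lower(), "path": m.group(5)})
    return entries


def pair_entries(entries):
    """Group the live file and its dllcache copy under the file's base name."""
    pairs = {}
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        slot = "cache" if "\\dllcache\\" in e["path"].lower() else "live"
        pairs.setdefault(name, {})[slot] = e
    return pairs


def assess(pairs, scan_date):
    """Verdict per file: mismatch, match, match-untrusted or incomplete.
    A match is only meaningful if neither copy was written on the scan date;
    otherwise the dllcache copy may have been replaced along with the live one."""
    verdicts = {}
    for name, p in pairs.items():
        live, cache = p.get("live"), p.get("cache")
        if live is None or cache is None:
            verdicts[name] = "incomplete"
        elif live["md5"] != cache["md5"]:
            verdicts[name] = "mismatch"
        elif scan_date in (live["date"], cache["date"]):
            verdicts[name] = "match-untrusted"
        else:
            verdicts[name] = "match"
    return verdicts


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a local file, for searching VirusTotal by hash instead of uploading."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def report(text, scan_date):
    """Human-readable lines, one per file pair, sorted by name."""
    pairs = pair_entries(parse_sigcheck(text))
    verdicts = assess(pairs, scan_date)
    lines = []
    for name in sorted(verdicts):
        p = pairs[name]
        note = ("same size" if "live" in p and "cache" in p
                and p["live"]["size"] == p["cache"]["size"] else "size differs or n/a")
        lines.append(f"{name:14} {verdicts[name]:16} ({note})")
    return lines


if __name__ == "__main__":
    # Scan date taken from the log header line "ComboFix 08-10-24.02 - Kokonutz 2009-07-28 ...".
    print("\n".join(report(SIGCHECK, "2009-07-28")))
```

Run as-is, it reports seven mismatched pairs (svchost, winlogon, explorer, ctfmon, spoolsv, wuauclt, userinit) and marks ndis.sys as match-untrusted. To triage a different ComboFix log, paste its Sigcheck block into SIGCHECK and set the scan date from that log's header.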
Post #4, 07-29-2009, 11:55 AM, by kokonutz (Registered User; Join Date: Jul 2009; Posts: 3; OS: Windows XP)

Re: Virus that won't let me access antivirus sites...

I can not visit the VirusTotal site. Now, I also can not play music. My windows media player stops and redirects me to an RIAA website.
kokonutz is offline  
Post #5, 07-29-2009, 12:06 PM, by tetonbob

Re: Virus that won't let me access antivirus sites...

Based on items I see in the log, the report from ComboFix, and the fact that you cannot visit the file upload services, I think Virut is indeed in play, and your best course of action is to format.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and, as a result, it may misinfect a proportion of executable files, and therefore the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or a destructive recovery if you have an OEM recovery partition, is the best way to clean the infection, and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:

http://miekiemoes.blogspot.com/2009/...-throwing.html
tetonbob is offline  
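To apply the backup rules in the post above mechanically rather than by eye, here is a Python script that is an added example, not from the original thread. It walks a folder and classifies every file as keep, exclude or review using exactly the rules stated: .exe and .scr are excluded, .htm/.html/.asp/.php are set aside for review, zip archives are opened (recursively, so a zip inside a zip is checked too) and excluded if any .exe or .scr is inside, and rar/cab/7z archives, which the standard library cannot open, are excluded conservatively. copy_safe then copies only the "keep" files to a fresh destination. The sample tree built by build_sample_tree is constructed for the demonstration; its file names are not from the poster's machine. Note that this does not detect infection at all; it only keeps infectable file types out of the backup set, which is what the post recommends.

```python
import io
import os
import shutil
import tempfile
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr"}               # Virut appends itself to these
WEB_EXTS = {".htm", ".html", ".asp", ".php"}     # recent variants modify these
OPAQUE_ARCHIVE_EXTS = {".rar", ".cab", ".7z"}    # stdlib cannot open: treat as unsafe


def zip_has_executable(data, depth=0, max_depth=4):
    """True if zip bytes hold .exe/.scr at any nesting level, or anything unreadable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True
    for info in zf.infolist():
        ext = os.path.splitext(info.filename)[1].lower()
        if ext in EXECUTABLE_EXTS or ext in OPAQUE_ARCHIVE_EXTS:
            return True
        if ext == ".zip" and (depth >= max_depth or zip_has_executable(zf.read(info), depth + 1, max_depth)):
            return True
    return False

def classify(path):
    """Return (verdict, reason) with verdict in {'keep', 'exclude', 'review'}."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "exclude", "executable/screensaver: Virut infects .exe and .scr"
    if ext in WEB_EXTS:
        return "review", "htm/html/asp/php: recent variants modify these"
    if ext in OPAQUE_ARCHIVE_EXTS:
        return "exclude", "archive this script cannot inspect"
    if ext == ".zip":
        with open(path, "rb") as f:
            unsafe = zip_has_executable(f.read())
        return ("exclude", "zip holds .exe/.scr, possibly nested") if unsafe else ("keep", "zip without executables")
    return "keep", "data file"

def classify_tree(root):
    """Map each file's relative path ('/' separators) to its (verdict, reason)."""
    decisions = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            decisions[os.path.relpath(full, root).replace(os.sep, "/")] = classify(full)
    return decisions

def copy_safe(root, dest):
    """Copy only 'keep' files into dest, preserving relative paths; return what was copied."""
    copied = []
    for rel, (verdict, _) in classify_tree(root).items():
        if verdict == "keep":
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(root, rel), target)
            copied.append(rel)
    return sorted(copied)

def make_zip(members):
    """Build a zip in memory from {name: bytes} (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample files (not from the poster's machine), one per rule."""
    samples = {
        "Documents/thesis.doc": b"plain document bytes",
        "Downloads/setup.exe": b"MZ" + b"\x00" * 62,
        "Downloads/ocean.scr": b"MZ" + b"\x00" * 62,
        "Downloads/stuff.rar": b"Rar!\x1a\x07\x00",
        "Sites/index.html": b"<html></html>",
        "Downloads/photos.zip": make_zip({"beach.jpg": b"\xff\xd8\xff"}),
        "Downloads/tools.zip": make_zip({"readme.txt": b"hi", "tool.exe": b"MZ"}),
        "Downloads/nested.zip": make_zip({"inner.zip": make_zip({"payload.scr": b"MZ"})}),
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

def demo():
    """Build the sample tree in temp dirs, classify it and run a safe copy."""
    root, dest = tempfile.mkdtemp(prefix="virut_src_"), tempfile.mkdtemp(prefix="virut_dst_")
    try:
        build_sample_tree(root)
        return classify_tree(root), copy_safe(root, dest)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(dest, ignore_errors=True)

if __name__ == "__main__":
    decisions, copied = demo()
    for rel, (verdict, reason) in sorted(decisions.items()):
        print(f"{verdict:8} {rel:22} {reason}")
    print("copied:", copied)
```

For a real machine, point classify_tree and copy_safe at the user's profile folder and an empty external drive, then review the "review" list by hand before deciding whether any of it is worth keeping.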
 


Copyright 2001 - 2009, Tech Support Forum