PDA

View Full Version : virtumonde (i have both log files)



Igotavirus
2008-12-21, 23:16
Ok so I looked around the forums and found the solution. I renamed hijackthis and scanned, then I ran combofix. It rebooted, scanned and I have the log file. Then I ran hijackthis again, and have a new log file. So i have these log files, what do I do now??? Shaba?

BEFORE COMBOXFIX
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:07 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\lssa.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Home\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\somefiledude.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Service Processor] lssa.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Windows Service Processor] lssa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Home\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Home\Application Data\Microsoft\Windows\lsass.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra 'Tools' menuitem: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221752696890
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: wxjacr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
O23 - Service: PDAgent - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (file missing)
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9650 bytes

Igotavirus
2008-12-21, 23:17
COMBOFIX LOG

ComboFix 08-12-20.05 - Home 2008-12-21 15:31:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.573 [GMT -5:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Home\Application Data\inst.exe
c:\documents and settings\Home\Favorites\Download programs.url
c:\documents and settings\Home\Favorites\Games.url
c:\documents and settings\Home\Favorites\Translator.url
c:\documents and settings\Home\Favorites\Videos.url
c:\documents and settings\Home\Local Settings\SysPr.prx
c:\documents and settings\Home\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Mozilla Firefox\components\iamfamous.dll
c:\windows\system32\byXRkLfG.dll
c:\windows\system32\config\SAM.SAV
c:\windows\system32\Driveinfo.log
c:\windows\system32\drivers\msqpdxnujwstyu.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\fccDwXom.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\moXwDccf.ini
c:\windows\system32\moXwDccf.ini2
c:\windows\system32\msqpdxksilturx.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg

----- BITS: Possible infected sites -----

hxxp://bmt2.info
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 14:17 . 2008-12-21 14:18 <DIR> d-------- C:\32788R22FWJFW
2008-12-20 18:55 . 2008-12-20 18:55 <DIR> d-------- C:\VundoFix Backups
2008-12-20 17:56 . 2008-12-20 17:56 134 --a------ c:\windows\wininit.ini
2008-12-20 12:50 . 2008-12-20 12:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-20 12:49 . 2008-12-20 12:49 <DIR> d-------- c:\program files\IESurfBar
2008-12-16 23:39 . 2008-12-16 23:39 <DIR> d-------- c:\program files\MSECache
2008-12-12 23:15 . 2008-12-12 23:14 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-12 23:14 . 2008-12-12 23:14 <DIR> d-------- c:\program files\eRightSoft
2008-12-08 21:18 . 2008-12-08 21:19 <DIR> d-------- c:\documents and settings\Home\Application Data\vlc
2008-11-30 17:31 . 2008-11-30 17:34 <DIR> d-------- c:\program files\HyperCam 2
2008-11-30 16:26 . 2008-11-30 16:27 <DIR> d-------- c:\documents and settings\Home\Application Data\Red Alert 3 Demo
2008-11-28 21:44 . 2008-11-28 21:44 2,271 --a------ c:\windows\system32\TDSSdxgp.dll
2008-11-28 08:13 . 2008-12-15 16:10 <DIR> d-------- c:\program files\Wolfenstein - Enemy Territory
2008-11-25 22:08 . 2008-11-25 22:08 19 --a------ c:\windows\popcinfo.dat
2008-11-25 21:07 . 2008-11-25 22:10 <DIR> d-------- c:\program files\Shockwave.com
2008-11-21 21:47 . 2008-11-23 21:00 <DIR> d-------- c:\program files\Adobe Photoshop CS4
2008-11-21 21:34 . 2008-06-27 06:08 207,656 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-11-21 21:34 . 2008-06-02 14:55 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-11-21 21:34 . 2008-06-27 06:08 79,240 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-11-21 21:34 . 2008-06-27 06:08 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-11-21 21:34 . 2008-06-27 06:08 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-11-21 21:34 . 2008-06-20 05:41 34,152 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-11-21 21:33 . 2008-11-21 21:34 <DIR> d-------- c:\program files\McAfee.com
2008-11-21 21:33 . 2008-12-19 11:15 <DIR> d-------- c:\program files\McAfee
2008-11-21 21:33 . 2008-11-21 21:34 <DIR> d-------- c:\program files\Common Files\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 02:36 --------- d-----w c:\program files\Warcraft III
2008-12-20 23:02 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 22:59 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-20 22:57 --------- d-----w c:\documents and settings\Home\Application Data\uTorrent
2008-12-20 16:54 --------- d-----w c:\program files\Microsoft Visual Studio 9.0
2008-12-20 16:54 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-20 16:35 --------- d-----w c:\program files\PokerStars
2008-12-20 16:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 16:16 --------- d-----w c:\program files\Full Tilt Poker
2008-12-20 16:15 --------- d-----w c:\program files\Project64 1.6
2008-12-20 16:07 --------- d-----w c:\program files\mozilla.org
2008-12-20 03:45 --------- d-----w c:\program files\Steam
2008-12-19 21:46 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-18 04:53 7,768 ----a-w c:\documents and settings\Home\Application Data\wklnhst.dat
2008-12-15 21:02 --------- d-----w c:\program files\Microsoft SQL Server
2008-12-15 20:46 --------- d-----w c:\program files\PopCap Games
2008-12-08 19:24 --------- d-----w c:\program files\uTorrent
2008-12-06 18:43 --------- d-----w c:\program files\Starcraft
2008-12-06 03:23 31 ----a-w c:\documents and settings\Home\jagex_runescape_preferences.dat
2008-12-06 02:18 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-11-30 22:14 --------- d-----w c:\program files\HyperCam
2008-11-30 20:28 --------- d-----w c:\program files\Electronic Arts
2008-11-30 05:31 --------- d-----w c:\documents and settings\Home\Application Data\LimeWire
2008-11-29 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2008-11-28 21:32 --------- d-----w c:\program files\Quake III Arena
2008-11-28 13:40 138,512 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-26 03:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-24 15:44 --------- d-----w c:\program files\Common Files\Adobe
2008-11-23 12:36 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-11-23 12:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-18 10:57 2,829 -c--a-w c:\windows\War3Unin.pif
2008-11-18 10:57 139,264 ----a-w c:\windows\War3Unin.exe
2008-11-16 13:08 --------- d-----w c:\program files\Activision
2008-11-16 03:30 --------- d-----w c:\program files\GoldWave
2008-11-15 16:08 --------- d-----w c:\program files\WorldOfGoo
2008-11-15 16:08 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2008-11-15 15:38 --------- d-----w c:\program files\MyPlayCity.com
2008-11-13 14:37 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-11-13 11:18 --------- d-----w c:\program files\ATI Technologies
2008-11-12 22:56 --------- d-----w c:\documents and settings\Home\Application Data\gtk-2.0
2008-11-09 11:43 --------- d-----w c:\program files\Java
2008-11-08 02:42 --------- d-----w c:\program files\Cheetah Burner
2008-11-07 05:09 --------- d-----w c:\program files\directx
2008-11-04 05:02 --------- d-----w c:\program files\Ubisoft
2008-11-04 00:41 --------- d-----w c:\program files\Ventrilo
2008-11-04 00:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-01 09:42 --------- d-----w c:\program files\1964
2008-11-01 08:38 --------- d-----w c:\program files\PartyGaming
2008-11-01 08:34 --------- d-----w c:\program files\Vector Magic
2008-11-01 07:56 --------- d-----w c:\program files\Free iPod Video Converter
2008-11-01 07:41 --------- d-----w c:\program files\Dealio
2008-11-01 03:20 --------- d-----w c:\program files\PokerRoom.com
2008-11-01 03:17 --------- d-----w c:\program files\FlightGear
2008-10-30 06:27 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-27 19:45 --------- d-----w c:\program files\Eidos Interactive
2008-10-27 01:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-26 03:36 --------- d-----w c:\program files\DsNET Corp
2008-10-25 21:39 --------- d-----w c:\documents and settings\Home\Application Data\SanDisk
2008-10-25 05:52 --------- d-----w c:\documents and settings\Home\Application Data\flightgear.org
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 23:19 --------- d-----w c:\program files\GIMP-2.0
2008-10-22 01:22 --------- d-----w c:\program files\DirectX2008
2008-10-22 00:54 --------- d-----w c:\program files\Debugging Tools for Windows
2008-10-05 14:22 606,848 ----a-w c:\windows\flashax.exe
2008-10-05 14:22 194,560 ----a-w c:\windows\HB_Office_1600_04.scr
2008-10-05 14:22 12,288 ----a-w c:\windows\impborl.dll
2008-09-26 20:25 62,112 ----a-w c:\documents and settings\Home\Application Data\GDIPFONTCACHEV1.DAT
2008-08-19 22:28 47,360 ----a-w c:\documents and settings\Home\Application Data\pcouffin.sys
2007-03-04 05:27 357 ----a-w c:\documents and settings\Home\.cb_layout.bin
2002-08-29 17:00 24,576 ----a-w c:\documents and settings\sysprep\setupcl.exe
2002-08-29 17:00 15,360 ----a-w c:\documents and settings\sysprep\netcfg.exe
2002-08-29 17:00 120,832 ----a-w c:\documents and settings\sysprep\factory.exe
2002-08-29 17:00 112,640 ----a-w c:\documents and settings\sysprep\sysprep.exe
2007-03-10 22:32 848 --sha-w c:\windows\system32\KGyGaAvL.sys
2004-08-10 11:00 62,989 --sha-r c:\windows\system32\lssa.exe
.

------- Sigcheck -------

2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-09-16 22:58 502272 6225f14b8ce08ccba8b25ad27843c674 c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-08-08 691656]
"{6226BA26-C017-4007-928C-DE9715C6FA68}"= "c:\program files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll" [2008-06-07 2404352]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-08-08 691656]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SansaDispatch"="c:\documents and settings\Home\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-10-25 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-09 144792]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-10 158208]
"Windows Service Processor"="lssa.exe" [2004-08-10 c:\windows\system32\lssa.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service Processor"="lssa.exe" [2004-08-10 c:\windows\system32\lssa.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-03-15 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wxjacr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Home^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 07:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 06:04 59392 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
--a------ 2008-07-11 16:48 641208 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2007-07-10 23:07 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-07-10 23:07 16132608 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Service Processor]
-rahs---- 2004-08-10 06:00 62989 c:\windows\system32\lssa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"CAISafe"=2 (0x2)
"VETMSGNT"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\cmac_86\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\condition zero\\hl.exe"=
"c:\\Program Files\\Java\\jre1.5.0_10\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Home\\Desktop\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\cmac_86\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\cmac_86\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\zombie panic! source\\hl2.exe"=
"c:\\Quake2\\quake2.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Steam\\steamapps\\kingofcomics\\day of defeat\\hl.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"<NO NAME>"= :Windows Service Processor

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-11-22 206096]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2007-12-19 21920]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe []
S4 EDXZGAVH;EDXZGAVH;c:\docume~1\Home\LOCALS~1\Temp\EDXZGAVH.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8f32f68-a2d6-11dd-b01f-001cc08046bd}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe []

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-21 c:\windows\Tasks\keauskyz.job
- c:\windows\system32\rundll32.exe [2004-08-10 06:00]

2008-11-22 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]

2008-11-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-07-09 18:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\byXRkLfG.dll
BHO-{B336E1B5-4A3B-41E8-B953-3300CE603E27} - c:\windows\system32\fccDwXom.dll
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Home\Application Data\Microsoft\Windows\lsass.exe
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\byXRkLfG.dll
MSConfigStartUp-8c6fbffe - c:\windows\system32\hhvesxni.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {{6226BA26-C017-4007-928C-DE9715C6FA68} - {6226BA26-C017-4007-928C-DE9715C6FA68} - c:\program files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - -
FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\ozxpnkg7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Home\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 15:44:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Lsass Service = c:\documents and settings\Home\Application Data\Microsoft\Windows\lsass.exe?????????????????????B?????????????????????????????F

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\UAService7.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2008-12-21 16:03:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 21:02:06

Pre-Run: 43,858,575,360 bytes free
Post-Run: 43,904,184,320 bytes free

345 --- E O F --- 2008-12-19 05:17:53

Igotavirus
2008-12-21, 23:18
HIJACKTHIS AFTER COMBOFIX

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:07 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\lssa.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Home\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\somefiledude.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Service Processor] lssa.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Windows Service Processor] lssa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Home\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Home\Application Data\Microsoft\Windows\lsass.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra 'Tools' menuitem: SurfLite Toolbar - {6226BA26-C017-4007-928C-DE9715C6FA68} - C:\Program Files\IESurfBar\SurfLite Toolbar\dyn_surflite_aff_1000.dll
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221752696890
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: wxjacr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
O23 - Service: PDAgent - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe (file missing)
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9650 bytes

Igotavirus
2008-12-22, 01:24
Ok, I scanned again after everything, and all spybot found was smitfraud, which means I think i got rid of virtumonde now!! woohoo... I deleted smitfraud using spybot and rebooted to see if it reloaded when windows started. I scanned again with spybot and nothing was found!:) I hope I did everything right, theres no popups anymore.

Do I have to uninstall combofix now or should I just keep it on the computer in case this happens again?