BleepingComputer.com: Virtumonde.dll/combofix Results


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


Virtumonde.dll/combofix Results

#1 DakotaYoda (New Member, Group: Members, Posts: 2, Joined: 26-July 08)

Posted 26 July 2008 - 09:36 AM

Howdy and, first off, my apologies for the Combofix log post before it's requested -

Doing battle w/ a wonderful virtumonde.dll on my brother's pc. Understood on the risks of running Combofix but felt it was definitely worthwhile. I believe the virtumonde.dll is gone but am still getting several command prompt windows that pop up and quickly disappear on boot and a couple .dll errors, see below...


RUNDLL error on boot:

error loading c:\WINDOWS\system32\fmwunsux.dll - The specified module cannot be found.

Combofix log below and Hijackthis log available as well... any and all help is most appreciated. Thanks!!!!



ComboFix 08-07-25.3 - Owner 2008-07-25 22:59:58.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.335 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM53c84abe.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ajfxmarv.dll
C:\WINDOWS\system32\bjdqxs.dll
C:\WINDOWS\system32\cjyhtcpx.dll
C:\WINDOWS\system32\ehtodvmo.ini
C:\WINDOWS\system32\errwbxlr.dll
C:\WINDOWS\system32\fmwunsux.dll
C:\WINDOWS\system32\hasxllgn.dll
C:\WINDOWS\system32\kuqcbiir.dll
C:\WINDOWS\system32\lgnfvkgv.dll
C:\WINDOWS\system32\ljJDTJyV.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nbqgkdpo.dll
C:\WINDOWS\system32\omvdothe.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rkohxv.dll
C:\WINDOWS\system32\sarcxi.dll
C:\WINDOWS\system32\ufmmpy.dll
C:\WINDOWS\system32\uhmnwevd.dll
C:\WINDOWS\system32\vwjmgy.dll
C:\WINDOWS\system32\VyJTDJjl.ini
C:\WINDOWS\system32\VyJTDJjl.ini2
C:\WINDOWS\system32\xpcthyjc.ini
C:\WINDOWS\system32\xusnuwmf.ini
C:\WINDOWS\system32\xxyaxXNF.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 20:06 . 2008-07-25 20:06 <DIR> d-------- C:\VundoFix Backups
2008-07-25 20:01 . 2008-07-25 20:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-25 17:22 . 2008-07-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 17:06 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-25 17:06 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-25 17:06 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-25 17:06 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-24 17:51 . 2008-07-25 19:59 314 --a------ C:\WINDOWS\wininit.ini
2008-07-24 17:23 . 2008-07-24 17:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-24 17:23 . 2008-07-24 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-23 19:59 . 2008-07-23 19:59 24,820 --a------ C:\WINDOWS\system32\cmkxhlbd.exe
2008-07-23 18:24 . 2008-07-24 18:00 1,179 --ahs---- C:\WINDOWS\system32\nqrgmgic.ini
2008-07-23 18:08 . 2008-07-23 18:10 295 --ahs---- C:\WINDOWS\system32\dnwwlxsl.ini
2008-07-23 01:33 . 2008-07-25 20:00 111,483 --a------ C:\WINDOWS\BM53c84abe.xml
2008-07-23 01:32 . 2008-07-23 01:32 44,037 --ahs---- C:\WINDOWS\system32\fdpokiut.tmp
2008-07-21 20:33 . 2008-07-22 02:41 44,037 --ahs---- C:\WINDOWS\system32\fdpokiut.ini
2008-07-21 20:26 . 2008-07-21 20:26 <DIR> d-------- C:\WINDOWS\system32\carH05
2008-07-21 20:26 . 2008-07-21 20:26 <DIR> d-------- C:\temp\btxv15
2008-07-21 17:08 . 2008-07-21 17:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-07-21 17:08 . 2008-07-21 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-21 17:07 . 2008-07-21 17:07 <DIR> d-------- C:\Program Files\Wal-Mart Music Downloads Store
2008-07-20 15:25 . 2008-07-20 15:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-07-20 15:25 . 2008-07-20 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-07-20 14:04 . 2008-07-20 14:04 <DIR> d-------- C:\Program Files\Levelator
2008-07-10 05:02 . 2008-07-10 05:02 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 01:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-07-26 01:20 --------- d-----w C:\Program Files\mypoints
2008-07-26 01:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-26 00:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-26 00:38 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-26 00:38 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-26 00:38 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-26 00:38 --------- d-----w C:\Program Files\Symantec
2008-07-26 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-23 06:43 --------- d-----w C:\Program Files\Phun
2008-07-21 22:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-21 17:20 --------- d-----w C:\Program Files\Picaboo
2008-06-20 17:05 --------- d-----w C:\Program Files\iTunes
2008-06-20 17:04 --------- d-----w C:\Program Files\iPod
2008-06-20 17:02 --------- d-----w C:\Program Files\QuickTime
2008-06-20 17:02 --------- d-----w C:\Program Files\Bonjour
2008-06-20 16:59 --------- d-----w C:\Program Files\Apple Software Update
2008-06-20 16:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-20 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-27 21:24 39,872 ----a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2007-03-29 00:00 39,872 ----a-w C:\Documents and Settings\Christie\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9052"="command" [X]
"SpybotDeletingD7046"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-20 10:03:47 947544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 SNDMI13;Mega Pixel Camera (8105 SXGA);C:\WINDOWS\system32\DRIVERS\sndmi13.sys [2004-09-17 11:29]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 01:02:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-26 01:01:11 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-07-26 01:00:01 C:\WINDOWS\Tasks\{CC32DA8D-975B-4856-9581-8AA60BB73D54}_CHRISTIE-J_Gayle.job"
- C:\WINDOWS\system32\mobsync.exeE /Schedule=
.
- - - - ORPHANS REMOVED - - - -

BHO-{7CF1F212-A591-4F4A-B063-6A390B04B286} - (no file)
BHO-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
BHO-{CCCBDE71-CF03-473C-A709-3987E5C71892} - (no file)
BHO-{DB036A52-3A88-466B-BD39-05A6D9D9B18A} - (no file)
WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKCU-Run-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
HKLM-Run-50fb7922 - C:\WINDOWS\system32\fmwunsux.dll
HKLM-Run-BM53c84abe - C:\WINDOWS\system32\senjydyf.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 23:14:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-25 23:30:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 04:29:53

Pre-Run: 49,015,521,280 bytes free
Post-Run: 50,101,362,688 bytes free

201 --- E O F --- 2008-07-09 02:50:40

This post has been edited by DakotaYoda: 26 July 2008 - 09:37 AM
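The log above has the three pieces a helper cross-references by eye: the files ComboFix deleted, the registry load points it left, and the "orphan" Run values it removed because their targets were gone. A RunDLL "The specified module cannot be found" message at boot is exactly what rundll32 reports when a load point still names a DLL that no longer exists. The script below is an added example (it is not ComboFix's code and not part of the original post): it parses those three log sections and lists every autostart entry whose target appears in the deletion list, plus entries ComboFix tagged `[X]`, which this example reads as "target could not be resolved" (an assumption about the marker's meaning). The embedded log is a constructed excerpt trimmed from the post.

```python
"""Cross-reference a ComboFix log: which autostart entries still point at
files the same run deleted, or at targets ComboFix could not resolve?
Added example, not ComboFix's own code."""
import re
from typing import Dict, List

# Constructed excerpt, trimmed from the ComboFix log in the post above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\fmwunsux.dll
C:\WINDOWS\system32\ljJDTJyV.dll
C:\WINDOWS\system32\xxyaxXNF.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9052"="command" [X]
"SpybotDeletingD7046"="del" [X]

- - - - ORPHANS REMOVED - - - -

HKLM-Run-50fb7922 - C:\WINDOWS\system32\fmwunsux.dll
HKLM-Run-BM53c84abe - C:\WINDOWS\system32\senjydyf.dll
"""

# Section banners: "((( Name )))" and "- - - - NAME - - - -".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
DASH_SECTION_RE = re.compile(r"^- - - - (.+?) - - - -\s*$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a Windows file path
KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?')
ORPHAN_RE = re.compile(r"^(HK\w+-\w+-\S+) - (.+?)\s*$")  # HKLM-Run-name - path


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split the log into {section name: [non-empty lines]}."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line) or DASH_SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def find_dangling_autostarts(text: str) -> List[dict]:
    """Return autostart entries whose target was deleted in this run
    ("deleted") or that ComboFix flagged with [X] ("unresolved")."""
    sections = parse_sections(text)
    # Paths are case-insensitive on Windows, so compare lower-cased.
    deleted = {p.lower() for p in sections.get("Other Deletions", [])
               if PATH_RE.match(p)}
    findings: List[dict] = []
    key = None
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue                      # REGEDIT4, notes, .lnk lines, etc.
        name, target, flag = vm.groups()
        if target.lower() in deleted:
            findings.append(dict(where=key, name=name, target=target, reason="deleted"))
        elif flag == "X":                 # assumed: [X] = file not found
            findings.append(dict(where=key, name=name, target=target, reason="unresolved"))
    for line in sections.get("ORPHANS REMOVED", []):
        om = ORPHAN_RE.match(line)
        if om and om.group(2).lower() in deleted:
            findings.append(dict(where="orphan", name=om.group(1),
                                 target=om.group(2), reason="deleted"))
    return findings


if __name__ == "__main__":
    for f in find_dangling_autostarts(SAMPLE_LOG):
        print(f"{f['reason']:10} {f['name']:24} -> {f['target']}  ({f['where']})")
```

Run against the excerpt it reports the removed HKLM Run value that pointed at fmwunsux.dll (the DLL named in the boot error) and the two Spybot RunOnce values whose targets are bare commands rather than files; senjydyf.dll is not reported because it never appears in the deletion list. To use it on a full log, replace SAMPLE_LOG with the file's contents.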

