Virtumonde "the Flavor Of The Month"


2 replies to this topic

#1 SGM


Posted 31 May 2008 - 09:23 PM

Per your excellent instructions on the removal of the spyware Virtumonde, I downloaded and ran the programs required. It "seems" to have completely removed the infestation from my computer (and I was just getting good at clicking to close those pesky dialogue boxes). As a follow-up, and per your instructions, I am including the ComboFix log file for one of the resident security experts to review. I just want to make sure that this thing is really dead and not waiting in the background for some type of alien rebirth. So here it is, folks. Let me know how I stand.

As a side note, this is one terrific site and I will pass the word to my other techie friends.

Thanks Again


ComboFix 08-05-29.1 - Ken Maness 2008-05-31 20:57:21.1 - NTFSx86
Running from: C:\Documents and Settings\Ken\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\winzzc32.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 20:09 . 2008-05-31 20:09 19,456 --a------ C:\WINDOWS\SYSTEM32\drvcos.dll
2008-05-31 07:04 . 2008-05-31 07:04 19,456 --a------ C:\WINDOWS\SYSTEM32\drvbof.dll
2008-05-30 18:09 . 2008-05-30 18:09 19,456 --a------ C:\WINDOWS\SYSTEM32\drvzuv.dll
2008-05-30 08:49 . 2008-05-30 08:49 19,456 --a------ C:\WINDOWS\SYSTEM32\drvdap.dll
2008-05-29 18:52 . 2008-05-29 18:52 19,456 --a------ C:\WINDOWS\SYSTEM32\drvzoj.dll
2008-05-29 18:52 . 2008-05-31 20:09 145 --a------ C:\WINDOWS\SYSTEM32\winver.bat
2008-05-29 17:08 . 2008-05-29 17:59 0 --a------ C:\WINDOWS\SYSTEM32\video.avs
2008-05-29 17:03 . 2008-05-29 17:39 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\dvdcss
2008-05-29 15:30 . 2008-05-29 16:29 5 --a------ C:\WINDOWS\SYSTEM32\SySdwavrip.dat
2008-05-29 15:08 . 2008-05-29 15:08 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\AVS4YOU
2008-05-28 14:04 . 2008-05-28 14:04 <DIR> d-------- C:\Program Files\Theme Generator
2008-05-19 14:47 . 2008-05-31 21:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-19 14:47 . 2008-05-19 14:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-19 14:45 . 2008-05-19 14:45 <DIR> d-------- C:\Program Files\iPod
2008-05-19 14:44 . 2008-05-19 14:46 <DIR> d-------- C:\Program Files\iTunes
2008-05-19 14:33 . 2008-05-19 14:35 <DIR> d-------- C:\Program Files\QuickTime
2008-05-19 14:23 . 2008-05-19 14:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-16 12:22 . 2008-05-29 18:55 2 --a------ C:\2019634371
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-16 00:49 . 2008-05-16 00:49 34 --ah----- C:\WINDOWS\SYSTEM32\Converter_sysquict.dat
2008-05-16 00:48 . 2008-05-16 00:50 <DIR> d-------- C:\Program Files\Cool Free All Video to Mp4 MPEG Converter
2008-05-10 10:19 . 2008-05-10 10:19 588 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-05-10 10:19 . 2008-05-10 10:19 588 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-05-10 10:17 . 2003-03-05 12:19 15,840 --------- C:\WINDOWS\SYSTEM32\DRIVERS\PFMODNT.SYS
2008-05-09 13:54 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-05-09 10:20 . 2008-05-09 10:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-09 10:20 . 2008-05-09 10:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-09 10:20 . 2008-05-09 10:20 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-09 09:43 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-05-09 09:41 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-05-09 09:40 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-05-08 10:12 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\SYSTEM32\audiopid.vxd
2008-05-08 09:53 . 2008-05-30 11:01 <DIR> d-------- C:\iSofterOutput
2008-05-08 09:35 . 2008-05-16 00:43 <DIR> d-------- C:\Program Files\iSofter
2008-05-05 12:12 . 2008-05-05 12:12 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-01 00:01 --------- d-----w C:\Program Files\QUICKENW
2008-05-31 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-31 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 23:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-30 21:59 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 21:59 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 21:59 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 21:59 --------- d-----w C:\Program Files\Symantec
2008-05-30 02:54 --------- d-----w C:\Program Files\Norton 360
2008-05-29 19:10 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-05-28 17:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-28 12:24 --------- d-----w C:\Program Files\AvantGo
2008-05-27 12:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-26 12:27 --------- d-----w C:\Program Files\Flash Effect Maker
2008-05-23 13:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-23 13:40 --------- d-----w C:\Program Files\MSECache
2008-05-23 02:49 --------- d-----w C:\Program Files\Lavasoft
2008-05-23 02:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 14:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-09 12:58 30,694 ----a-w C:\WINDOWS\system32\drivers\Mmc_2k.sys
2008-05-09 12:58 25,962 ----a-w C:\WINDOWS\system32\drivers\Dvd_2k.sys
2008-05-09 12:58 242,048 ----a-w C:\WINDOWS\system32\drivers\cdudf_xp.sys
2008-05-09 12:58 206,464 ----a-w C:\WINDOWS\system32\drivers\udfreadr_xp.sys
2008-05-09 12:58 151,066 ----a-w C:\WINDOWS\system32\drivers\pwd_2K.sys
2008-05-09 12:58 --------- d-----w C:\Program Files\Roxio
2008-05-09 12:58 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-05-08 14:12 --------- d-----w C:\Program Files\Creative
2008-05-07 13:10 61,440 ----a-w C:\WINDOWS\wnUninstall.exe
2008-05-07 13:10 --------- d-----w C:\Program Files\Common Files\WITN 7 First Alert
2008-05-03 03:26 --------- d-----w C:\Program Files\Savings Bond Wizard
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 12:06 --------- d-----w C:\Program Files\Picasa2
2008-04-21 23:42 --------- d-----w C:\Program Files\MediaComplete
2008-04-21 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaComplete
2008-04-20 02:12 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-04-19 11:23 --------- d-----w C:\Program Files\Google
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 04:42 202088]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 17:05 225280]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-03-12 08:25 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-12 08:25 11776]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 28672]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-05-09 08:58 684032]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-08-30 16:29 520192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 13:30 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-03 09:22 185632]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 14:16 49152]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"MSDisp32"="C:\WINDOWS\system32\drvcos.dll" [2008-05-31 20:09 19456]

C:\Documents and Settings\Ken\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-12-24 10:53:22 157008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-05-06 22:59:12 82026]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-08 11:14:45 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-17 22:18:13 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 05:00:46 972064]
RAMASST.lnk - C:\WINDOWS\SYSTEM32\RAMAsst.exe [2007-12-20 00:19:49 167936]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-05-05 12:39:18 106560]
WITN 7 First Alert.lnk - C:\Program Files\Common Files\WITN 7 First Alert\TrueWeather.exe [2004-12-09 13:33:43 5784576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\WITN 7 First Alert\\TrueWeather.exe"=
"C:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PrecSim;PrecSim;C:\WINDOWS\system32\DRIVERS\precsim.sys [2002-05-22 04:00]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 11:42]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6b44b18-d04c-11dc-857e-0007e9ef1ea9}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 19:57:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-22 12:12:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-12 12:12:38 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 21:07:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\SYSTEM32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\DVDRAMSV.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-05-31 21:28:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-01 01:28:11

Pre-Run: 79,872,368,640 bytes free
Post-Run: 79,885,758,464 bytes free

313 --- E O F --- 2008-05-23 02:21:20

#2 SGM


Posted 01 June 2008 - 06:13 AM

My Bad!!!!
Before I could say "Clean at last" the pesky Virtumonde was back.
After going back and re-reading the instructions, I found I needed to run both MBAM and ComboFix, in that order.
So after doing that I am now ready to post the new logs.
I need one of the Security experts to look over these logs and proclaim me to be clean of this pesky malware.

Once proclaimed clean, do I need to delete the Combofix and related files and keep MBAM for any future infestations?
Also, I have noticed that many of the posts that were added after mine have been replied to, and I have yet to receive a reply.
I am very new to this forum and wonder if I did something wrong in my initial post.



Malwarebytes' Anti-Malware 1.14
Database version: 811

11:19:35 PM 5/31/2008
mbam-log-5-31-2008 (23-19-35).txt

Scan type: Quick Scan
Objects scanned: 39534
Time elapsed: 9 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\drvdap.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\drvcos.dll (Trojan.Vundo) -> Delete on reboot.



ComboFix 08-05-29.1 - Ken Maness 2008-05-31 23:31:40.2 - NTFSx86
Running from: C:\Documents and Settings\Ken\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 22:53 . 2008-05-31 22:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-31 22:53 . 2008-05-31 22:53 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\Malwarebytes
2008-05-31 22:53 . 2008-05-31 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 22:53 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-31 22:53 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-31 07:04 . 2008-05-31 07:04 19,456 --a------ C:\WINDOWS\SYSTEM32\drvbof.dll
2008-05-30 18:09 . 2008-05-30 18:09 19,456 --a------ C:\WINDOWS\SYSTEM32\drvzuv.dll
2008-05-29 18:52 . 2008-05-29 18:52 19,456 --a------ C:\WINDOWS\SYSTEM32\drvzoj.dll
2008-05-29 18:52 . 2008-05-31 20:09 145 --a------ C:\WINDOWS\SYSTEM32\winver.bat
2008-05-29 17:08 . 2008-05-29 17:59 0 --a------ C:\WINDOWS\SYSTEM32\video.avs
2008-05-29 17:03 . 2008-05-29 17:39 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\dvdcss
2008-05-29 15:30 . 2008-05-29 16:29 5 --a------ C:\WINDOWS\SYSTEM32\SySdwavrip.dat
2008-05-29 15:08 . 2008-05-29 15:08 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\AVS4YOU
2008-05-28 14:04 . 2008-05-28 14:04 <DIR> d-------- C:\Program Files\Theme Generator
2008-05-19 14:47 . 2008-05-31 23:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-19 14:47 . 2008-05-19 14:47 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-19 14:45 . 2008-05-19 14:45 <DIR> d-------- C:\Program Files\iPod
2008-05-19 14:44 . 2008-05-19 14:46 <DIR> d-------- C:\Program Files\iTunes
2008-05-19 14:33 . 2008-05-19 14:35 <DIR> d-------- C:\Program Files\QuickTime
2008-05-19 14:23 . 2008-05-19 14:23 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-16 12:22 . 2008-05-29 18:55 2 --a------ C:\2019634371
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-05-16 00:49 . 2008-05-16 00:49 34 --ah----- C:\WINDOWS\SYSTEM32\Converter_sysquict.dat
2008-05-16 00:48 . 2008-05-16 00:50 <DIR> d-------- C:\Program Files\Cool Free All Video to Mp4 MPEG Converter
2008-05-10 10:19 . 2008-05-10 10:19 588 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-05-10 10:19 . 2008-05-10 10:19 588 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-05-10 10:17 . 2003-03-05 12:19 15,840 --------- C:\WINDOWS\SYSTEM32\DRIVERS\PFMODNT.SYS
2008-05-09 13:54 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-05-09 10:20 . 2008-05-09 10:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-05-09 10:20 . 2008-05-09 10:20 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-05-09 10:20 . 2008-05-09 10:20 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-09 09:43 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\SYSTEM32\wlanapi.dll
2008-05-09 09:41 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\SYSTEM32\mmcex.dll
2008-05-09 09:40 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-05-08 10:12 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\SYSTEM32\audiopid.vxd
2008-05-08 09:53 . 2008-05-30 11:01 <DIR> d-------- C:\iSofterOutput
2008-05-08 09:35 . 2008-05-16 00:43 <DIR> d-------- C:\Program Files\iSofter
2008-05-05 12:12 . 2008-05-05 12:12 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 02:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-01 02:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-01 00:01 --------- d-----w C:\Program Files\QUICKENW
2008-05-31 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-31 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 21:59 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-30 21:59 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-05-30 21:59 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-30 21:59 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-30 21:59 --------- d-----w C:\Program Files\Symantec
2008-05-30 02:54 --------- d-----w C:\Program Files\Norton 360
2008-05-29 19:10 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-05-28 17:26 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-28 12:24 --------- d-----w C:\Program Files\AvantGo
2008-05-27 12:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-05-26 12:27 --------- d-----w C:\Program Files\Flash Effect Maker
2008-05-23 13:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-23 13:40 --------- d-----w C:\Program Files\MSECache
2008-05-23 02:49 --------- d-----w C:\Program Files\Lavasoft
2008-05-23 02:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 02:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-10 14:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-09 12:58 49,152 ----a-w C:\WINDOWS\SYSTEM32\cdrtc.dll
2008-05-09 12:58 45,056 ----a-w C:\WINDOWS\SYSTEM32\cdral.dll
2008-05-09 12:58 30,694 ----a-w C:\WINDOWS\system32\drivers\Mmc_2k.sys
2008-05-09 12:58 25,962 ----a-w C:\WINDOWS\system32\drivers\Dvd_2k.sys
2008-05-09 12:58 242,048 ----a-w C:\WINDOWS\system32\drivers\cdudf_xp.sys
2008-05-09 12:58 206,464 ----a-w C:\WINDOWS\system32\drivers\udfreadr_xp.sys
2008-05-09 12:58 151,066 ----a-w C:\WINDOWS\system32\drivers\pwd_2K.sys
2008-05-09 12:58 --------- d-----w C:\Program Files\Roxio
2008-05-09 12:58 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2008-05-08 14:12 --------- d-----w C:\Program Files\Creative
2008-05-07 13:10 61,440 ----a-w C:\WINDOWS\wnUninstall.exe
2008-05-07 13:10 --------- d-----w C:\Program Files\Common Files\WITN 7 First Alert
2008-05-03 03:26 --------- d-----w C:\Program Files\Savings Bond Wizard
2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-23 12:06 --------- d-----w C:\Program Files\Picasa2
2008-04-21 23:42 --------- d-----w C:\Program Files\MediaComplete
2008-04-21 23:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaComplete
2008-04-20 02:12 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-04-19 11:23 --------- d-----w C:\Program Files\Google
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\SYSTEM32\setupapi.dll
2008-04-14 09:42 11,264 ------w C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\SYSTEM32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\SYSTEM32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\SYSTEM32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\SYSTEM32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\SYSTEM32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\SYSTEM32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\SYSTEM32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\SYSTEM32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\SYSTEM32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\SYSTEM32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\SYSTEM32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-31_21.27.38.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-01 01:05:45 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-01 03:22:52 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 04:42 202088]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL" [2003-10-06 14:16 49152]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2002-12-13 17:05 225280]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2005-03-12 08:25 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-12 08:25 11776]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 28672]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-05-09 08:58 684032]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-08-30 16:29 520192]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 13:30 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-03 09:22 185632]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2003-10-06 14:16 49152]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 01:01 135264]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

C:\Documents and Settings\Ken\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-12-24 10:53:22 157008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-05-06 22:59:12 82026]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-08-08 11:14:45 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-04-17 22:18:13 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 05:00:46 972064]
RAMASST.lnk - C:\WINDOWS\SYSTEM32\RAMAsst.exe [2007-12-20 00:19:49 167936]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-05-05 12:39:18 106560]
WITN 7 First Alert.lnk - C:\Program Files\Common Files\WITN 7 First Alert\TrueWeather.exe [2004-12-09 13:33:43 5784576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"MSACM.CEGSM"= mobilev.acm
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\WITN 7 First Alert\\TrueWeather.exe"=
"C:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Intuit\\QuickBooks 2005\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PrecSim;PrecSim;C:\WINDOWS\system32\DRIVERS\precsim.sys [2002-05-22 04:00]
R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 17:09]
R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 17:09]
R2 mrtRate;mrtRate;C:\WINDOWS\system32\drivers\mrtRate.sys [2001-02-28 11:42]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6b44b18-d04c-11dc-857e-0007e9ef1ea9}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 19:57:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-22 12:12:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-12 12:12:38 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 23:43:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 23:55:12
ComboFix-quarantined-files.txt 2008-06-01 03:54:48
ComboFix2.txt 2008-06-01 01:28:39

Pre-Run: 80,489,324,544 bytes free
Post-Run: 80,483,176,448 bytes free

273 --- E O F --- 2008-05-23 02:21:20
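One way a helper reads a log like the one above, added here as an example that is not part of the thread and is not ComboFix's or BleepingComputer's code: a small Python triage pass that pulls the loading points out of ComboFix-style sections and flags the settings a reviewer checks first (autostarts launching from user-writable locations, the Windows Firewall profile set to 0, Security Center monitoring disabled, AutoRun commands recorded for removable drives). The log text inside the block is constructed to mirror the shape of the sections posted above; the "Updater" entry is invented for the example, and the classification rules are assumptions of the example rather than anything ComboFix itself reports.

```python
"""Triage pass over a ComboFix-style log (added example; not ComboFix code)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # registry key the line was listed under
    kind: str      # short tag used to group findings
    detail: str    # the value that triggered the finding
    note: str      # why a reviewer should look at it


# Constructed sample, shaped like the sections ComboFix prints; the
# "Updater" entry is invented for the example and is not from the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"Updater"="C:\Documents and Settings\User\Local Settings\Temp\upd.exe" [2008-05-30 01:12 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 21:54 116072]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
MONITOR_OFF_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')

# Assumption of this example: a per-machine autostart that launches from
# one of these user-writable locations deserves a closer look.
USER_WRITABLE = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\", "\\recycler\\")


def resolved_path(value, meta):
    """ComboFix lists a bare filename (e.g. "nwiz.exe") and appends the
    path it resolved inside the brackets; prefer that resolved path."""
    if "\\" in value:
        return value
    for token in meta.split():
        if "\\" in token:
            return meta[meta.index(token):]   # path may contain spaces
    return value


def triage(log_text):
    """Return the Findings a reviewer would want to see first."""
    findings = []
    section = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        low = section.lower()
        if low.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                path = resolved_path(m.group("value"), m.group("meta"))
                if any(tag in path.lower() for tag in USER_WRITABLE):
                    findings.append(Finding(section, "run-from-user-writable",
                                            f'{m.group("name")} -> {path}',
                                            "autostart runs from a user-writable location; confirm what installed it"))
        elif "firewallpolicy" in low and FIREWALL_OFF_RE.match(line):
            findings.append(Finding(section, "windows-firewall-off", line,
                                    "Windows Firewall profile is off; acceptable only if another firewall is active"))
        elif "security center\\monitoring" in low and MONITOR_OFF_RE.match(line):
            findings.append(Finding(section, "security-center-monitoring-off", line,
                                    "Security Center alerting suppressed; third-party suites set this, so does malware"))
        elif "mountpoints2" in low:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(Finding(section, "removable-autorun", m.group("cmd"),
                                        "AutoRun command recorded for a removable drive; inspect the executable on the media"))
    return findings


def kinds(findings):
    """Distinct finding tags, sorted, for a quick summary."""
    return sorted({f.kind for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.note}  ({f.section})")
```

The output is a list of review prompts, not verdicts. A Symantec suite, which the posted log shows as installed (ccApp, PIFSvc), sets DisableMonitoring for its own components and can stand in for the Windows Firewall, so the firewall and Security Center flags are expected on this particular machine; the value of the pass is that it makes the helper look at each loading point rather than deciding for them.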

#3 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:02:30 AM

Posted 06 June 2008 - 09:12 AM

SGM

It is not recommended that you run ComboFix without a HijackThis helper's assistance.

1. Open Notepad (not WordPad). Copy and paste the following into Notepad:
File::
C:\WINDOWS\SYSTEM32\drvbof.dll
C:\WINDOWS\SYSTEM32\drvzuv.dll
C:\WINDOWS\SYSTEM32\drvzoj.dll
Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.
You will be prompted to run ComboFix again; do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.
2. Rerun HijackThis and post a fresh HijackThis log as well.

Microsoft MVP - Windows Security



