
Virtumonde.dll Removal/combofix



#1 DakotaYoda


Posted 26 July 2008 - 08:59 AM

Howdy -

Doing battle w/ a wonderful virtumonde.dll on my brother's pc. Running much better now but am still getting several command prompt windows on boot and a couple of .dll errors which I neglected to write down but can sure get the info and repost if necessary.

Combofix log... any and all help is most appreciated. Thanks!!!!



ComboFix 08-07-25.3 - Owner 2008-07-25 22:59:58.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.335 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM53c84abe.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ajfxmarv.dll
C:\WINDOWS\system32\bjdqxs.dll
C:\WINDOWS\system32\cjyhtcpx.dll
C:\WINDOWS\system32\ehtodvmo.ini
C:\WINDOWS\system32\errwbxlr.dll
C:\WINDOWS\system32\fmwunsux.dll
C:\WINDOWS\system32\hasxllgn.dll
C:\WINDOWS\system32\kuqcbiir.dll
C:\WINDOWS\system32\lgnfvkgv.dll
C:\WINDOWS\system32\ljJDTJyV.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nbqgkdpo.dll
C:\WINDOWS\system32\omvdothe.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rkohxv.dll
C:\WINDOWS\system32\sarcxi.dll
C:\WINDOWS\system32\ufmmpy.dll
C:\WINDOWS\system32\uhmnwevd.dll
C:\WINDOWS\system32\vwjmgy.dll
C:\WINDOWS\system32\VyJTDJjl.ini
C:\WINDOWS\system32\VyJTDJjl.ini2
C:\WINDOWS\system32\xpcthyjc.ini
C:\WINDOWS\system32\xusnuwmf.ini
C:\WINDOWS\system32\xxyaxXNF.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 20:06 . 2008-07-25 20:06 <DIR> d-------- C:\VundoFix Backups
2008-07-25 20:01 . 2008-07-25 20:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-25 17:22 . 2008-07-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 17:06 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-25 17:06 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-25 17:06 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-25 17:06 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-24 17:51 . 2008-07-25 19:59 314 --a------ C:\WINDOWS\wininit.ini
2008-07-24 17:23 . 2008-07-24 17:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-24 17:23 . 2008-07-24 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-23 19:59 . 2008-07-23 19:59 24,820 --a------ C:\WINDOWS\system32\cmkxhlbd.exe
2008-07-23 18:24 . 2008-07-24 18:00 1,179 --ahs---- C:\WINDOWS\system32\nqrgmgic.ini
2008-07-23 18:08 . 2008-07-23 18:10 295 --ahs---- C:\WINDOWS\system32\dnwwlxsl.ini
2008-07-23 01:33 . 2008-07-25 20:00 111,483 --a------ C:\WINDOWS\BM53c84abe.xml
2008-07-23 01:32 . 2008-07-23 01:32 44,037 --ahs---- C:\WINDOWS\system32\fdpokiut.tmp
2008-07-21 20:33 . 2008-07-22 02:41 44,037 --ahs---- C:\WINDOWS\system32\fdpokiut.ini
2008-07-21 20:26 . 2008-07-21 20:26 <DIR> d-------- C:\WINDOWS\system32\carH05
2008-07-21 20:26 . 2008-07-21 20:26 <DIR> d-------- C:\temp\btxv15
2008-07-21 17:08 . 2008-07-21 17:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-07-21 17:08 . 2008-07-21 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-21 17:07 . 2008-07-21 17:07 <DIR> d-------- C:\Program Files\Wal-Mart Music Downloads Store
2008-07-20 15:25 . 2008-07-20 15:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-07-20 15:25 . 2008-07-20 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-07-20 14:04 . 2008-07-20 14:04 <DIR> d-------- C:\Program Files\Levelator
2008-07-10 05:02 . 2008-07-10 05:02 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 01:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-07-26 01:20 --------- d-----w C:\Program Files\mypoints
2008-07-26 01:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-26 00:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-26 00:38 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-26 00:38 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-26 00:38 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-26 00:38 --------- d-----w C:\Program Files\Symantec
2008-07-26 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-23 06:43 --------- d-----w C:\Program Files\Phun
2008-07-21 22:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-21 17:20 --------- d-----w C:\Program Files\Picaboo
2008-06-20 17:05 --------- d-----w C:\Program Files\iTunes
2008-06-20 17:04 --------- d-----w C:\Program Files\iPod
2008-06-20 17:02 --------- d-----w C:\Program Files\QuickTime
2008-06-20 17:02 --------- d-----w C:\Program Files\Bonjour
2008-06-20 16:59 --------- d-----w C:\Program Files\Apple Software Update
2008-06-20 16:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-20 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-27 21:24 39,872 ----a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2007-03-29 00:00 39,872 ----a-w C:\Documents and Settings\Christie\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9052"="command" [X]
"SpybotDeletingD7046"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-20 10:03:47 947544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 SNDMI13;Mega Pixel Camera (8105 SXGA);C:\WINDOWS\system32\DRIVERS\sndmi13.sys [2004-09-17 11:29]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 01:02:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-26 01:01:11 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-07-26 01:00:01 C:\WINDOWS\Tasks\{CC32DA8D-975B-4856-9581-8AA60BB73D54}_CHRISTIE-J_Gayle.job"
- C:\WINDOWS\system32\mobsync.exeE /Schedule=
.
- - - - ORPHANS REMOVED - - - -

BHO-{7CF1F212-A591-4F4A-B063-6A390B04B286} - (no file)
BHO-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
BHO-{CCCBDE71-CF03-473C-A709-3987E5C71892} - (no file)
BHO-{DB036A52-3A88-466B-BD39-05A6D9D9B18A} - (no file)
WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKCU-Run-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
HKLM-Run-50fb7922 - C:\WINDOWS\system32\fmwunsux.dll
HKLM-Run-BM53c84abe - C:\WINDOWS\system32\senjydyf.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 23:14:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-25 23:30:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 04:29:53

Pre-Run: 49,015,521,280 bytes free
Post-Run: 50,101,362,688 bytes free

201 --- E O F --- 2008-07-09 02:50:40

Edited by DakotaYoda, 26 July 2008 - 09:09 AM.
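As an added example (not part of this thread and not ComboFix's own code), a small Python reader for the ComboFix log format that pulls out what a helper would note in the log above: DLLs ComboFix removed from system32, the Security Center and Windows Firewall settings that were switched off, and the orphaned HKLM Run values that pointed at a DLL. The section banners, registry keys and paths are copied from the posted log; the sample text is a constructed excerpt of it.

```python
# Constructed excerpt of the ComboFix log posted above (paths and keys copied from that log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ajfxmarv.dll
C:\WINDOWS\system32\ljJDTJyV.dll
C:\WINDOWS\system32\MSINET.oca
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
HKLM-Run-50fb7922 - C:\WINDOWS\system32\fmwunsux.dll
HKLM-Run-BM53c84abe - C:\WINDOWS\system32\senjydyf.dll
"""

def parse_sections(text):
    """Group log lines under the ComboFix banner ('((( Title )))' or '- - TITLE - -') above them."""
    sections, current = {"": []}, ""
    for line in text.splitlines():
        s = line.strip()
        if s and s[0] in "(-" and s[-1] in ")-" and s.strip("()- "):
            current = s.strip("()- ")
            sections.setdefault(current, [])
        elif s not in ("", "."):  # ComboFix pads sections with lone '.' lines
            sections[current].append(s)
    return sections

def is_system32_dll(path):
    return path.lower().startswith("c:\\windows\\system32\\") and path.lower().endswith(".dll")

def flag_findings(text):
    """Return (finding, evidence) pairs a reviewer would pull out of this log."""
    sections, findings, key = parse_sections(text), [], ""
    # ComboFix lists only what it removed, so a DLL deleted from system32 was a dropped component.
    for path in sections.get("Other Deletions", []):
        if is_system32_dll(path):
            findings.append(("system32 DLL removed", path))
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif "security center" in key and line == '"DisableMonitoring"=dword:00000001':
            findings.append(("Security Center monitoring disabled", key))
        elif "firewallpolicy" in key and line.startswith('"EnableFirewall"= 0'):
            findings.append(("Windows Firewall disabled", key))
    for line in sections.get("ORPHANS REMOVED", []):  # Run values that pointed at a DLL
        if line.startswith("HKLM-Run-") and is_system32_dll(line.split(" - ", 1)[-1]):
            findings.append(("Run key loaded a DLL", line.split(" - ", 1)[-1]))
    return findings
```

Run `flag_findings(SAMPLE_LOG)` to get the six findings for this excerpt; pass the full text of a log to get the same summary for it.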



#2 dc3


Posted 26 July 2008 - 09:17 AM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

I will have a moderator close this topic.

dc3

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
