Virtumonde.dll/combofix Results


#1 DakotaYoda (Members, 2 posts)

Posted 26 July 2008 - 09:36 AM

Howdy and, first off, my apologies for the Combofix log post before it's requested -

Doing battle w/ a wonderful virtumonde.dll on my brother's PC. Understood on the risks of running Combofix but felt it was definitely worthwhile. I believe the virtumonde.dll is gone but am still getting several command prompt windows that pop up and quickly disappear on boot and a couple of .dll errors, see below...


RUNDLL error on boot:

error loading c:\WINDOWS\system32\fmwunsux.dll - The specified module cannot be found.

Combofix log below and Hijackthis log available as well... any and all help is most appreciated. Thanks!!!!



ComboFix 08-07-25.3 - Owner 2008-07-25 22:59:58.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.335 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM53c84abe.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\ajfxmarv.dll
C:\WINDOWS\system32\bjdqxs.dll
C:\WINDOWS\system32\cjyhtcpx.dll
C:\WINDOWS\system32\ehtodvmo.ini
C:\WINDOWS\system32\errwbxlr.dll
C:\WINDOWS\system32\fmwunsux.dll
C:\WINDOWS\system32\hasxllgn.dll
C:\WINDOWS\system32\kuqcbiir.dll
C:\WINDOWS\system32\lgnfvkgv.dll
C:\WINDOWS\system32\ljJDTJyV.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nbqgkdpo.dll
C:\WINDOWS\system32\omvdothe.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rkohxv.dll
C:\WINDOWS\system32\sarcxi.dll
C:\WINDOWS\system32\ufmmpy.dll
C:\WINDOWS\system32\uhmnwevd.dll
C:\WINDOWS\system32\vwjmgy.dll
C:\WINDOWS\system32\VyJTDJjl.ini
C:\WINDOWS\system32\VyJTDJjl.ini2
C:\WINDOWS\system32\xpcthyjc.ini
C:\WINDOWS\system32\xusnuwmf.ini
C:\WINDOWS\system32\xxyaxXNF.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 20:06 . 2008-07-25 20:06 <DIR> d-------- C:\VundoFix Backups
2008-07-25 20:01 . 2008-07-25 20:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-25 17:22 . 2008-07-25 17:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-25 17:06 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-07-25 17:06 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-07-25 17:06 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-25 17:06 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-24 17:51 . 2008-07-25 19:59 314 --a------ C:\WINDOWS\wininit.ini
2008-07-24 17:23 . 2008-07-24 17:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-24 17:23 . 2008-07-24 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-23 19:59 . 2008-07-23 19:59 24,820 --a------ C:\WINDOWS\system32\cmkxhlbd.exe
2008-07-23 18:24 . 2008-07-24 18:00 1,179 --ahs---- C:\WINDOWS\system32\nqrgmgic.ini
2008-07-23 18:08 . 2008-07-23 18:10 295 --ahs---- C:\WINDOWS\system32\dnwwlxsl.ini
2008-07-23 01:33 . 2008-07-25 20:00 111,483 --a------ C:\WINDOWS\BM53c84abe.xml
2008-07-23 01:32 . 2008-07-23 01:32 44,037 --ahs---- C:\WINDOWS\system32\fdpokiut.tmp
2008-07-21 20:33 . 2008-07-22 02:41 44,037 --ahs---- C:\WINDOWS\system32\fdpokiut.ini
2008-07-21 20:26 . 2008-07-21 20:26 <DIR> d-------- C:\WINDOWS\system32\carH05
2008-07-21 20:26 . 2008-07-21 20:26 <DIR> d-------- C:\temp\btxv15
2008-07-21 17:08 . 2008-07-21 17:08 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-07-21 17:08 . 2008-07-21 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-07-21 17:07 . 2008-07-21 17:07 <DIR> d-------- C:\Program Files\Wal-Mart Music Downloads Store
2008-07-20 15:25 . 2008-07-20 15:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2008-07-20 15:25 . 2008-07-20 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-07-20 14:04 . 2008-07-20 14:04 <DIR> d-------- C:\Program Files\Levelator
2008-07-10 05:02 . 2008-07-10 05:02 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 01:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-07-26 01:20 --------- d-----w C:\Program Files\mypoints
2008-07-26 01:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-26 00:39 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-26 00:38 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-26 00:38 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-26 00:38 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-26 00:38 --------- d-----w C:\Program Files\Symantec
2008-07-26 00:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-23 06:43 --------- d-----w C:\Program Files\Phun
2008-07-21 22:07 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-21 17:20 --------- d-----w C:\Program Files\Picaboo
2008-06-20 17:05 --------- d-----w C:\Program Files\iTunes
2008-06-20 17:04 --------- d-----w C:\Program Files\iPod
2008-06-20 17:02 --------- d-----w C:\Program Files\QuickTime
2008-06-20 17:02 --------- d-----w C:\Program Files\Bonjour
2008-06-20 16:59 --------- d-----w C:\Program Files\Apple Software Update
2008-06-20 16:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-06-20 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-27 21:24 39,872 ----a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2007-03-29 00:00 39,872 ----a-w C:\Documents and Settings\Christie\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB9052"="command" [X]
"SpybotDeletingD7046"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34 213936]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18 443968]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-01-20 10:03:47 947544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 SNDMI13;Mega Pixel Camera (8105 SXGA);C:\WINDOWS\system32\DRIVERS\sndmi13.sys [2004-09-17 11:29]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-24 01:02:38 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-26 01:01:11 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
"2008-07-26 01:00:01 C:\WINDOWS\Tasks\{CC32DA8D-975B-4856-9581-8AA60BB73D54}_CHRISTIE-J_Gayle.job"
- C:\WINDOWS\system32\mobsync.exeE /Schedule=
.
- - - - ORPHANS REMOVED - - - -

BHO-{7CF1F212-A591-4F4A-B063-6A390B04B286} - (no file)
BHO-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
BHO-{CCCBDE71-CF03-473C-A709-3987E5C71892} - (no file)
BHO-{DB036A52-3A88-466B-BD39-05A6D9D9B18A} - (no file)
WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
HKCU-Run-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
HKLM-Run-50fb7922 - C:\WINDOWS\system32\fmwunsux.dll
HKLM-Run-BM53c84abe - C:\WINDOWS\system32\senjydyf.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 23:14:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-25 23:30:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 04:29:53

Pre-Run: 49,015,521,280 bytes free
Post-Run: 50,101,362,688 bytes free

201 --- E O F --- 2008-07-09 02:50:40

Edited by DakotaYoda, 26 July 2008 - 09:37 AM.
