Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Are WiFi Network Names Protected by the First Amendment?

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Photo

Help getting rid of Virtumonde

Started by caseface , Dec 28 2008 03:32 PM

  • This topic is locked This topic is locked
1 reply to this topic

#1 caseface

caseface

  • Members
  • 2 posts
  • OFFLINE
    •  
  • Local time:07:20 AM

Posted 28 December 2008 - 03:32 PM

Here is the log from ComboFix ,

Can some help me.....


ComboFix 08-12-28.01 - DADS 2008-12-28 12:17:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.650 [GMT -8:00]
Running from: J:\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Matthew\Application Data\FunWebProducts
c:\documents and settings\Matthew\Application Data\FunWebProducts\Data\Matthew\avatar.dat
c:\documents and settings\Matthew\Application Data\FunWebProducts\Data\Matthew\zbucks.dat
c:\windows\Install.txt
c:\windows\system32\Cache
c:\windows\system32\ddcYpnki.dll.vir
c:\windows\system32\ddcYppoO.dll
c:\windows\system32\geBrSiIY.dll.vir
c:\windows\system32\hpfgqk.dll
c:\windows\system32\jkkLBssS.dll
c:\windows\system32\OoppYcdd.ini
c:\windows\system32\OoppYcdd.ini2
c:\windows\system32\qhpmbvws.dll.vir
c:\windows\system32\rlnvdjqw.dll
c:\windows\system32\rqRKARhh.dll
c:\windows\system32\tmp0_753803216614.bk
c:\windows\system32\uegusbbg.dll
c:\windows\system32\vcyhfika.dll

----- BITS: Possible infected sites -----

hxxp://eh914.homeip.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_NOBICYT
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PERFMONS
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Service_AFinding
-------\Service_perfmons
-------\Service_perfs
-------\Service_Routing
-------\Service_WServing


((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-28 12:23 . 2008-12-28 12:23 <DIR> d-------- c:\windows\LastGood
2008-12-28 12:23 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-28 09:55 . 2008-12-28 10:26 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-28 09:55 . 2008-12-28 12:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-27 21:56 . 2008-12-27 21:56 <DIR> d-------- c:\program files\Trojan Remover
2008-12-27 21:56 . 2008-12-27 21:56 <DIR> d-------- c:\documents and settings\DADS\Application Data\Simply Super Software
2008-12-27 21:56 . 2008-12-27 21:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-12-27 21:56 . 2006-05-25 14:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2008-12-27 21:56 . 2003-02-02 19:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2008-12-27 21:56 . 2005-08-26 00:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2008-12-27 21:56 . 2002-03-06 00:00 75,264 --a------ c:\windows\system32\unacev2.dll
2008-12-27 21:56 . 2006-06-19 12:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2008-12-27 21:19 . 2008-12-27 21:20 <DIR> d-------- c:\program files\CCleaner
2008-12-27 16:20 . 2008-12-27 22:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 12:51 . 2008-12-27 12:51 132,096 --a------ c:\windows\ulugitul.dll.vir
2008-12-27 12:39 . 2008-12-27 12:39 2 --a------ C:\819263107
2008-12-27 12:38 . 2008-12-27 12:38 44,032 --a------ c:\windows\Vgofe.dll.vir
2008-12-27 12:38 . 2008-12-27 12:38 44,032 --a------ C:\iuauk.exe
2008-12-27 12:32 . 2008-12-27 12:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
2008-12-27 12:31 . 2008-12-27 12:31 <DIR> d-------- c:\documents and settings\Matthew\Application Data\Datel
2008-12-26 15:51 . 2008-12-26 15:51 <DIR> d-------- c:\documents and settings\Darren\Application Data\Sony
2008-12-26 15:14 . 2008-12-26 15:14 <DIR> d-------- c:\documents and settings\Matthew\Application Data\Sony
2008-12-26 15:14 . 2008-12-26 15:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2008-12-26 15:12 . 2008-12-26 15:12 <DIR> d-------- c:\program files\Common Files\Sony Shared
2008-12-26 15:10 . 2008-12-26 15:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Corporation
2008-12-23 16:39 . 2008-04-25 19:41 218,624 --a--c--- c:\windows\system32\dllcache\uxtheme.dll
2008-12-23 13:28 . 2008-12-24 06:56 <DIR> d-------- c:\documents and settings\Matthew\Application Data\PowerChallenge
2008-12-23 11:08 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-23 11:06 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-23 10:57 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-20 09:56 . 2008-12-20 09:56 <DIR> d-------- c:\program files\Apple Software Update
2008-12-14 17:31 . 2008-12-14 17:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-08 23:04 . 2008-12-08 23:04 <DIR> d-------- c:\program files\iTunes
2008-12-08 23:04 . 2008-12-08 23:04 <DIR> d-------- c:\program files\iPod
2008-12-08 23:04 . 2008-12-08 23:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-02 21:09 . 2008-12-02 21:09 <DIR> d-------- c:\program files\MSBuild
2008-12-02 21:08 . 2008-12-16 17:36 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-02 12:37 . 2008-12-20 19:45 <DIR> d-------- c:\documents and settings\DADS\Application Data\DVD Flick
2008-12-02 12:37 . 2004-03-09 00:00 609,824 --a------ c:\windows\system32\comctl32.ocx
2008-12-02 12:37 . 1998-06-24 00:00 164,144 --a------ c:\windows\system32\comct232.ocx
2008-12-02 12:37 . 2007-08-31 18:36 36,864 --a------ c:\windows\system32\trayicon_handler.ocx
2008-12-02 12:37 . 2008-08-31 13:27 28,672 --a------ c:\windows\system32\mousewheel.ocx
2008-11-30 20:37 . 2008-11-30 20:38 <DIR> d-------- c:\documents and settings\Darren\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 06:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-27 23:56 --------- d-----w c:\documents and settings\DADS\Application Data\uTorrent
2008-12-26 23:36 --------- d-----w c:\program files\Google
2008-12-26 23:12 --------- d-----w c:\program files\Sony
2008-12-26 18:52 --------- d-----w c:\documents and settings\Darren\Application Data\PowerChallenge
2008-12-24 07:58 --------- d-----w c:\program files\Bonjour
2008-12-23 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-20 17:56 --------- d-----w c:\program files\QuickTime
2008-12-15 01:30 --------- d-----w c:\program files\Java
2008-12-09 07:04 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 19:07 --------- d-----w c:\documents and settings\DADS\Application Data\Apple Computer
2008-11-12 03:50 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 03:50 --------- d-----w c:\program files\AnalyzerSoftware
2008-11-08 00:34 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-11-08 00:24 --------- d-----w c:\program files\McAfee
2008-11-08 00:24 --------- d-----w c:\program files\Common Files\Cisco Systems
2008-11-08 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-11-08 00:23 --------- d-----w c:\program files\Common Files\McAfee
2008-11-02 01:09 --------- d-----w c:\program files\Common Files\Sagekey Software
2008-11-02 01:08 --------- d-----w c:\program files\Snapshot Viewer
2008-10-17 00:37 30 ----a-w c:\documents and settings\Matthew\jagex_runescape_preferences.dat
2008-01-28 19:00 56,912 ----a-w c:\documents and settings\Darren\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=hpfgqk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRegistrationService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVLibraryService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNetworkService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVRecordingEngine.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVGuideDataLoader.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVSettingsService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVTaskManagerService.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVD3DShell.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\SetupWizard.exe"=
"f:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVNotifierService.exe"=
"c:\\Documents and Settings\\Darren\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"f:\\Azureus Downloads\\uTorrent.exe"=
"c:\\Documents and Settings\\DADS\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SnapStream Media\\Beyond TV\\BTVPlaybackEngine.exe"=
"c:\\Documents and Settings\\Matthew\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=
"f:\\New Folder\\Matthew's Documents\\PSP\\MediaManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 ConnectDaily;Connect Daily;"c:\program files\MH Software\Connect Daily\jakarta-tomcat-5.0.30-mhs\bin\tomcat5.exe" //RS//ConnectDaily []
S2 solewxte;solewxte Service;c:\windows\system32\solewxte.exe []
.
Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\durjmwhl.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3B69DBDA-4B42-4E44-9638-389F224D1F45} - c:\windows\system32\ddcYppoO.dll
BHO-{D9327AE6-5340-42E0-AA99-2007F4D1CDA3} - c:\windows\system32\geBrSiIY.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://mytelus.com/
IE: &Search - ?p=ZJman000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: *.secure-sam.com
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} -

c:\windows\Downloaded Program Files\plinstll.dll - O16 -: {EAC139A9-D22D-4C29-8D1C-252BE63750F9}
hxxp://www.cooliris.com/shared/plinstll.cab
c:\windows\Downloaded Program Files\plinstll.inf
FF - ProfilePath - c:\documents and settings\DADS\Application Data\Mozilla\Firefox\Profiles\2tnflhvz.default\
FF - component: c:\documents and settings\DADS\Application Data\Mozilla\Firefox\Profiles\2tnflhvz.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 12:24:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
Completion time: 2008-12-28 12:26:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-28 20:26:24

Pre-Run: 3,051,855,872 bytes free
Post-Run: 3,546,968,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

243




Thanks

BC AdBot (Login to Remove)

 

#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
    •  
  • Location:Cleveland, Ohio
  • Local time:11:20 AM

Posted 28 December 2008 - 06:07 PM

ComboFix logs should not to be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
Back to Am I infected? What do I do?


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Am I infected? What do I do?
  4. Privacy Policy
  5. Rules ·