11-15-2008, 07:52 PM   #10
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

I don't think it overwrote it; that might have been the window I canceled out of?

Anyway, here it is

**Edited due to Log post instead of combofix.txt ....

ComboFix 08-11-07.01 - Administrator 2008-11-09 22:27:45.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1799 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WinXP_EN_HOM_BF.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\Altnet
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\iso.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mbox.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_w95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pst.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sfx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab
c:\program files\MyWay
c:\program files\MyWay\myBar\History\search
c:\program files\MyWay\myBar\Settings\prevcfg.htm
c:\program files\MyWay\myBar\Settings\settings.dat
c:\program files\MyWay\myBar\Settings\settings.htm
c:\program files\winupdates
c:\windows\BM03ea4254.txt
c:\windows\BM03ea4254.xml
c:\windows\cookies.ini
c:\windows\smdat32m.sys
c:\windows\system32\__c00160DE.dat
c:\windows\system32\__c00189E6.dat
c:\windows\system32\__c001E284.dat
c:\windows\system32\__c0048819.dat
c:\windows\system32\__c004C19B.dat
c:\windows\system32\__c007FDDE.dat
c:\windows\system32\__c0083504.dat
c:\windows\system32\__c008AF55.dat
c:\windows\system32\__c00AE885.exe
c:\windows\system32\__c00B8840.dat
c:\windows\system32\__c00C1414.dat
c:\windows\system32\__c00C322B.dat
c:\windows\system32\__c00DC8B6.exe
c:\windows\system32\__c00E797C.dat
c:\windows\system32\__c00EEB10.dat
c:\windows\system32\arcbhpap.ini
c:\windows\system32\bcnagfpm.ini
c:\windows\system32\bszip.dll
c:\windows\system32\datgeppv.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drpbfjdw.ini
c:\windows\system32\fgrohnjr.ini
c:\windows\system32\fmbdgnbw.ini
c:\windows\SYSTEM32\gjllm.ini
c:\windows\SYSTEM32\gjllm.ini2
c:\windows\system32\gtrtgwqp.ini
c:\windows\system32\ixfagyqt.ini
c:\windows\system32\jsobtrin.ini
c:\windows\system32\knmtjpaj.ini
c:\windows\system32\lbsdywmo.ini
c:\windows\system32\lhajxjxs.ini
c:\windows\system32\logxhcco.ini
c:\windows\system32\loudmcji.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mqqmctmd.ini
c:\windows\system32\mwreiscx.ini
c:\windows\system32\namuwfws.ini
c:\windows\system32\owferbls.ini
c:\windows\system32\pdtcigyt.ini
c:\windows\system32\qnphsdci.ini
c:\windows\system32\rvpyhmnc.ini
c:\windows\system32\seusttsd.ini
c:\windows\system32\sgkjsnfr.ini
c:\windows\system32\srkcdpbp.ini
c:\windows\system32\tllxxvmd.ini
c:\windows\system32\typuwend.ini
c:\windows\system32\vbalqrtr.ini
c:\windows\system32\vhjutprc.ini
c:\windows\system32\wmxtkmuh.ini
c:\windows\system32\xpgnrboq.ini
c:\windows\system32\ynkbubfr.ini
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_JQVM465HMYGEBKPP6
-------\Service_Iprip
-------\Service_jqvm465hmygebkpp6


((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-08 16:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-08 16:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-07 22:41 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-07 00:23 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-08 21:57 --------- d-----w c:\program files\LiveAntispy
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2004-06-13 14:45 36 ----a-w c:\documents and settings\LocalService\Application Data\tvmuknwrd.dll
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
2004-08-04 07:56 4,096 --sha-w c:\windows\SYSTEM32\1112.dat
.

------- Sigcheck -------

2002-08-29 06:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-27 18:09 24576 35929cc65abb63982c543369e83feb39 c:\windows\SYSTEM32\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\SYSTEM32\DLLCACHE\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3799CB4-CC4D-4367-AEF0-307D6EF89F7F}]
2008-02-05 12:21 326240 --------- c:\windows\system32\mlljg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77}]
2008-04-25 07:08 98880 --a------ c:\windows\system32\kcbgtcnu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"="command" [X]
"SpybotDeletingD7475"="del" [X]
"SpybotDeletingB7240"="command" [X]
"SpybotDeletingD9395"="del" [X]
"SpybotDeletingB7743"="command" [X]
"SpybotDeletingD4622"="del" [X]
"SpybotDeletingB7347"="command" [X]
"SpybotDeletingD4538"="del" [X]
"SpybotDeletingB497"="command" [X]
"SpybotDeletingD1761"="del" [X]
"SpybotDeletingB3792"="command" [X]
"SpybotDeletingD3745"="del" [X]
"SpybotDeletingB2934"="command" [X]
"SpybotDeletingD3154"="del" [X]
"SpybotDeletingB1312"="command" [X]
"SpybotDeletingD4995"="del" [X]
"SpybotDeletingB5066"="command" [X]
"SpybotDeletingD6844"="del" [X]
"SpybotDeletingB9161"="command" [X]
"SpybotDeletingD1914"="del" [X]
"SpybotDeletingB5601"="command" [X]
"SpybotDeletingD3315"="del" [X]
"SpybotDeletingB8289"="command" [X]
"SpybotDeletingD2483"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"="command" [X]
"SpybotDeletingC3804"="del" [X]
"SpybotDeletingA6806"="command" [X]
"SpybotDeletingC1350"="del" [X]
"SpybotDeletingA6171"="command" [X]
"SpybotDeletingC9339"="del" [X]
"SpybotDeletingA3251"="command" [X]
"SpybotDeletingC5520"="del" [X]
"SpybotDeletingA7408"="command" [X]
"SpybotDeletingC3607"="del" [X]
"SpybotDeletingA4519"="command" [X]
"SpybotDeletingC7788"="del" [X]
"SpybotDeletingA4326"="command" [X]
"SpybotDeletingC7234"="del" [X]
"SpybotDeletingA9965"="command" [X]
"SpybotDeletingC2754"="del" [X]
"SpybotDeletingA3024"="command" [X]
"SpybotDeletingC3495"="del" [X]
"SpybotDeletingA3896"="command" [X]
"SpybotDeletingC1707"="del" [X]
"SpybotDeletingA2619"="command" [X]
"SpybotDeletingC7137"="del" [X]
"SpybotDeletingA8943"="command" [X]
"SpybotDeletingC2491"="del" [X]
"GrpConv"="grpconv -o" [X]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 4891472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00d971c8]
--a------ 2008-04-26 18:07 87104 c:\windows\SYSTEM32\cnmhypvr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM03ea4254]
--a------ 2008-04-26 07:02 106048 c:\windows\SYSTEM32\oxvqlkrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Otx83;Otx83;c:\windows\system32\Drivers\Otx83.sys [2008-04-28 24448]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2004-08-04 15104]
S2 IOPort;IOPort;c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe [ ]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2003-01-27 86656]
S3 TTUQNRGA;TTUQNRGA;c:\docume~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe [ ]
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2002-12-25 15872]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
Notify-__c001076A - c:\windows\System32\__c001076A.dat


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell4me.com/myway
R0 -: HKLM-Main,Search Bar =
O17 -: HKLM\CCS\Interface\{777B9D40-F35A-471A-A863-F6E7B3FC9751}: NameServer = 208.67.220.220,208.67.222.222
O17 -: HKLM\CCS\Interface\{861BEBB0-E147-491F-B363-309EEC201B53}: NameServer = 208.67.220.220,208.67.222.222
O17 -: HKLM\CCS\Interface\{9F1519AE-0148-44FB-9E19-8D4A8112F5C6}: NameServer = 208.67.220.220,208.67.222.222
O18 -: Handler: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - c:\windows\SYSTEM32\ebkp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 22:34:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 22:39:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 03:39:32

Pre-Run: 63,297,175,552 bytes free
Post-Run: 63,231,959,040 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Last edited by bajanknight; 11-15-2008 at 07:58 PM. Reason: Edited due to Log post instead of combofix.txt