11-16-2008, 12:53 PM   #43
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2


Re: Programs Restricted/no desktop/Virtumonde

I assumed to try Normal-Steph

Preparing log report
“Do not run any programs until combofix has finished”
RUNDLL
Error loading C:\Windows\System32 something dll

We have Normal-Steph wallpaper, Desktop icons, lower Start/Taskbar, system tray!!!
"Your computer might be at risk" warning from an application in the system tray that might be McAfee.
Combofix is still running so we won't try to stop anything.

Log below:

ComboFix 08-11-14.01 - Administrator 2008-11-16 13:38:06.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1803 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFxx.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SYSTEM32\DLLCACHE\userinit.exe --> c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OTX83
-------\Legacy_TTUQNRGA
-------\Service_Otx83
-------\Service_TTUQNRGA


((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-16 14:29 . 1980-08-16 19:00 35,840 --a------ c:\windows\SYSTEM32\__c00387E4.dat
2008-11-16 14:29 . 1980-08-16 19:00 22,291 --a------ c:\windows\SYSTEM32\__c0024348.dat
2008-11-15 23:22 . 2008-11-15 23:36 <DIR> d-------- C:\ComboFix
2008-11-15 21:26 . 2008-11-15 21:27 <DIR> d-------- C:\Old_ComboFix
2008-11-09 23:30 . 2008-11-09 23:30 <DIR> d-------- C:\rsit
2008-11-09 23:26 . 2008-11-09 23:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-09 22:54 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-16 01:00 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2008-04-26 12:55 8,704 ----a-w c:\documents and settings\ME!\cftmon.exe
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-09_22.38.53.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 04:54:51 753,664 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-16 05:45:32 3,567,616 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-11-06 04:54:51 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-11-16 05:45:32 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 1980-08-17 00:00:00 22,291 ----a-w c:\windows\SYSTEM32\__c0024348.dat
+ 1980-08-17 00:00:00 35,840 ----a-w c:\windows\SYSTEM32\__c00387E4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0024348]
1980-08-16 19:00 22291 c:\windows\SYSTEM32\__c0024348.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00387E4]
1980-08-16 19:00 35840 c:\windows\SYSTEM32\__c00387E4.dat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-24 24652]
R3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2004-06-10 86656]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2005-07-28 15104]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe -service []
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2004-06-10 15872]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
HKCU-Run-A00FF81BBF.exe - c:\docume~1\ME!\LOCALS~1\Temp\_A00FF81BBF.exe
HKCU-Run-A00F1DABB4.exe - c:\docume~1\ME!\LOCALS~1\Temp\_A00F1DABB4.exe
HKCU-Run-LiveAntispy - c:\program files\LiveAntispy\LiveAntispy.exe
HKCU-Run-BM03ea4254 - c:\windows\system32\oxvqlkrv.dll
HKCU-Run-tdsfjoys - c:\windows\system32\yhmtenkz.exe
HKCU-Run-Sonic RecordNow! - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 14:30:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-11-16 14:35:07 - machine was rebooted [ME!]
ComboFix-quarantined-files.txt 2008-11-16 19:35:04
ComboFix2.txt 2008-11-16 04:36:08
ComboFix3.txt 2008-11-10 03:39:36

Pre-Run: 63,218,106,368 bytes free
Post-Run: 61,652,594,688 bytes free

128
************* end ***********

I will wait for further instructions at this point.
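The log posted above shows the persistence pattern consistent with the Virtumonde infection named in the thread title: Winlogon Notify packages backed by randomly named .dat files carrying a forged 1980 timestamp, orphaned HKCU Run values pointing into %Temp% and at a bare DLL, and the Windows Firewall set to EnableFirewall=0. As an added example, not part of the original post and not ComboFix's own logic, the Python script below parses those sections of a ComboFix-format log and flags each indicator. The rule names, the 1990 plausibility threshold and the sample input (assembled from the log lines above) are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: excerpts in the ComboFix log format from the post above,
# embedded so the script runs offline. It is not a complete log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0024348]
1980-08-16 19:00 22291 c:\windows\SYSTEM32\__c0024348.dat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-A00FF81BBF.exe - c:\docume~1\ME!\LOCALS~1\Temp\_A00FF81BBF.exe
HKCU-Run-BM03ea4254 - c:\windows\system32\oxvqlkrv.dll
HKCU-Run-Sonic RecordNow! - (no file)
"""

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
# ComboFix prints "YYYY-MM-DD HH:MM size path" under each registry loading point.
FILE_LINE = re.compile(r"^(?P<year>\d{4})-\d{2}-\d{2} \d{2}:\d{2} \d+ (?P<path>.+)$")
# Orphan lines look like "HKCU-Run-<value name> - <path or (no file)>".
ORPHAN_RUN = re.compile(r"^HKCU-Run-(?P<name>.+?) - (?P<path>.+)$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')

# Heuristic threshold chosen for this example: no XP-era binary predates 1990,
# so an older timestamp on an autostart file is a forged or reset time.
OLDEST_PLAUSIBLE_YEAR = 1990


@dataclass(frozen=True)
class Finding:
    rule: str
    location: str
    detail: str


def analyse(log_text: str) -> list[Finding]:
    """Walk a ComboFix-style log and return suspicious loading points."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        key_lc = current_key.lower()

        # 1. Winlogon\Notify packages are DLLs loaded into winlogon.exe at logon;
        #    a non-DLL file or an impossible timestamp there is a strong indicator.
        if "\\winlogon\\notify\\" in key_lc:
            f = FILE_LINE.match(line)
            if f:
                reasons = []
                if not f.group("path").lower().endswith(".dll"):
                    reasons.append("notify package is not a .dll")
                if int(f.group("year")) < OLDEST_PLAUSIBLE_YEAR:
                    reasons.append(f"implausible timestamp year {f.group('year')}")
                if reasons:
                    findings.append(Finding("winlogon-notify", current_key, "; ".join(reasons)))
            continue

        # 2. Windows Firewall disabled in the profile ComboFix reports on.
        if "firewallpolicy" in key_lc and FIREWALL_OFF.match(line):
            findings.append(Finding("firewall-disabled", current_key, line))
            continue

        # 3. Orphaned HKCU Run values: executables in %Temp% and values that
        #    resolve to a bare DLL (something must load it via rundll32 or similar).
        o = ORPHAN_RUN.match(line)
        if o:
            path = o.group("path")
            where = "HKCU\\...\\Run\\" + o.group("name")
            if path == "(no file)":
                continue  # stale entry, nothing left on disk to examine
            if "\\temp\\" in path.lower():
                findings.append(Finding("run-from-temp", where, path))
            elif path.lower().endswith(".dll"):
                findings.append(Finding("run-loads-dll", where, path))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.location}: {finding.detail}")
```

Run against a full log, the same rules would also skip the legitimate entries shown above (the Linksys agent under HKCU Run, the msconfig startupreg items), since none of them sit under Winlogon\Notify, run from %Temp% or point at a DLL; the triage value is in separating those from the handful of lines that actually matter.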