ComboFix 08-11-14.01 - ME! 2008-11-16 16:12:03.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1687 [GMT -5:00]
Running from: c:\documents and settings\ME!\Desktop\ComboFxx.exe
Command switches used :: c:\documents and settings\ME!\Desktop\CFScript.txt
* Created a new restore point
FILE ::
c:\windows\SYSTEM32\__c0024348.dat
c:\windows\SYSTEM32\__c00387E4.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ME!\cftmon.exe
c:\windows\SYSTEM32\__c0024348.dat
c:\windows\SYSTEM32\__c00387E4.dat
.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.
2008-11-15 23:22 . 2008-11-15 23:36 <DIR> d-------- C:\ComboFix
2008-11-15 21:26 . 2008-11-15 21:27 <DIR> d-------- C:\Old_ComboFix
2008-11-09 23:30 . 2008-11-09 23:30 <DIR> d-------- C:\rsit
2008-11-09 23:26 . 2008-11-09 23:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-15 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-09 22:54 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-16 01:00 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
.
((((((((((((((((((((((((((((( snapshot@2008-11-09_22.38.53.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 04:54:51 753,664 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-16 05:45:32 3,567,616 ----a-w c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-11-06 04:54:51 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-11-16 05:45:32 8,192 ----a-w c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-04-27 23:09:09 24,576 ----a-w c:\windows\SYSTEM32\userinit.exe
+ 2004-08-04 07:56:57 24,576 ----a-w c:\windows\SYSTEM32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-24 24652]
R3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2004-06-10 86656]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2005-07-28 15104]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe -service []
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2004-06-10 15872]
.
- - - - ORPHANS REMOVED - - - -
Notify-__c0024348 - c:\windows\system32\__c0024348.dat
Notify-__c00387E4 - c:\windows\system32\__c00387E4.dat
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-16 16:14:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\TCPSVCS.EXE
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-11-16 16:19:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 21:19:47
ComboFix2.txt 2008-11-16 19:35:08
ComboFix3.txt 2008-11-16 04:36:08
ComboFix4.txt 2008-11-10 03:39:36
Pre-Run: 61,660,205,056 bytes free
Post-Run: 61,647,704,064 bytes free
115
********* END**********
GMER has scanned and I have attached.
OpenDNS is not something I think is being used intentionally.
Computer is allowing me access to files & folders, but I have not given it Internet access yet. I thought that you might want me to run a virus scan of some sort; I do have ClamWin... should I run it before I step out for a few hours?
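The log above contains three indicators a responder would want to pick out automatically rather than by eye: Winlogon Notify packages that are not DLLs (the two `__c00…dat` entries ComboFix listed under ORPHANS REMOVED), an executable whose name imitates a Windows binary (`cftmon.exe` in the user profile, versus the legitimate `ctfmon.exe` that lives in system32), and the XP firewall switched off (`"EnableFirewall"= 0` under the standard profile). The Python below is an added example, not part of ComboFix or of this post; it runs those heuristics over lines copied from the log. The list of legitimate system names, the system-directory prefixes and the `__c00` name pattern are illustrative assumptions, not ComboFix's own rules.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the ComboFix log above, plus one
# legitimate system32 binary (wscntfy.exe) as a negative control.
SAMPLE_LOG = r"""
c:\documents and settings\ME!\cftmon.exe
c:\windows\SYSTEM32\__c0024348.dat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
Notify-__c0024348 - c:\windows\system32\__c0024348.dat
Notify-__c00387E4 - c:\windows\system32\__c00387E4.dat
c:\windows\SYSTEM32\wscntfy.exe
"""

# Assumption: a short, illustrative list of Windows binaries that malware
# commonly imitates by name, and the directories they legitimately live in.
SYSTEM_NAMES = ("ctfmon.exe", "svchost.exe", "lsass.exe", "explorer.exe", "userinit.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

NOTIFY_RE = re.compile(r"^Notify-(\S+)\s+-\s+(.+)$")      # ComboFix orphan format
EXE_PATH_RE = re.compile(r"^([a-z]:\\.+\.exe)$", re.IGNORECASE)
RANDOM_NOTIFY_NAME = re.compile(r"__c00[0-9a-f]{5}")      # assumption: __c00xxxxx pattern


@dataclass
class Finding:
    kind: str
    detail: str


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: a swapped letter pair costs one
    edit, so 'cftmon.exe' vs 'ctfmon.exe' scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def analyze(log: str) -> List[Finding]:
    """Scan ComboFix-style log lines and return the suspicious items found."""
    findings: List[Finding] = []
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Registry key headers set the context for the value lines that follow.
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        # Winlogon Notify packages must be DLLs; a .dat (or a random-looking
        # name) loaded at logon is the pattern ComboFix removed above.
        m = NOTIFY_RE.match(line)
        if m:
            name, path = m.group(1), m.group(2).lower()
            if not path.endswith(".dll") or RANDOM_NOTIFY_NAME.fullmatch(name.lower()):
                findings.append(Finding("winlogon-notify", f"{name} -> {path}"))
            continue
        # Windows Firewall policy with EnableFirewall set to 0.
        if (section and "firewallpolicy" in section
                and line.lower().startswith('"enablefirewall"')
                and re.search(r"=\s*0\b", line)):
            findings.append(Finding("firewall-disabled", section))
            continue
        # Executable paths: compare the basename with known system binaries.
        m = EXE_PATH_RE.match(line)
        if m:
            path = m.group(1).lower()
            base = path.rsplit("\\", 1)[-1]
            in_system_dir = any(path.startswith(d) for d in SYSTEM_DIRS)
            for legit in SYSTEM_NAMES:
                dist = osa_distance(base, legit)
                if dist == 0 and not in_system_dir:
                    findings.append(Finding("system-name-outside-system-dir", path))
                elif 0 < dist <= 2:
                    findings.append(Finding("lookalike-name", f"{path} ~ {legit}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
```

On the constructed sample this reports four findings: the two Notify entries, the disabled firewall, and `cftmon.exe` as a lookalike of `ctfmon.exe`; the legitimate `wscntfy.exe` in system32 is not flagged. The edit-distance check is deliberately loose (distance up to 2) because the point is to surface candidates for a human to confirm against the file's signature and location, not to make a verdict on its own.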