12-01-2008, 04:15 PM   #3
10011
OS: xp sp3


Re: IE popups (Virtumonde?) and disabled Windows Update

ComboFix ran fine. Kudos to you, sir. It appears to have removed the two .dlls that were identified as part of the Virtumonde trojan that I couldn't get rid of with SpyBot S&D (gebXQihe.dll and pmnoMGxw.dll). Previously, when SpyBot removed them, they would subsequently be restored by some other hidden file. I'm tempted to run SpyBot to check for them again, but I'll wait for your advice.

ComboFix also removed c6501.cpl which was a file for my C-Media C6501 sound card. Not exactly sure what that file did (loads C-Media settings at startup?), but I don't know why ComboFix would remove it.

The only other oddity is that running ComboFix also has apparently added an Internet Explorer executable to my desktop. Not a shortcut, but an executable.

Anyways, thanks for picking up my case, sUBs. Looking forward to your advice.

ComboFix log below:

ComboFix 08-12-01.01 - 10011 2008-12-01 14:22:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1380 [GMT -8:00]
Running from: c:\documents and settings\10011\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\10011\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\drivers\npf.sys
c:\windows\system32\eralhq.dll
c:\windows\system32\gebXQihe.dll
c:\windows\system32\gihloesa.dll
c:\windows\system32\jkKawTjJ.dll
c:\windows\system32\packet.dll
c:\windows\system32\pmnoMGxw.dll
c:\windows\system32\syerjrpt.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wpv131227968766.cpx
c:\windows\system32\wpv431228088626.cpx
c:\windows\system32\wpv651228079860.cpx
c:\windows\system32\wxGMonmp.ini
c:\windows\system32\wxGMonmp.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-11-01 to 2008-12-01 )))))))))))))))))))))))))))))))
.

2008-12-01 11:43 . 2008-12-01 11:52 250 --a------ c:\windows\gmer.ini
2008-12-01 10:14 . 2008-12-01 10:14 173 --a------ c:\windows\wininit.ini
2008-12-01 03:57 . 2008-12-01 03:57 <DIR> d-------- c:\program files\Lavasoft
2008-12-01 03:57 . 2008-12-01 04:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-01 03:55 . 2008-12-01 03:55 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-01 03:52 . 2008-12-01 10:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-01 03:52 . 2008-12-01 10:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 18:59 . 2008-11-30 18:59 <DIR> d-------- c:\documents and settings\10011\Application Data\GetModule
2008-11-22 13:03 . 2008-11-22 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-11-22 13:02 . 2008-11-22 13:02 0 --a------ c:\windows\ativpsrm.bin
2008-11-22 12:59 . 2008-12-01 03:45 <DIR> d-------- c:\program files\ATI
2008-11-22 12:46 . 2008-11-22 12:46 <DIR> d-------- C:\ATI
2008-11-22 11:34 . 2008-11-22 11:35 <DIR> d-------- c:\program files\7-Zip
2008-11-22 11:31 . 2008-11-24 17:25 <DIR> d-------- c:\program files\Steam
2008-11-20 12:44 . 2008-11-20 12:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-17 14:22 . 2008-11-17 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-11 12:26 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 12:25 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-01 17:09 . 2008-11-01 17:09 <DIR> d-------- c:\documents and settings\10011\Application Data\Red Alert 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 19:20 --------- d-----w c:\documents and settings\10011\Application Data\U3
2008-12-01 18:19 --------- d-----w c:\program files\Xfire
2008-12-01 12:40 --------- d-----w c:\documents and settings\10011\Application Data\Azureus
2008-12-01 11:20 --------- d-----w c:\documents and settings\10011\Application Data\Xfire
2008-11-25 23:16 --------- d-----w c:\documents and settings\10011\Application Data\gtk-2.0
2008-11-23 18:14 --------- d-----w c:\program files\Folding@Home
2008-11-22 21:03 --------- d-----w c:\documents and settings\10011\Application Data\ATI
2008-11-22 20:58 --------- d-----w c:\program files\ATI Technologies
2008-11-22 20:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-21 19:42 --------- d-----w c:\program files\Azureus
2008-11-20 04:10 --------- d-----w c:\program files\Trend Micro
2008-11-17 22:23 --------- d-----w c:\program files\AIM6
2008-11-17 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-17 22:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-16 23:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-01 01:20 --------- d-----w c:\program files\Bethesda Softworks
2008-10-31 06:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-29 03:10 3,341,824 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-10-29 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-10-28 17:54 --------- d-----w c:\program files\Java
2008-10-25 18:34 --------- d-----w c:\program files\Electronic Arts
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 23:15 --------- d-----w c:\program files\Starcraft
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\Sites
2008-10-16 20:56 --------- d-----w c:\documents and settings\10011\Application Data\SiteClasses
2008-10-11 16:57 --------- d-----w c:\program files\SanrioTown
2008-10-04 18:44 --------- d-----w c:\documents and settings\10011\Application Data\SPORE
2008-10-03 00:40 --------- d-----w c:\documents and settings\10011\Application Data\Bioshock
2008-05-02 17:28 22,328 ----a-w c:\documents and settings\10011\Application Data\PnkBstrK.sys
2004-03-16 01:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 18:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 17:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"AsusStartupHelp"="c:\program files\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-13 363008]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 2007\pccguide.exe" [2006-12-28 3429904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-28 136600]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]

c:\documents and settings\10011\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Folding@Home 5.03.lnk - c:\program files\Folding@Home\winFAH.exe [2007-09-15 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eralhq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ac3filter"= ac3filter.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Visicom Media\\AceFTP 3 Freeware\\Aceftp3free.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R2 cvintdrv;cvintdrv;c:\windows\system32\drivers\cvintdrv.sys [2007-02-21 4096]
R2 MSSQL$AUTODESKVAULT;SQL Server (AUTODESKVAULT);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sAUTODESKVAULT [2008-02-26 29183504]
R2 mxssvr;NI Configuration Manager;"c:\program files\National Instruments\MAX\nimxs.exe" [2007-02-22 12696]
R2 NITaggerService;National Instruments Variable Engine;"c:\program files\National Instruments\Shared\Tagger\tagsrv.exe" [2007-02-06 703264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-28 24652]
R3 cm102u32;C-Media CM6501 Like Sound Interface;c:\windows\system32\drivers\c6501.sys [2007-09-15 1419968]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b89869d2-71fa-11dc-8177-0018f30d24bf}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A63E645F-13BD-45ED-B15F-6E8C1BD57279} - (no file)
BHO-{C70B421F-A5D8-4D0E-A525-49A0C9C0FAB3} - c:\windows\system32\pmnoMGxw.dll
HKLM-Run-C6501Sound - c6501.cpl
Notify-gebXQihe - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\10011\Application Data\Mozilla\Firefox\Profiles\9lg9mm8v.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\thriXXX\WebLaunch\Binaries\npWebLaunch.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 14:29:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-01 14:39:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-01 22:39:01

Pre-Run: 8,522,563,584 bytes free
Post-Run: 8,480,497,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

233 --- E O F --- 2008-11-11 22:24:43

Last edited by sUBs; 12-01-2008 at 04:26 PM.