12-06-2008, 06:16 PM   #9
pcnooby
Registered User
Join Date: Nov 2008
Posts: 12
OS: XP

Re: Trojan.virtumonde found by Spyware doctor but infection still on pc

That all went according to your post, and here is the log:

ComboFix 08-12-06.04 - Michelle 2008-12-07 12:10:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.647 [GMT 11:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\drmHeader.bin
c:\windows\system32\ahtn.htm
c:\windows\system32\SpywareRemover.exe
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\drmHeader.bin
C:\VundoFix Backups
c:\windows\system32\ahtn.htm
c:\windows\system32\dcyklsoj.dll
c:\windows\system32\khfCvSKc.dll
c:\windows\system32\SpywareRemover.exe
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 09:51 . 2008-12-07 09:51 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 18:31 . 2008-12-03 18:31 250 --a------ c:\windows\gmer.ini
2008-11-30 19:53 . 2008-12-07 09:57 4,785 --a------ c:\windows\system32\warning.gif
2008-11-29 08:54 . 2008-11-30 21:13 <DIR> d-------- c:\documents and settings\Michelle\Application Data\Skype
2008-11-22 18:55 . 2008-11-22 18:55 <DIR> d-------- c:\documents and settings\Michelle\Application Data\DivX
2008-11-22 18:51 . 2008-11-22 18:51 <DIR> d-------- c:\program files\DivX
2008-11-22 18:51 . 2008-09-20 08:57 129,784 --------- c:\windows\system32\pxafs.dll
2008-11-22 18:51 . 2008-09-20 08:57 120,056 --------- c:\windows\system32\pxcpyi64.exe
2008-11-22 18:51 . 2008-09-20 08:57 118,520 --------- c:\windows\system32\pxinsi64.exe
2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Real
2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-22 17:36 . 2008-11-22 17:36 <DIR> d-------- c:\program files\Common Files\Real
2008-11-22 14:44 . 2008-12-03 18:32 <DIR> d-------- c:\program files\Spyware Doctor
2008-11-22 14:44 . 2008-11-22 14:44 <DIR> d-------- c:\documents and settings\Michelle\Application Data\PC Tools
2008-11-22 14:44 . 2008-12-07 09:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-22 14:44 . 2008-11-22 15:03 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-11-22 14:44 . 2008-11-22 15:04 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-11-22 14:44 . 2008-11-22 15:03 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-11-22 14:44 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-22 14:31 . 2008-11-22 14:31 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\program files\Skype
2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\program files\Common Files\Skype
2008-11-22 14:19 . 2008-11-22 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
2008-11-22 14:05 . 2008-11-22 14:37 <DIR> d-------- c:\program files\Norton Security Scan
2008-11-22 14:05 . 2008-11-22 15:08 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-22 14:02 . 2008-11-22 14:02 <DIR> d-------- c:\program files\Picasa2
2008-11-22 14:02 . 2006-10-05 13:42 2,560 --------- c:\windows\system32\drivers\cdralw2k.sys
2008-11-22 14:02 . 2006-10-05 13:42 2,432 --------- c:\windows\system32\drivers\cdr4_xp.sys
2008-11-22 13:59 . 2008-11-22 13:59 <DIR> d-------- c:\windows\system32\runtime
2008-11-22 13:54 . 2008-11-22 14:09 <DIR> d-------- c:\program files\Google
2008-11-22 13:54 . 2008-12-07 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-15 14:50 . 2008-08-14 21:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-11-15 14:50 . 2008-08-14 21:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-11-15 14:50 . 2008-08-14 20:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-11-15 14:50 . 2008-08-14 20:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-11-15 14:16 . 2008-09-08 21:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-11-15 14:13 . 2008-09-15 23:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-11-15 13:58 . 2008-10-24 22:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-15 13:54 . 2008-10-16 03:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-11-15 13:50 . 2008-09-05 04:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-22 06:36 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-22 06:36 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-06 10:09 507,904 ----a-w c:\windows\system32\winlogon.exe
2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-08 20:17 1,159,168 ----a-w c:\windows\system32\op20pt32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_10.13.38.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 09:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-12-06 21:30:29 41,238 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-06 23:42:44 41,238 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-06 21:30:29 315,076 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-06 23:42:44 315,076 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-22 39408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-02-12 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-22 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-22 185872]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Michelle\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-10 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-08-10 20560]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-22 30192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-22 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bc1730c-938f-11dd-ac72-001302610412}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2ab953-66c1-11dd-ac62-d13e7f2a3693}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-11-22 c:\windows\Tasks\Norton Security Scan for Michelle.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SpywareCleaner - c:\windows\system32\SpywareRemover.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\t196yv3b.default\
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 12:13:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-07 12:14:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 01:14:39
ComboFix2.txt 2008-12-06 23:14:06

Pre-Run: 98,281,005,056 bytes free
Post-Run: 98,207,305,728 bytes free

220 --- E O F --- 2008-11-22 04:55:41
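The "Reg Loading Points" block of a ComboFix log (the Run keys, the mountpoints2 AutoRun commands and the "ORPHANS REMOVED" line) is the part a helper reads first when deciding whether anything still loads at logon. As an added example, not ComboFix's own code and not part of pcnooby's post, here is a small Python parser for the line shapes seen in that block, with a few triage rules that are the example's own: it extracts Run values with their date/size, the AutoRun commands cached for removable volumes, and orphaned Run values, then flags AutoRun commands, orphans, images launched from user-writable directories, and values that give only a bare filename (which Windows resolves by search order). The line formats are inferred from the posted log; the sample input is an excerpt of it embedded inline.

```python
import re
from dataclasses import dataclass
from typing import List

# Line shapes as they appear in ComboFix's "Reg Loading Points" section.
# Assumed from the posted log; ComboFix publishes no format specification.
KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<detail>[^\]]+)\]$'
)
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')
ORPHAN_RE = re.compile(r'^(?P<hive>HKLM|HKCU)-Run-(?P<name>\S+) - (?P<path>.+)$')

# Directories an unprivileged user can write to on XP. A Run value pointing
# here deserves a look even when the name looks benign (heuristic, this
# example's own, not a ComboFix rule).
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")


@dataclass
class LoadPoint:
    kind: str          # "run", "autorun" or "orphan"
    key: str           # registry key the entry lives under
    name: str          # value name ("" for AutoRun commands)
    path: str          # image path or command line as printed
    date: str = ""     # file date ComboFix printed in brackets
    detail: str = ""   # file size, or the resolved path for a bare filename


def parse_load_points(log: str) -> List[LoadPoint]:
    """Walk the log line by line, attaching value lines to the last key seen."""
    points: List[LoadPoint] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            points.append(LoadPoint("run", current_key, m["name"], m["path"],
                                    m["date"], m["detail"]))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            points.append(LoadPoint("autorun", current_key, "", m["cmd"]))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            points.append(LoadPoint("orphan", m["hive"] + "\\...\\Run",
                                    m["name"], m["path"]))
    return points


def triage(points: List[LoadPoint]) -> List[str]:
    """Return one finding per entry an analyst should read first."""
    findings: List[str] = []
    for p in points:
        low = p.path.lower()
        if p.kind == "autorun":
            findings.append(f"AutoRun command cached for a removable volume under {p.key}: {p.path}")
        elif p.kind == "orphan":
            findings.append(f"orphaned Run value '{p.name}' pointed at {p.path}")
        elif any(frag in low for frag in USER_WRITABLE):
            findings.append(f"Run value '{p.name}' launches from a user-writable path: {p.path}")
        elif "\\" not in p.path:
            # No directory given: the name is resolved by search order, so a
            # same-named file found earlier in that order would run instead.
            findings.append(f"Run value '{p.name}' is a bare filename, resolved to {p.detail}")
    return findings


# Sample input: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-02-12 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SpywareCleaner - c:\windows\system32\SpywareRemover.exe
"""

if __name__ == "__main__":
    for finding in triage(parse_load_points(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt it reports the cached U3 AutoRun command, the orphaned SpywareCleaner value, and the one Run value that names its image without a directory; the firewall-exception lines are ignored because they carry no `"name"="path" [date ...]` shape. The user-writable rule fires on nothing in this log, which is the expected outcome for a machine where ComboFix has already removed the items it listed under "Other Deletions".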