Old 01-23-2008, 10:16 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: XP Service Pack 2


Virtumonde, Please Help!!!!

I desperately need help. I cannot remove Virtumonde, and it keeps reloading.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:46 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask .exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr .exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O3 - Toolbar: (no name) - {E6064609-3386-4954-AFC1-AD569B53BC20} - (no file)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxdm117YYUS
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02b.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rra...X/RraainAX.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

--
End of file - 12078 bytes
Vegasmma is offline  
Old 01-26-2008, 03:33 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Nov 2005
Location: UK
Posts: 1,966
OS: xp


Re: Virtumonde, Please Help!!!!

Hi Vegasmma and welcome to TSF

Sorry for the delay in getting to you; the forum has been really busy.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you're not sure how to disable them, double-check against the list found >>>HERE<<<. This list is not all-inclusive; if your programs are not listed and you are unsure, please ask before continuing.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
__________________

Proud member of ASAP since 2007

Proud member of UNITE since 2008

Our help is completely free but please consider donating to the site to help keep it running
MoralTerror is offline  
Old 01-26-2008, 11:46 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: XP Service Pack 2


Re: Virtumonde, Please Help!!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:32 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\WgaTray.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {E6064609-3386-4954-AFC1-AD569B53BC20} - (no file)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda.com/rraaapps/rra...X/RraainAX.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/...or/Outside.cab
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

--
End of file - 10827 bytes
Vegasmma is offline  
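A triage script for the entry types the two logs above contain (a replaced UserInit, a win.ini load= autostart, an orphaned URLSearchHook, a service whose image path is not an executable), added here as an illustration; it is not HijackThis, ComboFix or anything from this forum. The sample lines are constructed from the posted logs, and the severity labels are my own heuristics.

```python
"""Triage helper for HijackThis v2 log lines (illustrative, not part of HijackThis).

It flags the entry types seen in the logs above: a replaced UserInit (F2),
a win.ini load= autostart (F3), an orphaned URLSearchHook (R3) and a service
whose image path is not an executable (O23). These are heuristics; every hit
still needs the file on disk checked by a person.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the two logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

Finding = Tuple[str, str, str]  # (severity, log line, reason)

# name / owner / path are split on " - "; a service name that itself contains
# " - " would confuse this, which is acceptable for a triage pass.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_EXT = re.compile(r"\.(exe|sys|dll)$", re.IGNORECASE)
MISSING = "(file missing)"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip().lower()


def triage_line(line: str, in_process_list: bool = False) -> Optional[Finding]:
    """Classify one log line; None means nothing worth a second look."""
    line = line.rstrip()
    if not line:
        return None
    if in_process_list:
        # HijackThis 2.0.2 sometimes prints a process a second time with a
        # space before ".exe". A lookalike file name would print the same
        # way, so surface it for a manual check rather than as proof.
        if " .exe" in line.lower():
            return ("low", line, "space before .exe in process name; confirm the on-disk name")
        return None
    if line.startswith("F2 - REG:system.ini: UserInit="):
        # Windows runs whatever is listed here at logon; the stock value is
        # "C:\WINDOWS\system32\userinit.exe," (trailing comma included).
        first = line.split("UserInit=", 1)[1].split(",")[0]
        if _basename(first) != "userinit.exe":
            return ("high", line, "UserInit replaced; Windows expects userinit.exe")
        return None
    if line.startswith("F3 - REG:win.ini: load="):
        # Legacy 16-bit-era autostart; a non-empty value on XP is rarely legitimate.
        if line.split("load=", 1)[1].strip():
            return ("high", line, "win.ini load= autostart is set")
        return None
    if line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
        return ("medium", line, "URLSearchHook CLSID with no backing file")
    m = O23_RE.match(line)
    if m:
        path = m.group("path").strip()
        missing = path.endswith(MISSING)
        image = path[: -len(MISSING)].strip() if missing else path
        if not EXE_EXT.search(image):
            return ("high", line, "service image path is not an executable")
        if missing:
            return ("medium", line, "service points at a file that is no longer on disk")
    return None


def triage_log(text: str) -> List[Finding]:
    """Walk a whole log, tracking the 'Running processes:' section."""
    findings: List[Finding] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not line:
            in_procs = False  # blank line ends the process list
            continue
        hit = triage_line(line, in_procs)
        if hit:
            findings.append(hit)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for severity, line, reason in results:
        print(f"[{severity:>6}] {reason}\n         {line}")
    print(summarize(results))
```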
Old 01-26-2008, 11:57 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Nov 2005
Location: UK
Posts: 1,966
OS: xp


Re: Virtumonde, Please Help!!!!

Hi Vegasmma

Could you please post C:\ComboFix.txt
MoralTerror is offline  
Old 01-27-2008, 10:00 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: XP Service Pack 2


Re: Virtumonde, Please Help!!!!

Sorry for the delay... It has taken quite some time to load a page on this website.

ComboFix 08-01-23.1C - Owner 2008-01-27 9:14:36.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-26 10:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 13:16 . 2008-01-25 13:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-25 13:16 . 2008-01-25 13:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 20:38 . 2008-01-21 20:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-20 09:05 . 2008-01-20 09:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-19 20:23 . 2008-01-20 20:32 <DIR> d-------- C:\Program Files\RegistryFix
2008-01-18 21:35 . 2008-01-18 21:41 <DIR> d-------- C:\Program Files\Nimbuzz
2008-01-16 22:12 . 2008-01-20 10:44 <DIR> d-------- C:\VundoFix Backups
2008-01-07 16:52 . 2008-01-07 16:52 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 23:21 . 2008-01-06 01:32 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-02 23:21 . 2008-01-06 01:32 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-02 21:55 . 2008-01-02 21:55 497,376 --a------ C:\WINDOWS\p_981116.exe
2008-01-02 21:55 . 2008-01-02 21:55 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-02 21:55 . 2008-01-02 21:55 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-02 20:00 . 2008-01-02 20:00 0 --a------ C:\Install
2008-01-02 19:55 . 2008-01-02 19:55 <DIR> d-------- C:\Program Files\Neoretix
2008-01-02 19:44 . 2008-01-02 19:52 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-01-02 18:08 . 2008-01-26 12:44 <DIR> d-------- C:\Program Files\QuickTime
2008-01-01 13:47 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-01 13:47 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-01 13:47 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-01 13:47 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 05:41 --------- d-----w C:\Program Files\Common Files\Mediafour
2008-01-26 20:44 --------- d-----w C:\Program Files\iTunes
2008-01-26 11:23 --------- d-----w C:\Program Files\Common Files\Command Software
2008-01-21 04:12 --------- d-----w C:\Program Files\Java
2008-01-20 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 00:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-03 07:11 --------- d-----w C:\Program Files\Kazaa
2008-01-03 02:05 --------- d-----w C:\Program Files\Apple Software Update
2007-12-18 02:55 --------- d-----w C:\Program Files\Hanes T-ShirtMaker Lite
2007-12-18 02:55 --------- d-----w C:\Program Files\Application
2007-12-06 19:57 --------- d-----w C:\Program Files\Virtual Earth 3D
2007-12-06 19:36 --------- d-----w C:\Program Files\Google
2007-11-29 18:05 --------- d-----w C:\Program Files\Mediafour
2007-11-27 19:54 --------- d-----w C:\Program Files\Canon
2007-11-27 19:53 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2007-11-27 19:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-27 19:52 --------- d-----w C:\Program Files\ScanSoft
2007-11-27 19:51 --------- d-----w C:\Program Files\ArcSoft
2007-11-27 19:48 --------- d--h--w C:\Program Files\CanonBJ
2007-08-30 05:46 22 ----a-w C:\Program Files\3wPlayer.zip
2006-12-28 17:09 25,755,448 ----a-w C:\Program Files\wmp11-windowsxp-x86-enu.exe
2001-08-30 09:20 991 ----a-r C:\Program Files\14AF136D45A676B5D98749C2E4458213
2001-08-30 09:20 990 ----a-r C:\Program Files\B59FC2EED30704599DCED8A8972A8869
2001-08-30 09:20 989 ----a-r C:\Program Files\957E70B155C8352A9CB447A6709D2871
2001-08-30 09:20 989 ----a-r C:\Program Files\6268B2DE42EBC53668D8B7444C3FF5EA
2001-08-30 09:20 987 ----a-r C:\Program Files\ABEDB0D115AFE55768D8B7444C3FF5EA
2001-08-30 09:20 983 ----a-r C:\Program Files\2DFA15AC29FF84BC68D8B7444C3FF5EA
2001-08-30 09:20 973 ----a-r C:\Program Files\A8C84B24B45D79D0D98749C2E4458213
2001-08-30 09:20 973 ----a-r C:\Program Files\77F9277AE49C042FD98749C2E4458213
2001-08-30 09:20 970 ----a-r C:\Program Files\9BEA1CBCB3BCDB649CB447A6709D2871
2001-08-30 09:20 968 ----a-r C:\Program Files\EC480444BE051BF19CB447A6709D2871
2001-08-30 09:20 959 ----a-r C:\Program Files\A7C65690A21A9FF132691ED4234B0F9768D8B7444C3FF5EA
2001-08-30 09:20 959 ----a-r C:\Program Files\9258E108122751779DCED8A8972A8869
2001-08-30 09:20 959 ----a-r C:\Program Files\27B0B93042C513549CB447A6709D2871
2001-08-30 09:20 957 ----a-r C:\Program Files\F86485A2DC115BD29CB447A6709D2871
2001-08-30 09:20 957 ----a-r C:\Program Files\C4CCFB6F2594165557ACCA3954F05310
2001-08-30 09:20 954 ----a-r C:\Program Files\10BD8158E3A9BC3AD98749C2E4458213
2001-08-30 09:20 953 ----a-r C:\Program Files\3DC6B199407998E12FD2DBB586F912F1
2001-08-30 09:20 952 ----a-r C:\Program Files\7677F8D6015386A0
2001-08-30 09:20 943 ----a-r C:\Program Files\629F4421B3F068377EED2F70507FAF8A
2001-08-30 09:20 941 ----a-r C:\Program Files\3D03CB27A00A90329DCED8A8972A8869
2001-08-30 09:20 941 ----a-r C:\Program Files\3AC0FF22E2A805C22FD2DBB586F912F1
2001-08-30 09:20 939 ----a-r C:\Program Files\938F1546D631FEBC68D8B7444C3FF5EA
2001-08-30 09:20 937 ----a-r C:\Program Files\36485C55F3544281FD947A0B9DA1E5E3
2001-08-30 09:20 937 ----a-r C:\Program Files\07F405A790D097592FD2DBB586F912F1
2001-08-30 09:20 929 ----a-r C:\Program Files\CAAC6EB96E76B6E4D98749C2E4458213
2001-08-30 09:20 925 ----a-r C:\Program Files\797A672DEA9E59D1
2001-08-30 09:20 913 ----a-r C:\Program Files\5B499C0E6AD01072D98749C2E4458213
2001-08-30 09:20 911 ----a-r C:\Program Files\19BF8638CAE0089B9DCED8A8972A8869
2001-08-30 09:20 906 ----a-r C:\Program Files\E5106503A81B5139D98749C2E4458213
2001-08-30 09:20 9,630 ----a-r C:\Program Files\36485C55F354428168D8B7444C3FF5EA
2001-08-30 09:20 897 ----a-r C:\Program Files\6758836328296BBE
2001-08-30 09:20 895 ----a-r C:\Program Files\D7769BD9600CC0E368D8B7444C3FF5EA
2001-08-30 09:20 890 ----a-r C:\Program Files\E6BE113A2C77D79F68D8B7444C3FF5EA
2001-08-30 09:20 890 ----a-r C:\Program Files\3497ABE46F99CBB59CB447A6709D2871
2001-08-30 09:20 888 ----a-r C:\Program Files\947DE603F86843929CB447A6709D2871
2001-08-30 09:20 887 ----a-r C:\Program Files\0E0C7AAF9C349FC1
2001-08-30 09:20 884 ----a-r C:\Program Files\1D92321BCE9415B19CB447A6709D2871
2001-08-30 09:20 881 ----a-r C:\Program Files\2E5D1D3ABABBAA5E9CB447A6709D2871
2001-08-30 09:20 881 ----a-r C:\Program Files\21818B424916A28F68D8B7444C3FF5EA
2001-08-30 09:20 879 ----a-r C:\Program Files\A7C65690A21A9FF1F76307E864B37F25
2001-08-30 09:20 877 ----a-r C:\Program Files\8BBB5273585E99D24F1E31390980824F
2001-08-30 09:20 875 ----a-r C:\Program Files\49DBD4D7E8BAFC31D98749C2E4458213
2001-08-30 09:20 874 ----a-r C:\Program Files\CAB346CB522E77579CB447A6709D2871
2001-08-30 09:20 871 ----a-r C:\Program Files\261C4DB1AFDCB7972FD2DBB586F912F1
2001-08-30 09:20 865 ----a-r C:\Program Files\FFCF5FCD6FB8BA87D98749C2E4458213
2001-08-30 09:20 865 ----a-r C:\Program Files\C20BC971E41A64BFD98749C2E4458213
2001-08-30 09:20 865 ----a-r C:\Program Files\856F25B37B57FDB69CB447A6709D2871
2001-08-30 09:20 865 ----a-r C:\Program Files\3033EC1C1C52EF91D63FF4810F54AB57
2001-08-30 09:20 863 ----a-r C:\Program Files\E1A9B3CA2B06E1B8D98749C2E4458213
2001-08-30 09:20 863 ----a-r C:\Program Files\C42F47A27812F2FD
2001-08-30 09:20 859 ----a-r C:\Program Files\64B811DCE59E5B14D98749C2E4458213
2001-08-30 09:20 849 ----a-r C:\Program Files\E4DDE91603A66FD94F1E31390980824F
2001-08-30 09:20 849 ----a-r C:\Program Files\A8124A98DE88B67BD98749C2E4458213
2001-08-30 09:20 849 ----a-r C:\Program Files\A365BD726523CAA2F67191B868AB247A
2001-08-30 09:20 849 ----a-r C:\Program Files\83C254292EF258E9D98749C2E4458213
2001-08-30 09:20 849 ----a-r C:\Program Files\18505C7B14230E9FFC6476F73DFD099D68D8B7444C3FF5EA
2001-08-30 09:20 844 ----a-r C:\Program Files\A1368EC7746C8003
2001-08-30 09:20 833 ----a-r C:\Program Files\FBAA2CC490B69FAA
2001-08-30 09:20 833 ----a-r C:\Program Files\E42D7FBE355FC1FD9CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\8EDE47393915C1509CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\8873D513005CE3289DCED8A8972A8869
2001-08-30 09:20 833 ----a-r C:\Program Files\6DB34399DD8A93719CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\6ABDD4E3680EA6959CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\2C4D0B89F3FAE77B9CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\087F22B452F84774D98749C2E4458213
2001-08-30 09:20 831 ----a-r C:\Program Files\FDEC777047A284EC9CB447A6709D2871
2001-08-30 09:20 831 ----a-r C:\Program Files\E7B3F53D4011F1D89CB447A6709D2871
2001-08-30 09:20 831 ----a-r C:\Program Files\4858A5171C529BF3D98749C2E4458213
2001-08-30 09:20 817 ----a-r C:\Program Files\D1A7DE369B338517BD438AAE4386CE99
2001-08-30 09:20 815 ----a-r C:\Program Files\51F0B8CF1DAE6059D98749C2E4458213
2001-08-30 09:20 814 ----a-r C:\Program Files\6CDBA3180A186E2BE9C1F8FB99B8A88F
2001-08-30 09:20 811 ----a-r C:\Program Files\3B1227EECC7B782E9CB447A6709D2871
2001-08-30 09:20 810 ----a-r C:\Program Files\88DFE0B1FB0ABEABD98749C2E4458213
2001-08-30 09:20 810 ----a-r C:\Program Files\38A7421063A91248BCEE04EDB38C491704D64AFBDE6580362FD2DBB586F912F1
2001-08-30 09:20 808 ----a-r C:\Program Files\69CE51850BC03E5768D8B7444C3FF5EA
2001-08-30 09:20 801 ----a-r C:\Program Files\B1227395A9F3027C68D8B7444C3FF5EA
2001-08-30 09:20 801 ----a-r C:\Program Files\A7D22A152A9BEFF42FD2DBB586F912F1
2001-08-30 09:20 801 ----a-r C:\Program Files\352DECE97604BAE99F7BC7ED334C30E8
2001-08-30 09:20 801 ----a-r C:\Program Files\07669A27490019999CB447A6709D2871
2004-03-25 03:03 220 --sha-w C:\WINDOWS\dwin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-26_12.54.43.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-26 18:29:00 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 17:14:28 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-26 18:29:00 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 17:14:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-26 18:29:00 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-27 17:14:29 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-27 17:14:29 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 17:14:29 6,561,792 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-26 18:29:01 196,608 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 17:14:29 196,608 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 17:20:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_428.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-01-23 08:27 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-06 01:32 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [ ]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [ ]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
HOTLLAMA Update Check.lnk - C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe [2004-12-31 11:45:49 162834]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"= 0 (0x0)
"disabletaskmgr"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R2 GRTdiMon;GR TDI Mon;C:\WINDOWS\system32\Drivers\GRTdiMon.sys [2004-11-10 07:50]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 03:27:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 13:46:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 09:20:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 9:24:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 17:24:40
ComboFix2.txt 2008-01-27 05:48:30
ComboFix3.txt 2008-01-26 20:55:33
.
2008-01-09 11:05:12 --- E O F ---
Vegasmma is offline  
Old 01-27-2008, 10:18 AM   #6 (permalink)
Analyst, Security Team
MoralTerror
Join Date: Nov 2005
Location: UK
Posts: 1,966
OS: xp

Re: Virtumonde, Please Help!!!!

Hi Vegasmma

It would appear you ran ComboFix a total of 3 times. We will need to see the previous logs. Please click Start > Run and type

C:\qoobox\ComboFix2.txt

Press Enter to open C:\qoobox\ComboFix2.txt, then do the same for C:\qoobox\ComboFix3.txt.

Post the contents of ComboFix2.txt and ComboFix3.txt in your next reply.
__________________

Proud member of ASAP since 2007

Proud member of UNITE since 2008

Our help is completely free but please consider donating to the site to help keep it running
MoralTerror is offline  
Old 01-27-2008, 10:27 AM   #7 (permalink)
Analyst, Security Team
MoralTerror
Join Date: Nov 2005
Location: UK
Posts: 1,966
OS: xp

Re: Virtumonde, Please Help!!!!

After you post the above logs, please go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
MoralTerror is offline  
Old 01-27-2008, 11:34 AM   #8 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: XP Service Pack 2


Re: Virtumonde, Please Help!!!!

I attached all 3 logs. The first log has way too many pages to post. I attached all logs instead of posting them because it takes way too long for a page on this website to load.
Attached Files
File Type: txt combofixlog.txt (615.4 KB, 1 views)
File Type: txt Combofixlog2.txt (14.3 KB, 1 views)
File Type: txt Combofixlog3.txt (14.3 KB, 2 views)
Vegasmma is offline  
Old 01-27-2008, 01:41 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 6
OS: XP Service Pack 2


Re: Virtumonde, Please Help!!!!

CF-RC.txt

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

I also have a red "X" in place of my "C:" drive icon in "My Computer"?

Also, should I delete all these files, since I bought my computer in 2003 and these files are from 2001:

2001-08-30 09:20 991 ----a-r C:\Program Files\14AF136D45A676B5D98749C2E4458213
2001-08-30 09:20 990 ----a-r C:\Program Files\B59FC2EED30704599DCED8A8972A8869
2001-08-30 09:20 989 ----a-r C:\Program Files\957E70B155C8352A9CB447A6709D2871
2001-08-30 09:20 989 ----a-r C:\Program Files\6268B2DE42EBC53668D8B7444C3FF5EA
2001-08-30 09:20 987 ----a-r C:\Program Files\ABEDB0D115AFE55768D8B7444C3FF5EA
2001-08-30 09:20 983 ----a-r C:\Program Files\2DFA15AC29FF84BC68D8B7444C3FF5EA
2001-08-30 09:20 973 ----a-r C:\Program Files\A8C84B24B45D79D0D98749C2E4458213
2001-08-30 09:20 973 ----a-r C:\Program Files\77F9277AE49C042FD98749C2E4458213
2001-08-30 09:20 970 ----a-r C:\Program Files\9BEA1CBCB3BCDB649CB447A6709D2871
2001-08-30 09:20 968 ----a-r C:\Program Files\EC480444BE051BF19CB447A6709D2871
2001-08-30 09:20 959 ----a-r C:\Program Files\A7C65690A21A9FF132691ED4234B0F9768D8B7444C3FF5EA
2001-08-30 09:20 959 ----a-r C:\Program Files\9258E108122751779DCED8A8972A8869
2001-08-30 09:20 959 ----a-r C:\Program Files\27B0B93042C513549CB447A6709D2871
2001-08-30 09:20 957 ----a-r C:\Program Files\F86485A2DC115BD29CB447A6709D2871
2001-08-30 09:20 957 ----a-r C:\Program Files\C4CCFB6F2594165557ACCA3954F05310
2001-08-30 09:20 954 ----a-r C:\Program Files\10BD8158E3A9BC3AD98749C2E4458213
2001-08-30 09:20 953 ----a-r C:\Program Files\3DC6B199407998E12FD2DBB586F912F1
2001-08-30 09:20 952 ----a-r C:\Program Files\7677F8D6015386A0
2001-08-30 09:20 943 ----a-r C:\Program Files\629F4421B3F068377EED2F70507FAF8A
2001-08-30 09:20 941 ----a-r C:\Program Files\3D03CB27A00A90329DCED8A8972A8869
2001-08-30 09:20 941 ----a-r C:\Program Files\3AC0FF22E2A805C22FD2DBB586F912F1
2001-08-30 09:20 939 ----a-r C:\Program Files\938F1546D631FEBC68D8B7444C3FF5EA
2001-08-30 09:20 937 ----a-r C:\Program Files\36485C55F3544281FD947A0B9DA1E5E3
2001-08-30 09:20 937 ----a-r C:\Program Files\07F405A790D097592FD2DBB586F912F1
2001-08-30 09:20 929 ----a-r C:\Program Files\CAAC6EB96E76B6E4D98749C2E4458213
2001-08-30 09:20 925 ----a-r C:\Program Files\797A672DEA9E59D1
2001-08-30 09:20 913 ----a-r C:\Program Files\5B499C0E6AD01072D98749C2E4458213
2001-08-30 09:20 911 ----a-r C:\Program Files\19BF8638CAE0089B9DCED8A8972A8869
2001-08-30 09:20 906 ----a-r C:\Program Files\E5106503A81B5139D98749C2E4458213
2001-08-30 09:20 9,630 ----a-r C:\Program Files\36485C55F354428168D8B7444C3FF5EA
2001-08-30 09:20 897 ----a-r C:\Program Files\6758836328296BBE
2001-08-30 09:20 895 ----a-r C:\Program Files\D7769BD9600CC0E368D8B7444C3FF5EA
2001-08-30 09:20 890 ----a-r C:\Program Files\E6BE113A2C77D79F68D8B7444C3FF5EA
2001-08-30 09:20 890 ----a-r C:\Program Files\3497ABE46F99CBB59CB447A6709D2871
2001-08-30 09:20 888 ----a-r C:\Program Files\947DE603F86843929CB447A6709D2871
2001-08-30 09:20 887 ----a-r C:\Program Files\0E0C7AAF9C349FC1
2001-08-30 09:20 884 ----a-r C:\Program Files\1D92321BCE9415B19CB447A6709D2871
2001-08-30 09:20 881 ----a-r C:\Program Files\2E5D1D3ABABBAA5E9CB447A6709D2871
2001-08-30 09:20 881 ----a-r C:\Program Files\21818B424916A28F68D8B7444C3FF5EA
2001-08-30 09:20 879 ----a-r C:\Program Files\A7C65690A21A9FF1F76307E864B37F25
2001-08-30 09:20 877 ----a-r C:\Program Files\8BBB5273585E99D24F1E31390980824F
2001-08-30 09:20 875 ----a-r C:\Program Files\49DBD4D7E8BAFC31D98749C2E4458213
2001-08-30 09:20 874 ----a-r C:\Program Files\CAB346CB522E77579CB447A6709D2871
2001-08-30 09:20 871 ----a-r C:\Program Files\261C4DB1AFDCB7972FD2DBB586F912F1
2001-08-30 09:20 865 ----a-r C:\Program Files\FFCF5FCD6FB8BA87D98749C2E4458213
2001-08-30 09:20 865 ----a-r C:\Program Files\C20BC971E41A64BFD98749C2E4458213
2001-08-30 09:20 865 ----a-r C:\Program Files\856F25B37B57FDB69CB447A6709D2871
2001-08-30 09:20 865 ----a-r C:\Program Files\3033EC1C1C52EF91D63FF4810F54AB57
2001-08-30 09:20 863 ----a-r C:\Program Files\E1A9B3CA2B06E1B8D98749C2E4458213
2001-08-30 09:20 863 ----a-r C:\Program Files\C42F47A27812F2FD
2001-08-30 09:20 859 ----a-r C:\Program Files\64B811DCE59E5B14D98749C2E4458213
2001-08-30 09:20 849 ----a-r C:\Program Files\E4DDE91603A66FD94F1E31390980824F
2001-08-30 09:20 849 ----a-r C:\Program Files\A8124A98DE88B67BD98749C2E4458213
2001-08-30 09:20 849 ----a-r C:\Program Files\A365BD726523CAA2F67191B868AB247A
2001-08-30 09:20 849 ----a-r C:\Program Files\83C254292EF258E9D98749C2E4458213
2001-08-30 09:20 849 ----a-r C:\Program Files\18505C7B14230E9FFC6476F73DFD099D68D8B7444C3FF5EA
2001-08-30 09:20 844 ----a-r C:\Program Files\A1368EC7746C8003
2001-08-30 09:20 833 ----a-r C:\Program Files\FBAA2CC490B69FAA
2001-08-30 09:20 833 ----a-r C:\Program Files\E42D7FBE355FC1FD9CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\8EDE47393915C1509CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\8873D513005CE3289DCED8A8972A8869
2001-08-30 09:20 833 ----a-r C:\Program Files\6DB34399DD8A93719CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\6ABDD4E3680EA6959CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\2C4D0B89F3FAE77B9CB447A6709D2871
2001-08-30 09:20 833 ----a-r C:\Program Files\087F22B452F84774D98749C2E4458213
2001-08-30 09:20 831 ----a-r C:\Program Files\FDEC777047A284EC9CB447A6709D2871
2001-08-30 09:20 831 ----a-r C:\Program Files\E7B3F53D4011F1D89CB447A6709D2871
2001-08-30 09:20 831 ----a-r C:\Program Files\4858A5171C529BF3D98749C2E4458213
2001-08-30 09:20 817 ----a-r C:\Program Files\D1A7DE369B338517BD438AAE4386CE99
2001-08-30 09:20 815 ----a-r C:\Program Files\51F0B8CF1DAE6059D98749C2E4458213
2001-08-30 09:20 814 ----a-r C:\Program Files\6CDBA3180A186E2BE9C1F8FB99B8A88F
2001-08-30 09:20 811 ----a-r C:\Program Files\3B1227EECC7B782E9CB447A6709D2871
2001-08-30 09:20 810 ----a-r C:\Program Files\88DFE0B1FB0ABEABD98749C2E4458213
2001-08-30 09:20 810 ----a-r C:\Program Files\38A7421063A91248BCEE04EDB38C491704D64AFBDE6580362FD2DBB586F912F1
2001-08-30 09:20 808 ----a-r C:\Program Files\69CE51850BC03E5768D8B7444C3FF5EA
Vegasmma is offline  