Help with Virtumonde and Smitfraude



Madclks
2007-06-21, 07:06
I noticed everybody who had the same problem posted the log.txt, so here is mine; hope it helps.

ComboFix 07-06-18.2 - C:\Documents and Settings\Administrator\Desktop\junk\ComboFix.exe
"mobile" - 2007-06-20 22:09:15 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\hlgtbjdf.dll
C:\WINDOWS\system32\lrlmamjk.dll
C:\WINDOWS\system32\nhlosqun.dll
C:\WINDOWS\system32\vcpwkcfx.dll
C:\WINDOWS\system32\kjmamlrl.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\nuqsolhn.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\yayywuu.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))


2007-06-20 22:07 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-19 22:11 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-13 22:57 92,160 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2007-06-09 03:24 <DIR> d-------- C:\DOCUME~1\100264~1\APPLIC~1\Logitech
2007-06-09 03:20 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
2007-06-09 03:18 94,208 --a------ C:\WINDOWS\KHALMNPR.Exe
2007-06-09 03:18 69,760 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
2007-06-09 03:18 55,808 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
2007-06-09 03:18 53,248 --a------ C:\WINDOWS\system32\KemXML.dll
2007-06-09 03:18 36,736 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.sys
2007-06-09 03:18 27,008 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
2007-06-09 03:18 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
2007-06-09 03:18 126,976 --a------ C:\WINDOWS\system32\KemUtil.dll
2007-06-09 03:18 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
2007-06-09 03:17 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-06-07 00:53 <DIR> d-------- C:\Program Files\GoldEsel
2007-06-07 00:53 <DIR> d-------- C:\Program Files\Ahead
2007-06-06 15:59 5,504 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2007-06-06 15:59 125,184 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2007-06-06 15:58 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
2007-06-06 15:58 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
2007-06-06 15:58 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
2007-06-06 15:58 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-06-06 15:58 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-06-06 15:58 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
2007-06-06 15:58 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-06-05 14:33 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Real
2007-06-05 14:32 4,194,304 --ah----- C:\DOCUME~1\100286~1\ntuser.dat
2007-06-05 14:32 <DIR> d--h----- C:\DOCUME~1\100286~1\InstallAnywhere
2007-06-05 14:32 <DIR> d---s---- C:\DOCUME~1\100286~1\UserData
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\VMware
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Sonic
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\SolidWorks
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\SmartFTP
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Silicon Chalk
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\MathWorks
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Leadertech
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\InterVideo
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Intel
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\F-Secure
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\DWGeditor
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\ATI
2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Apple Computer
2007-05-29 12:39 <DIR> d-------- C:\DOCUME~1\100264~1\APPLIC~1\Help
2007-05-29 12:26 <DIR> d-------- C:\WINDOWS\system32\Fonts
2007-05-29 12:26 <DIR> d-------- C:\Program Files\DataStudio


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-12 01:07:15 -------- d-----w C:\Program Files\SPSS
2007-06-12 01:07:14 73 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-06-12 01:07:11 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-06-09 07:18:00 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-05 18:36:02 -------- d-----w C:\Program Files\Lexmark
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-16 03:55:49 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-05-14 23:22:04 -------- d-----w C:\Program Files\Lexmark_HostCD
2007-05-10 04:23:07 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-05-02 05:38:29 -------- d-----w C:\Program Files\QuickTime
2007-05-02 05:32:10 -------- d-----w C:\Program Files\Apple Software Update
2007-04-30 15:52:24 -------- d-----w C:\Program Files\Lexmark X6100 Series
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-07 04:24:11 13,013 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2007-04-07 04:23:36 4,103,032 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-04-07 04:07:29 2,951 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2007-04-05 21:19:19 118,842 ------r C:\WINDOWS\bwUnin-6.3.2.116-7681197L.exe
2007-03-30 15:38:47 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll [2007-03-19 04:47]
{53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2005-09-24 01:41]
{EDB66B70-9AF0-458B-8128-CAE4ED187205}=C:\Program Files\UGS\Teamcenter 2005 SR1\Visualization\Products\iSeries\WebBHO.dll [2006-03-27 02:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-23 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)
"DisableStatusMessages"=1 (0x1)
"LogonType"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=C:\WINDOWS\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
backup=C:\WINDOWS\pss\PASPortal.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
"C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
"C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\nhlosqun.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAPMClient]
"C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"c:\Program Files\Microsoft IntelliType Pro\itype.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
"C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\niDevMon]
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
"C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
C:\WINDOWS\system32\TpScrLk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
d:\Program Files\Google\Gmail Notifier\gnotify.exe

*Newly Created Service* - NIPALK

Contents of the 'Scheduled Tasks' folder
2007-06-06 01:40:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-19 04:28:29 C:\WINDOWS\tasks\PMTask.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 22:23:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-20 22:24:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-20 22:24

--- E O F ---

tashi
2007-06-21, 07:13
Hello.

Please see this sticky: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Copy/paste the logs requested into this topic, and a helper will assist you when available.

Regards.