
Thread: Help with Virtumonde and Smitfraude

  1. #1
    Junior Member
    Join Date
    Jun 2007
    Posts
    1

    Default Help with Virtumonde and Smitfraude

    I noticed everybody who had the same problem posted the log.txt, so here is mine; hope it helps.

    ComboFix 07-06-18.2 - C:\Documents and Settings\Administrator\Desktop\junk\ComboFix.exe
    "mobile" - 2007-06-20 22:09:15 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\hlgtbjdf.dll
    C:\WINDOWS\system32\lrlmamjk.dll
    C:\WINDOWS\system32\nhlosqun.dll
    C:\WINDOWS\system32\vcpwkcfx.dll
    C:\WINDOWS\system32\kjmamlrl.ini
    C:\WINDOWS\system32\kjllm.bak1
    C:\WINDOWS\system32\kjllm.bak2
    C:\WINDOWS\system32\kjllm.ini
    C:\WINDOWS\system32\nuqsolhn.ini
    C:\WINDOWS\system32\kjllm.bak1
    C:\WINDOWS\system32\kjllm.bak2
    C:\WINDOWS\system32\kjllm.ini
    C:\WINDOWS\system32\mlljk.dll
    C:\WINDOWS\system32\yayywuu.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))


    2007-06-20 22:07 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-19 22:11 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-13 22:57 92,160 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
    2007-06-09 03:24 <DIR> d-------- C:\DOCUME~1\100264~1\APPLIC~1\Logitech
    2007-06-09 03:20 13,568 --a------ C:\WINDOWS\system32\drivers\L8042Kbd.SYS
    2007-06-09 03:18 94,208 --a------ C:\WINDOWS\KHALMNPR.Exe
    2007-06-09 03:18 69,760 --a------ C:\WINDOWS\system32\drivers\LMouKE.Sys
    2007-06-09 03:18 55,808 --a------ C:\WINDOWS\system32\drivers\L8042MOU.SYS
    2007-06-09 03:18 53,248 --a------ C:\WINDOWS\system32\KemXML.dll
    2007-06-09 03:18 36,736 --a------ C:\WINDOWS\system32\drivers\LHidUsbK.sys
    2007-06-09 03:18 27,008 --a------ C:\WINDOWS\system32\drivers\LHidKE.Sys
    2007-06-09 03:18 155,648 --a------ C:\WINDOWS\system32\kemutb.dll
    2007-06-09 03:18 126,976 --a------ C:\WINDOWS\system32\KemUtil.dll
    2007-06-09 03:18 110,592 --a------ C:\WINDOWS\system32\KemWnd.dll
    2007-06-09 03:17 <DIR> d-------- C:\Program Files\Common Files\Logitech
    2007-06-07 00:53 <DIR> d-------- C:\Program Files\GoldEsel
    2007-06-07 00:53 <DIR> d-------- C:\Program Files\Ahead
    2007-06-06 15:59 5,504 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
    2007-06-06 15:59 125,184 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
    2007-06-06 15:58 476,320 --a------ C:\WINDOWS\system32\ImagXpr7.dll
    2007-06-06 15:58 471,040 --a------ C:\WINDOWS\system32\ImagXRA7.dll
    2007-06-06 15:58 262,144 --a------ C:\WINDOWS\system32\ImagXR7.dll
    2007-06-06 15:58 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2007-06-06 15:58 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
    2007-06-06 15:58 1,568,768 --a------ C:\WINDOWS\system32\ImagX7.dll
    2007-06-06 15:58 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2007-06-05 14:33 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Real
    2007-06-05 14:32 4,194,304 --ah----- C:\DOCUME~1\100286~1\ntuser.dat
    2007-06-05 14:32 <DIR> d--h----- C:\DOCUME~1\100286~1\InstallAnywhere
    2007-06-05 14:32 <DIR> d---s---- C:\DOCUME~1\100286~1\UserData
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\VMware
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Sonic
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\SolidWorks
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\SmartFTP
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Silicon Chalk
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\MathWorks
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Leadertech
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\InterVideo
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Intel
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\F-Secure
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\DWGeditor
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\ATI
    2007-06-05 14:32 <DIR> d-------- C:\DOCUME~1\100286~1\APPLIC~1\Apple Computer
    2007-05-29 12:39 <DIR> d-------- C:\DOCUME~1\100264~1\APPLIC~1\Help
    2007-05-29 12:26 <DIR> d-------- C:\WINDOWS\system32\Fonts
    2007-05-29 12:26 <DIR> d-------- C:\Program Files\DataStudio


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-12 01:07:15 -------- d-----w C:\Program Files\SPSS
    2007-06-12 01:07:14 73 ----a-w C:\WINDOWS\system32\ssprs.dll
    2007-06-12 01:07:11 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
    2007-06-09 07:18:00 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-05 18:36:02 -------- d-----w C:\Program Files\Lexmark
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 03:55:49 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2007-05-14 23:22:04 -------- d-----w C:\Program Files\Lexmark_HostCD
    2007-05-10 04:23:07 -------- d-----w C:\Program Files\Microsoft IntelliType Pro
    2007-05-02 05:38:29 -------- d-----w C:\Program Files\QuickTime
    2007-05-02 05:32:10 -------- d-----w C:\Program Files\Apple Software Update
    2007-04-30 15:52:24 -------- d-----w C:\Program Files\Lexmark X6100 Series
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-07 04:24:11 13,013 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
    2007-04-07 04:23:36 4,103,032 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
    2007-04-07 04:07:29 2,951 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
    2007-04-05 21:19:19 118,842 ------r C:\WINDOWS\bwUnin-6.3.2.116-7681197L.exe
    2007-03-30 15:38:47 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll [2007-03-19 04:47]
    {53707962-6F74-2D53-2644-206D7942484F}=D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll [2005-09-24 01:41]
    {EDB66B70-9AF0-458B-8128-CAE4ED187205}=C:\Program Files\UGS\Teamcenter 2005 SR1\Visualization\Products\iSeries\WebBHO.dll [2006-03-27 02:29]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-01-23 05:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"=0 (0x0)
    "SynchronousMachineGroupPolicy"=0 (0x0)
    "SynchronousUserGroupPolicy"=0 (0x0)
    "DisableStatusMessages"=1 (0x1)
    "LogonType"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"=1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
    ACNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
    backup=C:\WINDOWS\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PASPortal.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PASPortal.lnk
    backup=C:\WINDOWS\pss\PASPortal.lnkCommon Startup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    "C:\Program Files\Adobe\Distillr\Acrotray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
    rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
    "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
    "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
    rundll32.exe "C:\WINDOWS\system32\nhlosqun.dll",realset

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAPMClient]
    "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    "c:\Program Files\Microsoft IntelliType Pro\itype.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X6100 Series]
    "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
    KHALMNPR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\niDevMon]
    C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
    rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]
    "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    C:\Program Files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
    tp4ex.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
    C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKBDLED]
    C:\WINDOWS\system32\TpScrLk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
    C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
    TpShocks.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
    d:\Program Files\Google\Gmail Notifier\gnotify.exe

    *Newly Created Service* - NIPALK

    Contents of the 'Scheduled Tasks' folder
    2007-06-06 01:40:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-06-19 04:28:29 C:\WINDOWS\tasks\PMTask.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-20 22:23:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-20 22:24:23 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-20 22:24

    --- E O F ---
    Last edited by tashi; 2007-06-21 at 07:12. Reason: Moved from the Spybot-S&D forum
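    Two things in the log above are worth checking mechanically rather than by eye, and both can be verified from the pasted text alone: several of the files ComboFix removed from system32 come in pairs where the .ini/.bak basename is the .dll basename spelled backwards (lrlmamjk.dll / kjmamlrl.ini, nhlosqun.dll / nuqsolhn.ini, mlljk.dll / kjllm.ini and .bak1/.bak2), and one msconfig startupreg entry ("GPLv3") loads one of those DLLs through rundll32 with an export name (realset). The script below is an added triage example written for this thread; it is not part of the original post and not ComboFix's own code. Its sample input is constructed by copying the relevant lines from the V Log and Reg Loading Points sections above, and the "suspicious" rule is only the two observations just stated (reversed-name companions, and a rundll32 loader whose DLL appears in the removed-files list); the legitimate ThinkPad rundll32 entry is included to show it is not flagged.

```python
"""Triage helper for a ComboFix log excerpt (added example, not from the original post).

Checks two patterns visible in the log above:
  1. non-DLL files in system32 whose basename is a DLL's basename reversed
  2. rundll32 autostart entries that load a DLL listed among the removed files
"""
from __future__ import annotations

import ntpath
import re

# Constructed sample: lines copied from the "V Log" section of the post.
V_LOG = r"""
C:\WINDOWS\system32\hlgtbjdf.dll
C:\WINDOWS\system32\lrlmamjk.dll
C:\WINDOWS\system32\nhlosqun.dll
C:\WINDOWS\system32\vcpwkcfx.dll
C:\WINDOWS\system32\kjmamlrl.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\nuqsolhn.ini
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\yayywuu.dll
"""

# Constructed sample: three entries copied from the "Reg Loading Points" section.
# The PWRMGRTR entry is a legitimate ThinkPad rundll32 loader and must not be flagged.
REG_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
"C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\nhlosqun.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRMGRTR]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
"""

# rundll32[.exe] <dll path, optionally quoted>,<export>
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)


def parse_paths(section: str) -> list[str]:
    """One path per non-empty line."""
    return [ln.strip() for ln in section.splitlines() if ln.strip()]


def split_name(path: str) -> tuple[str, str]:
    """Return (lower-cased stem, lower-cased extension) of a Windows path."""
    base = ntpath.basename(path)
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return base.lower(), ""
    return stem.lower(), ext.lower()


def pair_reversed_names(paths: list[str]) -> dict[str, list[str]]:
    """Map DLL stem -> companion files whose stem is that DLL stem reversed."""
    dll_stems = {split_name(p)[0] for p in paths if split_name(p)[1] == "dll"}
    pairs: dict[str, list[str]] = {}
    for p in paths:
        stem, ext = split_name(p)
        if ext != "dll" and stem[::-1] in dll_stems:
            pairs.setdefault(stem[::-1], []).append(p)
    return pairs


def find_rundll32_loaders(reg_section: str) -> list[tuple[str, str, str]]:
    """Return (registry key, dll path, export) for each rundll32 autostart value."""
    key, found = "", []
    for ln in reg_section.splitlines():
        ln = ln.strip()
        if not ln:
            continue
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            continue
        m = RUNDLL_RE.match(ln)
        if m:
            found.append((key, m.group("dll"), m.group("export")))
    return found


def triage(vlog: str, reg: str) -> dict:
    """Cross-reference removed files against rundll32 loaders."""
    paths = parse_paths(vlog)
    pairs = pair_reversed_names(paths)
    removed_dlls = {split_name(p)[0] for p in paths if split_name(p)[1] == "dll"}
    suspicious = []
    for key, dll, export in find_rundll32_loaders(reg):
        stem, _ = split_name(dll)
        if stem in removed_dlls:  # loader points at a DLL ComboFix removed
            suspicious.append(
                {"key": key, "dll": dll, "export": export, "companions": pairs.get(stem, [])}
            )
    return {"reversed_name_pairs": pairs, "suspicious_loaders": suspicious}


if __name__ == "__main__":
    result = triage(V_LOG, REG_LOADING_POINTS)
    for dll, companions in sorted(result["reversed_name_pairs"].items()):
        print(f"{dll}.dll  <->  {', '.join(ntpath.basename(c) for c in companions)}")
    for f in result["suspicious_loaders"]:
        print(f"loader: {f['key'].rsplit(chr(92), 1)[-1]} -> {f['dll']},{f['export']}")
```

    Run it as-is and it reports the three reversed-name pairs and the single GPLv3 loader; the F-Secure and ThinkPad entries are left alone because they are not rundll32 loaders of a removed DLL. The same two functions can be pointed at a full ComboFix log by pasting the corresponding sections into the two sample strings.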

  2. #2
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Hello.

    Please see this sticky: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

    Copy/paste the logs requested into this topic, and a helper will assist you when available.

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
