
Thread: Virtumonde, pop-up trojan, etc

  1. #1
    Junior Member
    Join Date: Jan 2009
    Posts: 16

    Virtumonde, pop-up trojan, etc

    I know I'm not supposed to use ComboFix on my own, but I followed the instructions given to someone who had exactly the same problem I have been having. I think ComboFix solved my problems, but I'd appreciate it if someone could review the log and give me any recommendations to further clean my system and better protect it in the future.
    Brief description of the problem before ComboFix: Virtumonde and some pop-up trojan repeatedly reinstalled themselves immediately after I cleaned my system MANY times with SpyBot, Ad-Aware, Spyware Doctor, and several other reputable tools.

    Before ComboFix would run, it told me to make a note of three files, and then it rebooted my system:
    C:\windows\system32\drivers\senekasbppvaiq.sys
    C:\windows\system32\senekafnhylalw.dll
    C:\windows\system32\senekaynadivbn.dll

    The following is the log:


    ComboFix 09-01-08.05 - Chad 2009-01-09 13:41:10.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1539 [GMT -7:00]
    Running from: c:\documents and settings\Chad\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Chad\Local Settings\Temporary Internet Files\fbk.sts
    c:\recycler\ADAPT_Installer.exe
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\system32\_004065_.tmp.dll
    c:\windows\system32\_004073_.tmp.dll
    c:\windows\system32\_004081_.tmp.dll
    c:\windows\system32\_004089_.tmp.dll
    c:\windows\system32\_004097_.tmp.dll
    c:\windows\system32\_004105_.tmp.dll
    c:\windows\system32\_004113_.tmp.dll
    c:\windows\system32\_004121_.tmp.dll
    c:\windows\system32\_004129_.tmp.dll
    c:\windows\system32\_004137_.tmp.dll
    c:\windows\system32\_004153_.tmp.dll
    c:\windows\system32\_004161_.tmp.dll
    c:\windows\system32\_004169_.tmp.dll
    c:\windows\system32\_004177_.tmp.dll
    c:\windows\system32\_004211_.tmp.dll
    c:\windows\system32\_004212_.tmp.dll
    c:\windows\system32\_004215_.tmp.dll
    c:\windows\system32\_004219_.tmp.dll
    c:\windows\system32\_004220_.tmp.dll
    c:\windows\system32\_004221_.tmp.dll
    c:\windows\system32\_004222_.tmp.dll
    c:\windows\system32\_004228_.tmp.dll
    c:\windows\system32\_004230_.tmp.dll
    c:\windows\system32\_004235_.tmp.dll
    c:\windows\system32\_004236_.tmp.dll
    c:\windows\system32\_004237_.tmp.dll
    c:\windows\system32\_004238_.tmp.dll
    c:\windows\system32\_004243_.tmp.dll
    c:\windows\system32\_004244_.tmp.dll
    c:\windows\system32\_004245_.tmp.dll
    c:\windows\system32\_004246_.tmp.dll
    c:\windows\system32\_004251_.tmp.dll
    c:\windows\system32\_004252_.tmp.dll
    c:\windows\system32\_004253_.tmp.dll
    c:\windows\system32\_004254_.tmp.dll
    c:\windows\system32\_004259_.tmp.dll
    c:\windows\system32\_004260_.tmp.dll
    c:\windows\system32\_004261_.tmp.dll
    c:\windows\system32\_004262_.tmp.dll
    c:\windows\system32\_004267_.tmp.dll
    c:\windows\system32\_004268_.tmp.dll
    c:\windows\system32\_004269_.tmp.dll
    c:\windows\system32\_004270_.tmp.dll
    c:\windows\system32\_004275_.tmp.dll
    c:\windows\system32\_004276_.tmp.dll
    c:\windows\system32\_004277_.tmp.dll
    c:\windows\system32\_004278_.tmp.dll
    c:\windows\system32\_004283_.tmp.dll
    c:\windows\system32\_004284_.tmp.dll
    c:\windows\system32\_004285_.tmp.dll
    c:\windows\system32\_004286_.tmp.dll
    c:\windows\system32\_004291_.tmp.dll
    c:\windows\system32\_004292_.tmp.dll
    c:\windows\system32\_004293_.tmp.dll
    c:\windows\system32\_004294_.tmp.dll
    c:\windows\system32\_004299_.tmp.dll
    c:\windows\system32\_004300_.tmp.dll
    c:\windows\system32\_004301_.tmp.dll
    c:\windows\system32\_004302_.tmp.dll
    c:\windows\system32\_004307_.tmp.dll
    c:\windows\system32\_004308_.tmp.dll
    c:\windows\system32\_004309_.tmp.dll
    c:\windows\system32\_004310_.tmp.dll
    c:\windows\system32\_004315_.tmp.dll
    c:\windows\system32\_004316_.tmp.dll
    c:\windows\system32\_004317_.tmp.dll
    c:\windows\system32\_004318_.tmp.dll
    c:\windows\system32\_004323_.tmp.dll
    c:\windows\system32\_004324_.tmp.dll
    c:\windows\system32\_004325_.tmp.dll
    c:\windows\system32\_004326_.tmp.dll
    c:\windows\system32\_004331_.tmp.dll
    c:\windows\system32\_004332_.tmp.dll
    c:\windows\system32\_004333_.tmp.dll
    c:\windows\system32\_004334_.tmp.dll
    c:\windows\system32\_004339_.tmp.dll
    c:\windows\system32\_004340_.tmp.dll
    c:\windows\system32\_004341_.tmp.dll
    c:\windows\system32\_004342_.tmp.dll
    c:\windows\system32\_004347_.tmp.dll
    c:\windows\system32\_004348_.tmp.dll
    c:\windows\system32\_004349_.tmp.dll
    c:\windows\system32\_004350_.tmp.dll
    c:\windows\system32\_005149_.tmp.dll
    c:\windows\system32\_005150_.tmp.dll
    c:\windows\system32\_005151_.tmp.dll
    c:\windows\system32\_005152_.tmp.dll
    c:\windows\system32\_005159_.tmp.dll
    c:\windows\system32\_005160_.tmp.dll
    c:\windows\system32\_005161_.tmp.dll
    c:\windows\system32\_005162_.tmp.dll
    c:\windows\system32\_005163_.tmp.dll
    c:\windows\system32\_005164_.tmp.dll
    c:\windows\system32\_005165_.tmp.dll
    c:\windows\system32\_005166_.tmp.dll
    c:\windows\system32\_005167_.tmp.dll
    c:\windows\system32\_005168_.tmp.dll
    c:\windows\system32\_005169_.tmp.dll
    c:\windows\system32\_005170_.tmp.dll
    c:\windows\system32\_005171_.tmp.dll
    c:\windows\system32\_005172_.tmp.dll
    c:\windows\system32\_005173_.tmp.dll
    c:\windows\system32\_005174_.tmp.dll
    c:\windows\system32\_005175_.tmp.dll
    c:\windows\system32\_005176_.tmp.dll
    c:\windows\system32\_005177_.tmp.dll
    c:\windows\system32\_005178_.tmp.dll
    c:\windows\system32\_005179_.tmp.dll
    c:\windows\system32\_005180_.tmp.dll
    c:\windows\system32\_005183_.tmp.dll
    c:\windows\system32\_005184_.tmp.dll
    c:\windows\system32\_005185_.tmp.dll
    c:\windows\system32\_005186_.tmp.dll
    c:\windows\system32\_005187_.tmp.dll
    c:\windows\system32\_005188_.tmp.dll
    c:\windows\system32\_005189_.tmp.dll
    c:\windows\system32\_005191_.tmp.dll
    c:\windows\system32\_005192_.tmp.dll
    c:\windows\system32\_005193_.tmp.dll
    c:\windows\system32\_005194_.tmp.dll
    c:\windows\system32\_005195_.tmp.dll
    c:\windows\system32\_005196_.tmp.dll
    c:\windows\system32\_005197_.tmp.dll
    c:\windows\system32\_005198_.tmp.dll
    c:\windows\system32\_005199_.tmp.dll
    c:\windows\system32\_005200_.tmp.dll
    c:\windows\system32\_005201_.tmp.dll
    c:\windows\system32\_005202_.tmp.dll
    c:\windows\system32\_005205_.tmp.dll
    c:\windows\system32\_005206_.tmp.dll
    c:\windows\system32\_005207_.tmp.dll
    c:\windows\system32\_005209_.tmp.dll
    c:\windows\system32\_005210_.tmp.dll
    c:\windows\system32\_005211_.tmp.dll
    c:\windows\system32\_005212_.tmp.dll
    c:\windows\system32\_005213_.tmp.dll
    c:\windows\system32\_005214_.tmp.dll
    c:\windows\system32\_005215_.tmp.dll
    c:\windows\system32\_005216_.tmp.dll
    c:\windows\system32\_005217_.tmp.dll
    c:\windows\system32\_005218_.tmp.dll
    c:\windows\system32\_005219_.tmp.dll
    c:\windows\system32\_005221_.tmp.dll
    c:\windows\system32\_005222_.tmp.dll
    c:\windows\system32\_005223_.tmp.dll
    c:\windows\system32\_005224_.tmp.dll
    c:\windows\system32\_005226_.tmp.dll
    c:\windows\system32\_005228_.tmp.dll
    c:\windows\system32\_005229_.tmp.dll
    c:\windows\system32\_005230_.tmp.dll
    c:\windows\system32\_005231_.tmp.dll
    c:\windows\system32\_005232_.tmp.dll
    c:\windows\system32\_005233_.tmp.dll
    c:\windows\system32\_005234_.tmp.dll
    c:\windows\system32\_005236_.tmp.dll
    c:\windows\system32\_005237_.tmp.dll
    c:\windows\system32\_005238_.tmp.dll
    c:\windows\system32\_005239_.tmp.dll
    c:\windows\system32\_005240_.tmp.dll
    c:\windows\system32\_005241_.tmp.dll
    c:\windows\system32\_005242_.tmp.dll
    c:\windows\system32\_005243_.tmp.dll
    c:\windows\system32\_005245_.tmp.dll
    c:\windows\system32\_005246_.tmp.dll
    c:\windows\system32\_005248_.tmp.dll
    c:\windows\system32\_005249_.tmp.dll
    c:\windows\system32\_005251_.tmp.dll
    c:\windows\system32\_005252_.tmp.dll
    c:\windows\system32\_005256_.tmp.dll
    c:\windows\system32\_005257_.tmp.dll
    c:\windows\system32\_005259_.tmp.dll
    c:\windows\system32\_005262_.tmp.dll
    c:\windows\system32\_005264_.tmp.dll
    c:\windows\system32\_005265_.tmp.dll
    c:\windows\system32\_005266_.tmp.dll
    c:\windows\system32\_005267_.tmp.dll
    c:\windows\system32\_005270_.tmp.dll
    c:\windows\system32\_005271_.tmp.dll
    c:\windows\system32\_005272_.tmp.dll
    c:\windows\system32\_005273_.tmp.dll
    c:\windows\system32\_005274_.tmp.dll
    c:\windows\system32\_005279_.tmp.dll
    c:\windows\system32\_005281_.tmp.dll
    c:\windows\system32\_005282_.tmp.dll
    c:\windows\system32\_006508_.tmp.dll
    c:\windows\system32\_006509_.tmp.dll
    c:\windows\system32\_006510_.tmp.dll
    c:\windows\system32\_006511_.tmp.dll
    c:\windows\system32\_006518_.tmp.dll
    c:\windows\system32\_006519_.tmp.dll
    c:\windows\system32\_006520_.tmp.dll
    c:\windows\system32\_006521_.tmp.dll
    c:\windows\system32\_006523_.tmp.dll
    c:\windows\system32\_006524_.tmp.dll
    c:\windows\system32\_006527_.tmp.dll
    c:\windows\system32\_006528_.tmp.dll
    c:\windows\system32\_006530_.tmp.dll
    c:\windows\system32\_006531_.tmp.dll
    c:\windows\system32\_006532_.tmp.dll
    c:\windows\system32\_006534_.tmp.dll
    c:\windows\system32\_006537_.tmp.dll
    c:\windows\system32\_006538_.tmp.dll
    c:\windows\system32\_006542_.tmp.dll
    c:\windows\system32\_006543_.tmp.dll
    c:\windows\system32\_006545_.tmp.dll
    c:\windows\system32\_006548_.tmp.dll
    c:\windows\system32\_006550_.tmp.dll
    c:\windows\system32\_006551_.tmp.dll
    c:\windows\system32\_006552_.tmp.dll
    c:\windows\system32\_006553_.tmp.dll
    c:\windows\system32\_006554_.tmp.dll
    c:\windows\system32\_006557_.tmp.dll
    c:\windows\system32\_006558_.tmp.dll
    c:\windows\system32\_006559_.tmp.dll
    c:\windows\system32\_006560_.tmp.dll
    c:\windows\system32\_006561_.tmp.dll
    c:\windows\system32\_006566_.tmp.dll
    c:\windows\system32\_006568_.tmp.dll
    c:\windows\system32\_006569_.tmp.dll
    c:\windows\system32\cbXRJBut.dll
    c:\windows\system32\dppsakcs.ini
    c:\windows\system32\drivers\seneka.sys
    c:\windows\system32\drivers\senekasbppvaiq.sys
    c:\windows\system32\Drivers\TDSSmxfe.sys
    c:\windows\system32\jfpcihdo.dll
    c:\windows\system32\kfwbodlx.dll
    c:\windows\system32\koprntvf.ini
    c:\windows\system32\pjwcmd.dll
    c:\windows\system32\qoMgggET.dll
    c:\windows\system32\rmtjfvkr.dll
    c:\windows\system32\seneka.dat
    c:\windows\system32\senekadf.dat
    c:\windows\system32\senekafnhylalw.dll
    c:\windows\system32\senekalog.dat
    c:\windows\system32\senekaynadiubn.dll
    c:\windows\system32\tuvUMghI.dll
    c:\windows\system32\wnzyke.dll
    c:\windows\system32\wreymjpa.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SENEKA


    ((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
    .

    2009-01-08 23:24 . 2008-11-23 02:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DivX
    2009-01-08 23:24 . 2009-01-08 23:24 <DIR> d-------- c:\documents and settings\Administrator
    2009-01-08 22:00 . 2009-01-09 12:24 <DIR> d-------- c:\program files\Spyware Doctor
    2009-01-08 22:00 . 2009-01-08 22:00 <DIR> d-------- c:\documents and settings\Chad\Application Data\PC Tools
    2009-01-08 22:00 . 2009-01-09 13:57 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-01-08 22:00 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
    2009-01-08 22:00 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
    2009-01-08 22:00 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
    2009-01-08 22:00 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
    2009-01-08 21:22 . 2009-01-08 21:42 <DIR> d-------- c:\program files\Windows Live Safety Center
    2009-01-08 19:15 . 2009-01-08 19:05 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
    2009-01-08 19:05 . 2009-01-08 19:18 <DIR> d-------- c:\documents and settings\Chad\.housecall6.6
    2009-01-08 15:46 . 2009-01-08 16:16 725 --a------ c:\windows\wininit.ini
    2009-01-08 14:34 . 2009-01-08 14:34 <DIR> d-------- c:\documents and settings\Chad\Application Data\cogad
    2009-01-07 10:24 . 2009-01-07 10:24 <DIR> d-------- C:\CrashReport
    2009-01-07 09:31 . 2009-01-09 10:47 <DIR> d-------- c:\program files\Runes of Magic
    2009-01-05 17:05 . 2009-01-05 17:05 <DIR> d-------- c:\program files\Microsoft Silverlight
    2008-12-27 15:07 . 2008-12-27 15:09 <DIR> d-------- C:\NETHERW
    2008-12-26 18:36 . 2008-12-26 18:36 <DIR> d-------- c:\program files\THQ
    2008-12-19 22:03 . 2008-12-19 22:02 410,984 --a------ c:\windows\system32\deploytk.dll
    2008-12-11 17:50 . 2008-10-03 03:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-08 21:45 806 -c--a-w c:\windows\system32\drivers\SYMEVENT.INF
    2009-01-08 21:45 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
    2009-01-08 21:45 10,635 -c--a-w c:\windows\system32\drivers\SYMEVENT.CAT
    2009-01-08 21:45 --------- d-----w c:\program files\Symantec
    2009-01-06 03:01 --------- d--h--w c:\documents and settings\Chad\Application Data\Move Networks
    2009-01-05 05:13 31 ----a-w c:\documents and settings\Chad\jagex_runescape_preferences.dat
    2009-01-02 02:28 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-28 18:14 --------- d-----w c:\documents and settings\Chad\Application Data\Azureus
    2008-12-28 18:03 --------- d-----w c:\program files\Vuze
    2008-12-27 18:41 --------- d-----w c:\program files\StarportGE
    2008-12-27 18:41 --------- d-----w c:\program files\SCAR 3.13
    2008-12-27 18:41 --------- d-----w c:\program files\SCAR 3.12
    2008-12-27 18:41 --------- d-----w c:\program files\SCAR 3.11
    2008-12-27 16:50 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-24 01:43 --------- d-----w c:\program files\Saga
    2008-12-20 05:02 --------- d-----w c:\program files\Java
    2008-12-12 19:00 --------- d-----w c:\program files\DivX
    2008-11-30 15:16 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-30 15:15 --------- d-----w c:\program files\Lavasoft
    2008-11-30 15:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-26 16:24 0 ----a-w c:\documents and settings\Chad\reset.cmd
    2008-11-26 05:34 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-11-26 05:34 --------- d-----w c:\program files\NoAdware
    2008-11-22 16:29 79,360 ----a-r c:\windows\system32\drivers\nvatabus.sys
    2008-11-22 16:29 68,224 ----a-r c:\windows\system32\drivers\nvraid.sys
    2008-11-22 16:29 56,960 ----a-r c:\windows\system32\drivers\nvnrm.sys
    2008-11-22 16:29 33,280 ----a-r c:\windows\system32\drivers\NVENETFD.sys
    2008-11-22 16:29 21,760 ----a-r c:\windows\system32\drivers\nv_agp.SYS
    2008-11-22 16:29 191,232 ----a-r c:\windows\system32\drivers\nvsnpu.sys
    2008-11-22 16:29 12,928 ----a-r c:\windows\system32\drivers\nvnetbus.sys
    2008-09-12 08:15 353,246,365 ----a-w c:\program files\SpaceRangers2_Setup-2.bin
    2008-09-12 04:37 989,575,552 ----a-w c:\program files\SpaceRangers2_Setup-1.bin
    2008-09-11 20:07 423,937 ----a-w c:\program files\SpaceRangers2_Setup.exe
    2007-02-19 15:25 40,973 -c--a-w c:\documents and settings\Incomplete\downloads.dat
    2003-07-17 17:26 448,640 -c--a-w c:\windows\inf\EL2K_N64.sys
    2003-07-17 17:22 147,328 -c--a-w c:\windows\inf\EL2K_XP.sys
    2003-06-03 22:47 147,328 -c--a-w c:\windows\inf\EL2K_2K.sys
    2006-10-18 15:03 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012006101820061019\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
    "igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-01-11 972432]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-06 718704]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
    "NVRaidService"="c:\windows\System32\nvraidservice.exe" [2008-11-22 83968]
    "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
    "Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
    "nwiz"="nwiz.exe" [2006-08-11 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=ognafy.dll wnzyke.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.divxa32"= msaud32_divx.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "47851:UDP"= 47851:UDP:ryzom
    "5000:UDP"= 5000:UDP:azureus

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2003-12-12 77312]
    R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-15 99376]
    R4 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2006-04-24 3744]
    R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
    R4 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2006-04-24 3904]
    R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-08 356920]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-07 33752]
    S3 UCORESYS;UCORESYS;\??\c:\documents and settings\Chad\Local Settings\Temp\UCORESYS.SYS --> c:\documents and settings\Chad\Local Settings\Temp\UCORESYS.SYS [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-07 c:\windows\Tasks\At1.job
    - c:\program files\norton pc checkup\pc_checkup.exe []

    2009-01-05 c:\windows\Tasks\At2.job
    - c:\program files\norton pc checkup\pc_checkup.exe []

    2009-01-08 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Chad.job
    - c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 07:05]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{1D19E510-20D6-4D7A-9DBD-A24A1706EC34} - (no file)
    BHO-{23676E37-C9D9-4A8F-B533-EE041B60BE7D} - (no file)
    BHO-{6351FA77-2E74-4A99-8953-F6297DE71BD0} - (no file)
    BHO-{726CF4BF-A037-4AB5-B038-5D94A5EAB4D0} - (no file)
    Notify-rqRHxywX - rqRHxywX.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Trusted Zone: update.microsoft.com
    Trusted Zone: download.windowsupdate.com

    O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    FF - ProfilePath - c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\kb6wk80r.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - plugin: c:\documents and settings\Chad\Application Data\Mozilla\Firefox\Profiles\kb6wk80r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
    FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-09 13:58:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1409082233-1500820517-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*NULL*]
    "??"=hex:8d,e1,5c,45,21,03,3b,54,6d,91,3c,f6,f0,1a,20,27,1e,02,54,b1,d0,df,fd,
    88,78,be,3c,ca,94,a0,1e,5a,f1,aa,70,95,ec,17,e1,01,da,f0,1d,23,62,a2,23,1e,\
    "??"=hex:1e,db,c9,00,06,e0,bd,5a,98,8c,d9,e5,9e,ca,6c,82

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):e3,a3,cb,26,8d,50,80,98,36,c6,9a,a1,fb,04,6a,15,e9,b9,10,ca,4d,
    78,fb,a8,f0,cf,bd,03,d8,93,f2,ec,fd,3f,a0,63,23,97,b3,91,00,00,00,00,00,00,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{faea7642-bd95-4af3-af14-884a92b677b6}]
    @Denied: (Full) (Everyone)
    "Model"=dword:000000a5
    "Therad"=dword:00000022
    "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
    38,95,44,85,b1,12,f9,90,dd,23,a1,a3,4d,8a,86,a6,1f,8c,ed,c4,9f,27,cf,25,5d,\

    [HKEY_LOCAL_MACHINE\software\Classes\htafile\CLSID]
    @DACL=(02 0000)
    @="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\nexon\Mabinogi\npkcmsvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Spyware Doctor\pctsSvc.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-09 14:03:13 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-09 21:03:08

    Pre-Run: 18,812,428,288 bytes free
    Post-Run: 18,876,506,112 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    463 --- E O F --- 2008-12-12 18:20:03
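
    The script below is an added triage example, not part of the original post and not a ComboFix feature. It walks ComboFix-style log text and flags the persistence points that stand out in the log above: the AppInit_DLLs injection entry, the orphaned Winlogon Notify package, Security Center monitoring switched off, and system32 file names that are either in the seneka/TDSS family ComboFix itself named or have the random eight-letter shape Vundo-style droppers use. The sample lines are constructed from entries in the posted log; the random-name heuristic and the family-prefix list are assumptions for illustration, and every hit still needs an analyst's eyes (a legitimate security suite writes its own vendor subkey under Security Center\Monitoring, for example).

```python
"""Triage a ComboFix-style text log for common persistence indicators.

Heuristic, offline, read-only: it only inspects text. Sample input is
constructed from lines in the posted log, not the full log.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the posted log (raw string keeps the backslashes).
SAMPLE_LOG = r"""
c:\windows\system32\drivers\senekasbppvaiq.sys
c:\windows\system32\cbXRJBut.dll
c:\windows\system32\jfpcihdo.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\Drivers\TDSSmxfe.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ognafy.dll wnzyke.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
Notify-rqRHxywX - rqRHxywX.dll
"""

# Family prefixes taken from file names ComboFix listed in this log (assumption: list is
# illustrative, not exhaustive).
FAMILY_PREFIXES = ("seneka", "tdss")

SYSTEM32_FILE = re.compile(r"(?i)^c:\\windows\\system32\\(?:drivers\\)?([^\\]+)$")
APPINIT = re.compile(r'^"AppInit_DLLs"=(.*)$')
NOTIFY = re.compile(r"^Notify-(\S+) - (\S+)$")
CONSONANT_RUN = re.compile(r"[^aeiouAEIOU]{4}")


@dataclass(frozen=True)
class Finding:
    kind: str      # which persistence point / heuristic fired
    detail: str    # the value or path that triggered it
    line_no: int   # 1-based line in the log text


def looks_random(filename: str) -> bool:
    """Heuristic for generated names: exactly 8 letters, no digits, and either
    case changes inside the name (cbXRJBut) or a run of 4+ consonants (jfpcihdo).
    Legitimate names such as kernel32.dll (digits) or netshell.dll do not match."""
    stem = filename.rsplit(".", 1)[0]
    if not (stem.isalpha() and len(stem) == 8):
        return False
    tail = stem[1:]
    mixed_case = tail != tail.lower() and tail != tail.upper()
    return mixed_case or CONSONANT_RUN.search(stem) is not None


def triage(log_text: str) -> list[Finding]:
    """Return findings for the indicators described in the module docstring."""
    findings: list[Finding] = []
    current_key = ""  # most recent [HKEY...] header, to give values their context
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = APPINIT.match(line)
        if m:  # every DLL in AppInit_DLLs is loaded into each user32-linked process
            for dll in m.group(1).split():
                findings.append(Finding("appinit_dll", dll, n))
            continue
        if line.startswith('"DisableMonitoring"=dword:00000001'):
            if current_key.lower().endswith(r"security center\monitoring"):
                findings.append(Finding("security_center_off", current_key, n))
            else:  # vendor subkey: often legitimately set by an installed AV suite
                findings.append(Finding("security_center_vendor_override", current_key, n))
            continue
        m = NOTIFY.match(line)
        if m:  # Winlogon Notify packages run in winlogon's context at logon
            findings.append(Finding("winlogon_notify", m.group(2), n))
            continue
        m = SYSTEM32_FILE.match(line)
        if m:
            name = m.group(1)
            if name.lower().startswith(FAMILY_PREFIXES):
                findings.append(Finding("known_family_name", line, n))
            elif looks_random(name):
                findings.append(Finding("random_name", line, n))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:3}  {f.kind:32}  {f.detail}")
```

    Run against the full log text rather than the sample, the same rules pick out the `"AppInit_DLLs"=ognafy.dll wnzyke.dll` entry (ognafy.dll does not appear in the deletions list, so it is worth checking whether it still exists), the `Notify-rqRHxywX` orphan, and the seneka/TDSS driver names that survived repeated scanner runs.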

  2. #2
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Hello chadrico

    You are correct: you shouldn't run ComboFix, and you also shouldn't follow instructions given to someone else, as instructions are user-specific.

    Please see this next.

    Please follow the instructions in the above thread and then start a fresh topic with the logs required.

    Regards.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
