help me ---- virtumonde



damnthenet
2007-08-08, 14:59
Spybot S&D finds something as virtumonde that exists even after removal.... I created this log....
Please someone help me out.


ComboFix 07-08-07.6 - "Daniel Moses" 2007-08-08 18:21:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.577 [GMT 5.5:30]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\DANIEL~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\RBGTC6KC\www.broadcaster.com
C:\DOCUME~1\DANIEL~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\DANIEL~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\instcat.dll


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-08 18:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 19:15 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-08-06 20:44 <DIR> d-------- C:\Program Files\Managed DirectX (0901)
2007-08-03 20:54 <DIR> d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\Reallusion
2007-08-03 20:47 <DIR> d-------- C:\Program Files\Common Files\Reallusion
2007-07-30 19:12 <DIR> d-------- C:\UninstNIITCourseware
2007-07-30 19:12 <DIR> d-------- C:\Program Files\Learning
2007-07-28 14:17 <DIR> d-------- C:\DOCUME~1\JOHNKE~1\APPLIC~1\Real
2007-07-28 13:38 <DIR> d-------- C:\DOCUME~1\JOHNKE~1\APPLIC~1\Ahead
2007-07-28 11:17 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-28 10:45 <DIR> d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\yamaha
2007-07-28 10:14 <DIR> d-------- C:\Program Files\Sibelius Software
2007-07-28 10:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yamaha
2007-07-27 19:32 <DIR> d-------- C:\Program Files\Google
2007-07-27 19:23 <DIR> d-------- C:\DOCUME~1\DANIEL~1\Contacts
2007-07-27 19:22 <DIR> d-------- C:\Program Files\MSN Messenger
2007-07-27 19:09 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-24 20:37 <DIR> d-------- C:\DOCUME~1\JOHNKE~1\APPLIC~1\WinRAR
2007-07-24 19:38 <DIR> d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\CyberLink
2007-07-24 19:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-07-24 19:37 <DIR> d-------- C:\Program Files\Cyberlink
2007-07-24 19:36 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2007-07-19 14:53 <DIR> d-------- C:\DOCUME~1\JOHNKE~1\APPLIC~1\ZapSpot
2007-07-17 12:39 <DIR> d-------- C:\DOCUME~1\JOHNKE~1\APPLIC~1\Broadband
2007-07-17 12:35 <DIR> d-------- C:\DOCUME~1\JOHNKE~1\APPLIC~1\Intel
2007-07-17 12:34 3,670,016 --ah----- C:\DOCUME~1\JOHNKE~1\NTUSER.DAT
2007-07-12 21:29 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-12 21:28 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-12 21:28 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-12 21:22 <DIR> d--h----- C:\WINDOWS\system32\CyberInstallerUninstallerSystem
2007-07-12 21:03 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2007-07-12 21:03 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-07-12 21:03 15,360 --a--c--- C:\WINDOWS\system32\dllcache\streamip.sys
2007-07-12 21:03 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-07-12 21:03 11,136 --a--c--- C:\WINDOWS\system32\dllcache\slip.sys
2007-07-12 21:03 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-07-12 21:03 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2007-07-12 21:03 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-07-12 21:02 85,376 --a--c--- C:\WINDOWS\system32\dllcache\nabtsfec.sys
2007-07-12 21:02 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-07-12 21:02 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-07-12 21:02 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-07-12 21:02 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-07-12 21:02 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-07-12 21:02 17,024 --a--c--- C:\WINDOWS\system32\dllcache\ccdecode.sys
2007-07-12 21:02 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-07-12 21:00 88,497 --------- C:\WINDOWS\system32\drivers\larganv.sys
2007-07-12 21:00 376,320 --------- C:\WINDOWS\unchdrv.exe
2007-07-12 21:00 11,802 --------- C:\WINDOWS\system32\drivers\largan.sys
2007-07-12 21:00 <DIR> d-------- C:\Chameleon


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 18:22 --------- d-------- C:\Program Files\Sify Broadband
2007-08-08 18:07 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\Broadband
2007-08-04 11:27 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-17 11:30 614 --a------ C:\WINDOWS\eReg.dat
2007-07-12 21:32 --------- d-------- C:\Program Files\MSBuild
2007-07-01 15:54 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\Microsoft Games
2007-06-30 19:54 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\ZapSpot
2007-06-19 20:27 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\My Games
2007-06-19 20:24 --------- d-------- C:\Program Files\Firaxis Games
2007-06-18 23:31 1901 --a------ C:\WINDOWS\panose.bin
2007-06-18 19:50 883599 ---hs---- C:\WINDOWS\system32\onnmp.bak2
2007-06-15 15:46 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-14 11:11 6528 ---hs---- C:\WINDOWS\system32\onnmp.bak1
2007-06-14 11:03 1281 --a------ C:\DOCUME~1\DANIEL~1\APPLIC~1\FNTCACHE.BIN
2007-06-14 11:01 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\Opera
2007-06-14 10:38 --------- d-------- C:\Program Files\Common Files\Vbox
2007-06-14 10:21 --------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-06-13 19:37 --------- d-------- C:\Program Files\Microsoft Works
2007-06-13 14:42 --------- d-------- C:\Program Files\SOFTWARE
2007-06-13 12:17 --------- d-------- C:\Program Files\JavaSoft
2007-06-13 11:54 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\Real
2007-06-12 16:29 --------- d-------- C:\Program Files\Trend Micro
2007-06-12 16:25 --------- d-------- C:\Program Files\Common Files\SpeechEngines
2007-06-12 16:25 --------- d-------- C:\Program Files\Common Files\ODBC
2007-06-12 15:46 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\WinRAR
2007-06-12 15:17 --------- d-------- C:\Program Files\Windows Media Components
2007-06-12 15:11 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-06-12 15:03 --------- d-------- C:\Program Files\Common Files\SWF Studio
2007-06-12 12:07 --------- d-------- C:\Program Files\Real
2007-06-12 12:07 --------- d-------- C:\Program Files\Common Files\Real
2007-06-12 12:06 --------- d-------- C:\Program Files\Logitech
2007-06-12 12:06 --------- d-------- C:\Program Files\Common Files\Logitech
2007-06-12 11:57 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\Ahead
2007-06-12 11:56 --------- d-------- C:\Program Files\Common Files\Ahead
2007-06-12 11:39 --------- d-------- C:\Program Files\InterVideo Information Service
2007-06-12 11:39 --------- d-------- C:\Program Files\InterVideo
2007-06-12 11:39 --------- d-------- C:\Program Files\Intel
2007-06-12 11:39 --------- d-------- C:\Program Files\Common Files\Ulead Systems
2007-06-12 11:39 --------- d-------- C:\Program Files\Common Files\InterVideo
2007-06-12 11:39 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-06-12 11:39 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\InterVideo
2007-06-12 11:39 --------- d-------- C:\DOCUME~1\DANIEL~1\APPLIC~1\Intel
2007-06-12 11:28 --------- d-------- C:\Program Files\Intel Audio Studio
2007-06-12 11:27 --------- d-------- C:\Program Files\SigmaTel
2007-06-12 11:20 --------- d-------- C:\Program Files\MSXML 4.0
2007-06-12 11:16 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-06-12 11:09 0 -rahs---- C:\MSDOS.SYS
2007-06-12 11:09 0 -rahs---- C:\IO.SYS
2007-06-12 11:09 0 --a------ C:\CONFIG.SYS
2007-06-12 11:09 0 --a------ C:\AUTOEXEC.BAT
2007-06-12 11:09 --------- d-------- C:\Program Files\microsoft frontpage
2007-06-12 11:08 --------- d--h----- C:\Program Files\WindowsUpdate
2007-06-12 11:07 --------- d-------- C:\Program Files\Movie Maker
2007-06-12 11:07 --------- d-------- C:\Program Files\Common Files\MSSoap
2007-06-12 11:06 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-06-12 11:06 --------- d-------- C:\Program Files\Windows NT
2007-06-12 11:06 --------- d-------- C:\Program Files\Online Services
2007-06-12 11:06 --------- d-------- C:\Program Files\MSN Gaming Zone
2007-06-12 11:06 --------- d-------- C:\Program Files\Messenger


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E58FB61-9E0D-4167-9475-C48F7A270E5E}]
C:\WINDOWS\system32\pmnno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E073AC78-2B55-4449-A82F-B7FB0BD229BF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-03-02 14:08]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-03-02 14:08]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 10:36]
"ipTray.exe"="C:\Program Files\Intel\IDU\iptray.exe" [2006-09-11 17:50]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 16:16]
"GrooveMonitor"="C:\Program Files\SOFTWARE\Office\MSOffice 2007\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-30 16:48]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-03-02 14:08]
"NWEReboot"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:26]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04]
"SpybotSD TeaTimer"="C:\Program Files\SOFTWARE\System\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\Documents and Settings\Daniel Moses\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
Chameleon Monitor.lnk - C:\Chameleon\app\cmonitor.exe [2007-07-12 21:00:11]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\SOFTWARE\Office\MSOffice 2007\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\@ðø€]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljkhge]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\p (€]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnno]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GYM-O-FIZZ.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GYM-O-FIZZ.lnk
backup=C:\WINDOWS\pss\GYM-O-FIZZ.lnkCommon Startup

R0 imagedrv;imagedrv;C:\WINDOWS\system32\Drivers\imagedrv.sys
R0 imagesrv;imagesrv;C:\WINDOWS\system32\DRIVERS\imagesrv.sys
R2 ntrtscan;OfficeScanNT RealTime Scan;"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 TmFilter;Trend Micro Filter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
R2 tmlisten;OfficeScanNT Listener;"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"
R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
R2 VSApiNt;Trend Micro VSAPI NT;\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 HECI;Intel(R) Management Engine Interface;C:\WINDOWS\system32\DRIVERS\HECI.sys
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
R3 Iviaspi;IVI ASPI Shell;C:\WINDOWS\system32\drivers\iviaspi.sys
R3 sfng32;Sonic Focus Plugin for Sigmatel HDA;C:\WINDOWS\system32\drivers\sfng32.sys
R3 SMBios;Intel (R) System Management BIOS Service;C:\WINDOWS\system32\DRIVERS\SMBios.sys
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\system32\DRIVERS\intelsmb.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S2 LARGAN;Largan.sys Digital Still Camera;C:\WINDOWS\system32\Drivers\largan.sys
S2 LARGANV;LARGAN Chameleon Video Camera;C:\WINDOWS\system32\DRIVERS\larganv.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service;"C:\Program Files\SOFTWARE\Office\MSOffice 2007\Office12\GrooveAuditService.exe"
S3 odserv;Microsoft Office Diagnostics Service;"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"


Contents of the 'Scheduled Tasks' folder
2007-06-17 17:32:23 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 18:24:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 18:25:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 18:25

--- E O F ---

tashi
2007-08-08, 16:54
Hello.

I think you missed the information in the link I gave here: http://forums.spybot.info/showthread.php?t=16649

In this malware forum we ask for a HJT log and the results of an on-line anti virus scan. "BEFORE you POST" (READ this Procedure before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Previously I asked in the other forum topic if Spybot-S&D had been run in safe mode, which is also part of the procedure in this forum's sticky topic. ;)

tashi
2007-08-20, 23:23
Due to lack of feedback this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.