PDA

View Full Version : Virtumonde.crack ComboFix Log


coultshe
2008-01-14, 01:42
Hello! I did the combofix and the log follows. Thanks for helping me get rid of this thing! I'll be waiting to hear from you for the next step!

ComboFix 08-01-14.1 - Sherry 2008-01-13 17:06:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.150 [GMT -5:00]
Running from: C:\Documents and Settings\Sherry\Local Settings\Temporary Internet Files\Content.IE5\LF8IC4R4\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ymbols~1
C:\Program Files\ymbols~1\?ymbols\
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\fflkkclk.ini
C:\WINDOWS\system32\gikkj.ini
C:\WINDOWS\system32\gikkj.ini2
C:\WINDOWS\system32\mkxheetd.ini
C:\WINDOWS\system32\msacm32.drv
C:\WINDOWS\system32\mvthvqti.ini
C:\WINDOWS\system32\nuinopsd
C:\WINDOWS\system32\nuinopsd\bg1.gif
C:\WINDOWS\system32\nuinopsd\bgtop.gif
C:\WINDOWS\system32\nuinopsd\bottom1.gif
C:\WINDOWS\system32\nuinopsd\essentials.gif
C:\WINDOWS\system32\nuinopsd\icon1.ico
C:\WINDOWS\system32\nuinopsd\install1.gif
C:\WINDOWS\system32\nuinopsd\left1.gif
C:\WINDOWS\system32\nuinopsd\li.gif
C:\WINDOWS\system32\nuinopsd\logo.gif
C:\WINDOWS\system32\nuinopsd\main.htm
C:\WINDOWS\system32\nuinopsd\mainframe.htm
C:\WINDOWS\system32\nuinopsd\reinstall1.gif
C:\WINDOWS\system32\nuinopsd\right1.gif
C:\WINDOWS\system32\nuinopsd\s1.htm
C:\WINDOWS\system32\nuinopsd\s2.htm
C:\WINDOWS\system32\nuinopsd\s3.htm
C:\WINDOWS\system32\nuinopsd\SMTop1.gif
C:\WINDOWS\system32\nuinopsd\SMTop2.gif
C:\WINDOWS\system32\nuinopsd\SMTop3.gif
C:\WINDOWS\system32\nuinopsd\SMTop4.gif
C:\WINDOWS\system32\nuinopsd\soft1_off.gif
C:\WINDOWS\system32\nuinopsd\soft1_off_ext.gif
C:\WINDOWS\system32\nuinopsd\soft1_on.gif
C:\WINDOWS\system32\nuinopsd\soft1_on_ext.gif
C:\WINDOWS\system32\nuinopsd\soft2_off.gif
C:\WINDOWS\system32\nuinopsd\soft2_off_ext.gif
C:\WINDOWS\system32\nuinopsd\soft2_on.gif
C:\WINDOWS\system32\nuinopsd\soft2_on_ext.gif
C:\WINDOWS\system32\nuinopsd\soft3_off.gif
C:\WINDOWS\system32\nuinopsd\soft3_off_ext.gif
C:\WINDOWS\system32\nuinopsd\soft3_on.gif
C:\WINDOWS\system32\nuinopsd\soft3_on_ext.gif
C:\WINDOWS\system32\nuinopsd\softbottom_off.gif
C:\WINDOWS\system32\nuinopsd\softbottom_on.gif
C:\WINDOWS\system32\nuinopsd\softleft_off.gif
C:\WINDOWS\system32\nuinopsd\softleft_on.gif
C:\WINDOWS\system32\nuinopsd\top1.gif
C:\WINDOWS\system32\nuinopsd\top2.gif
C:\WINDOWS\system32\nuinopsd\turnoff1.gif
C:\WINDOWS\system32\nuinopsd\turnon1.gif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 17:05 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-11 21:55 . 2008-01-11 21:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 18:59 . 2004-02-27 07:04 38,771 --------- C:\WINDOWS\hpomdl03.dat
2008-01-11 18:59 . 2008-01-11 19:04 29,744 --------- C:\WINDOWS\hpoins03.dat
2008-01-08 20:15 . 2008-01-08 20:15 1,355 --a------ C:\WINDOWS\imsins.BAK
2007-12-19 15:14 . 2004-02-27 07:04 38,771 --------- C:\WINDOWS\hpomdl03.dat.temp
2007-12-19 15:14 . 2008-01-11 19:04 29,744 --------- C:\WINDOWS\hpoins03.dat.temp
2007-12-14 12:10 . 2007-12-14 12:10 <DIR> d-------- C:\Documents and Settings\Sherry\Application Data\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 22:13 --------- d-----w C:\Documents and Settings\Sherry\Application Data\AVG7
2007-12-18 03:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-16 22:20 --------- d-----w C:\Documents and Settings\Sherry\Application Data\U3
2007-12-13 17:41 --------- d-----w C:\Documents and Settings\Sherry\Application Data\Yahoo!
2007-12-13 17:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-12-13 17:40 --------- d-----w C:\Program Files\Yahoo!
2007-12-12 14:25 --------- d-----w C:\Program Files\Symantec
2007-12-12 04:05 --------- d-----w C:\Program Files\cnyhgzmb
2007-12-12 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-12 02:59 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-12 02:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-12 02:38 --------- d-----w C:\Program Files\Nikmboik
2007-12-12 02:25 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-12 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-12 02:22 44,288 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-07 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-02 16:18 --------- d-----w C:\Program Files\Support and Movement
2007-11-26 04:03 --------- d-----w C:\Program Files\Ad-Aware 2007
2007-11-20 22:43 --------- d-----w C:\Program Files\Replay Media Catcher
2007-11-16 02:35 --------- d-----w C:\Program Files\WinAce
2007-11-14 00:35 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-11-14 00:34 3,928,264 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-11-14 00:34 --------- d-----w C:\Documents and Settings\Sherry\Application Data\GetRightToGo
2007-11-14 00:33 411,248 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-11-14 00:32 --------- d-----w C:\Program Files\FLV Player
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CF46468-AC82-9EC5-5B79-008AA7762D88}]
C:\Program Files\Nikmboik\vevcpttt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4014F1AF-75BB-492E-9D19-4E6572A00805}]
C:\WINDOWS\system32\jkkig.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c933359d-b1c6-4226-a8b5-f56d6d57c05e}]
C:\WINDOWS\system32\nobrdjst.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Sonic RecordNow!"="" []
"Magentic"="C:\PROGRA~1\Magentic\bin\Magentic.exe" [2007-09-03 14:25 475180]
"Eprc"="C:\PROGRA~1\YMBOLS~1\ping.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 11:31 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 11:27 126976]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 17:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 17:26 688218]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-14 18:12 368640]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 88363 C:\WINDOWS\agrsmmsg.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 18:03 135168]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 20:57 73728]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 16:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 11:27 860160]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 03:05 122939]
"TFncKy"="TFncKy.exe" []
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 13:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 13:31 356352]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2001-03-02 21:26 7680]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 16:28 49152]
"DXDllRegExe"="dxdllreg.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-16 00:30 98304]
"b4bda793"="C:\WINDOWS\system32\dteehxkm.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 09:13 579072]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-11 21:25 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-07 18:09:51]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 04:19:24]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 13:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhifd]
mljhifd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winqao32]
winqao32.dll

S3 NRKCTL32;NRKCTL32;C:\Temp\WcpuID\NRKCTL32.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - HTTPFILTER
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 17:14:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-14 17:18:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 22:17:55
.
2008-01-09 01:17:57 --- E O F ---
Shaba
2008-01-14, 13:13
Hi coultshe and welcome to Safer Networking Forums

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Shaba
2008-01-19, 12:28
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.