drozok
2008-02-20, 16:22
Hello, I have another PC on my home network that became infected with Virtumonde. Please help. Below are the HiJackThis, Karpersky, and ComboFix log files. I ran ComboFix first, then Karpersky, then HiJackThis. Thank you in advance for all your help.
ComboFix 08-02-14.1 - Daniel Rozok 2008-02-19 20:58:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -8:00]
Running from: C:\Documents and Settings\Daniel Rozok\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bcizpkiy.dllbox
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-14 21:43 . 2008-02-14 21:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-14 21:43 . 2008-02-14 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-14 21:38 . 2008-02-14 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 20:53 . 2008-02-13 20:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-13 20:53 . 2008-02-14 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-02 16:11 . 2008-02-02 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-02 16:07 . 2008-02-02 16:07 388,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\timntr.sys
2008-02-02 16:07 . 2008-02-02 16:07 99,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\snapman.sys
2008-02-02 16:07 . 2008-02-02 16:07 32,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys
2008-02-02 16:06 . 2008-02-02 16:07 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-02-02 16:06 . 2008-02-02 16:06 <DIR> d-------- C:\Program Files\Acronis
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 23:13 --------- d-----w C:\Program Files\McAfee
2008-02-15 15:31 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-02-08 02:45 --------- d-----w C:\Documents and Settings\Olivia Rozok\Application Data\U3
2008-02-07 00:35 --------- d-----w C:\Documents and Settings\Emily Rozok\Application Data\SiteAdvisor
2008-02-04 21:20 --------- d-----w C:\Documents and Settings\Olivia Rozok\Application Data\SiteAdvisor
2008-02-03 17:59 --------- d-----w C:\Documents and Settings\Elizabeth Rozok\Application Data\SiteAdvisor
2008-02-02 20:05 --------- d-----w C:\Documents and Settings\Daniel Rozok\Application Data\SiteAdvisor
2008-02-02 05:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-03 20:39 --------- d-----w C:\Documents and Settings\Olivia Rozok\Application Data\ArcSoft
2008-01-03 06:23 --------- d-----w C:\Documents and Settings\Daniel Rozok\Application Data\ArcSoft
2008-01-03 06:19 --------- d-----w C:\Program Files\Audible
2007-12-29 20:01 --------- d-----w C:\Documents and Settings\Elizabeth Rozok\Application Data\ArcSoft
2007-12-25 20:46 --------- d-----w C:\Documents and Settings\Emily Rozok\Application Data\ArcSoft
2007-12-25 20:27 --------- d-----w C:\Program Files\Best Buy Rhapsody
2007-12-25 20:25 --------- d-----w C:\Program Files\Real
2007-12-25 20:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 20:19 --------- d-----w C:\Program Files\Common Files\ArcSoft
2007-12-25 20:19 --------- d-----w C:\Program Files\ArcSoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-07 14:37 3,059,200 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-12-07 01:07 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-12-07 01:07 615,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-12-07 01:07 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-12-07 01:07 532,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-12-07 01:07 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-12-07 01:07 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-12-07 01:07 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-12-07 01:07 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-12-07 01:07 251,392 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-12-07 01:07 205,312 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-12-07 01:07 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-12-07 01:07 151,040 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-12-07 01:07 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-12-07 01:07 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-12-07 01:07 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-12-07 01:07 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-12-06 13:07 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 13:55 3096576]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 16:47 204800]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 07:05 53248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-21 14:00 185896]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 07:42 36904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-06-30 06:31 1106386]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-06-29 19:06 1848150]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-29 19:06 126976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcizpkiy]
bcizpkiy.dll
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 04:47:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-15 09:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 21:03:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-19 21:08:54
ComboFix-quarantined-files.txt 2008-02-20 05:08:51
ComboFix2.txt 2008-02-15 05:30:50
.
2008-02-14 08:32:32 --- E O F ---
ComboFix 08-02-14.1 - Daniel Rozok 2008-02-19 20:58:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.176 [GMT -8:00]
Running from: C:\Documents and Settings\Daniel Rozok\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bcizpkiy.dllbox
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-14 21:43 . 2008-02-14 21:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-14 21:43 . 2008-02-14 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-14 21:38 . 2008-02-14 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-13 20:53 . 2008-02-13 20:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-13 20:53 . 2008-02-14 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-02 16:11 . 2008-02-02 16:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-02 16:07 . 2008-02-02 16:07 388,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\timntr.sys
2008-02-02 16:07 . 2008-02-02 16:07 99,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\snapman.sys
2008-02-02 16:07 . 2008-02-02 16:07 32,288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tifsfilt.sys
2008-02-02 16:06 . 2008-02-02 16:07 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-02-02 16:06 . 2008-02-02 16:06 <DIR> d-------- C:\Program Files\Acronis
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 23:13 --------- d-----w C:\Program Files\McAfee
2008-02-15 15:31 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-02-08 02:45 --------- d-----w C:\Documents and Settings\Olivia Rozok\Application Data\U3
2008-02-07 00:35 --------- d-----w C:\Documents and Settings\Emily Rozok\Application Data\SiteAdvisor
2008-02-04 21:20 --------- d-----w C:\Documents and Settings\Olivia Rozok\Application Data\SiteAdvisor
2008-02-03 17:59 --------- d-----w C:\Documents and Settings\Elizabeth Rozok\Application Data\SiteAdvisor
2008-02-02 20:05 --------- d-----w C:\Documents and Settings\Daniel Rozok\Application Data\SiteAdvisor
2008-02-02 05:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-03 20:39 --------- d-----w C:\Documents and Settings\Olivia Rozok\Application Data\ArcSoft
2008-01-03 06:23 --------- d-----w C:\Documents and Settings\Daniel Rozok\Application Data\ArcSoft
2008-01-03 06:19 --------- d-----w C:\Program Files\Audible
2007-12-29 20:01 --------- d-----w C:\Documents and Settings\Elizabeth Rozok\Application Data\ArcSoft
2007-12-25 20:46 --------- d-----w C:\Documents and Settings\Emily Rozok\Application Data\ArcSoft
2007-12-25 20:27 --------- d-----w C:\Program Files\Best Buy Rhapsody
2007-12-25 20:25 --------- d-----w C:\Program Files\Real
2007-12-25 20:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 20:19 --------- d-----w C:\Program Files\Common Files\ArcSoft
2007-12-25 20:19 --------- d-----w C:\Program Files\ArcSoft
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-07 14:37 3,059,200 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-12-07 01:07 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-12-07 01:07 615,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-12-07 01:07 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-12-07 01:07 532,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-12-07 01:07 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-12-07 01:07 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-12-07 01:07 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-12-07 01:07 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-12-07 01:07 251,392 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-12-07 01:07 205,312 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-12-07 01:07 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-12-07 01:07 151,040 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-12-07 01:07 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-12-07 01:07 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-12-07 01:07 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-12-07 01:07 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-12-06 13:07 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 13:55 3096576]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 16:47 204800]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 07:05 53248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-21 14:00 185896]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 07:42 36904]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42 267064]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-06-30 06:31 1106386]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-06-29 19:06 1848150]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-06-29 19:06 126976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcizpkiy]
bcizpkiy.dll
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 04:47:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-15 09:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 21:03:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-19 21:08:54
ComboFix-quarantined-files.txt 2008-02-20 05:08:51
ComboFix2.txt 2008-02-15 05:30:50
.
2008-02-14 08:32:32 --- E O F ---