View Full Version : Another Virtumonde victim



kareemq
2008-06-12, 16:38
Hi Security Gurus,

Please help. Ran Spybot and found that my comp has been infected with the Virtumonde trojan. As per the earlier threads I have run ComboFix. Please find the log below. Please HELP!!!
Awaiting further instructions.

--------------------------------------------
ComboFix 08-06-10.5 - Administrator 2008-06-12 22:59:31.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM931dec51.xml
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cbXRHyXN.dll
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\iiffFxYr.dll
C:\WINDOWS\system32\khfGyvuV.dll
C:\WINDOWS\system32\KTwFLkkj.ini
C:\WINDOWS\system32\KTwFLkkj.ini2
C:\WINDOWS\system32\lkcnjget.dll
C:\WINDOWS\system32\lqgmlmtt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\vrnsrnyy.ini
C:\WINDOWS\system32\yynrsnrv.dll

----- BITS: Possible infected sites -----

hxxp://BLRKECSMSSS1.AD.INFOSYS.COM
.
((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.

2008-06-12 19:19 . 2008-06-12 19:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-12 19:19 . 2008-06-12 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-11 23:26 . 2008-06-11 23:27 <DIR> d-------- C:\Program Files\Acro Software
2008-06-11 23:06 . 2008-06-12 22:17 349,184 --a------ C:\WINDOWS\system32\jkkLFwTK.dll_old
2008-06-11 00:32 . 2008-06-11 00:32 <DIR> d-------- C:\Program Files\uTorrent
2008-06-11 00:32 . 2008-06-12 00:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-11 00:16 . 2008-06-11 00:16 <DIR> d-------- C:\WINDOWS\Cache
2008-05-25 11:23 . 2008-05-25 11:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\eRoom
2008-05-25 11:22 . 2008-05-25 11:22 <DIR> d-------- C:\Program Files\eRoom 7
2008-05-24 23:19 . 2008-05-24 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-05-24 23:19 . 2008-05-24 23:19 <DIR> d-------- C:\Documents and Settings\Administrator\LocalLow

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 12:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3
2008-06-11 13:43 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-20 10:06 94,208 ----a-w C:\WINDOWS\DLL107.TMP
2008-05-08 08:48 --------- d-----w C:\Program Files\AAPT Dial-up Configuration Wizard
2008-05-04 06:58 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-04 06:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-04 06:38 --------- d-----w C:\Program Files\CheckPoint
2008-05-04 06:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CheckPoint
2008-01-29 10:01 560 ----a-w C:\Documents and Settings\Administrator\Application Data\ViewerApp.dat
2008-01-23 11:33 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\inst.exe
2008-01-23 11:33 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
2007-08-05 08:57 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLea.DAT
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 504,080 2004-04-06 11:44:48 C:\Program Files\CA\eTrust Antivirus\bak\realmon.exe

----a-w 180,269 2006-06-19 21:09:26 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 492,032 2006-09-25 15:24:53 C:\Program Files\SlySoft\AnyDVD\bak\AnyDVD.exe
----a-w 492,032 2006-11-16 10:19:44 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

----a-w 495,616 2004-01-22 08:08:36 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 98,304 2004-01-22 08:09:00 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 81,920 2004-07-10 06:49:44 C:\Program Files\Toshiba\TME3\bak\TMERzCtl.EXE

----a-w 126,976 2004-11-11 18:43:56 C:\Program Files\Toshiba\TME3\bak\TMESRV31.EXE

----a-w 65,536 2003-09-05 11:24:46 C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe

----a-w 135,168 2004-09-15 23:03:08 C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe

----a-w 126,976 2003-01-22 02:00:06 C:\Program Files\Toshiba\TouchED\bak\TouchED.Exe

----a-w 49,152 2002-09-09 23:07:34 C:\Program Files\Toshiba\Wireless Hotkey\bak\TosHKCW.exe

----a-w 777,424 2006-04-04 00:12:24 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 777,424 2006-04-03 08:12:24 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 258,048 2004-06-29 01:24:28 C:\WINDOWS\system32\bak\00THotkey.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 126,976 2004-10-25 00:52:00 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2004-10-25 00:56:00 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 127,035 2004-09-28 09:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A31468B-A43B-483C-B785-95C6B6E35427}]
C:\WINDOWS\system32\jkkLFwTK.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-09-14 06:17 4621816]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [ ]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [ ]
"TosHKCW.exe"="C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [ ]
"TPSMain"="TPSMain.exe" [2004-11-09 14:30 270336 C:\WINDOWS\system32\TPSMain.exe]
"TPSODDCtl"="TPSODDCtl.exe" [2004-11-09 14:30 110592 C:\WINDOWS\system32\TPSODDCtl.exe]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.exe" [ ]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 14:38 88361 C:\WINDOWS\agrsmmsg.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"oyfef681"="w0d97381.dll" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23 75520]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-09-17 19:32 978944]
"Realtime Monitor"="C:\Program Files\CA\eTrustITM\realmon.exe" [2007-01-16 21:27 407632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-11-06 22:12 2111632]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-09-14 06:17 4621816]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-06-19 13:01 24669 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-12-11 12:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-10-24 07:18 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2004-06-28 11:22 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_09\\jre\\bin\\java.exe"=
"C:\\Program Files\\Java\\jdk1.5.0_09\\bin\\java.exe"=
"C:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"C:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"C:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"C:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"=
"C:\\Program Files\\InternetCalls.com\\InternetCalls\\InternetCalls.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Bommarillu\\mirc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-01 15:49]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-14 06:24]
R1 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-06-19 13:00]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-17 05:08]
R2 CA_LIC_CLNT;CA License Client;"C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe" [2005-01-14 22:35]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 02:50]
R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2005-06-19 13:01]
R2 LogWatch;Event Log Watch;"C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe" [2004-07-23 04:30]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2005-06-19 13:00]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-06-19 13:00]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 02:50]
S2 hpdj00;hpdj00;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpdj00.exe []
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys [2004-05-17 16:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb872900-068f-11dd-9f78-000e7b516571}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb872903-068f-11dd-9f78-000e7b516571}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-25 13:58:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-25 13:00:00 C:\WINDOWS\Tasks\Inoc Anti Virus.job"
- C:\Program Files\CA\eTrust Antivirus\InocIT.exe
"2008-05-31 15:32:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2006-08-31 01:25:04 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2006-11-12 01:27:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 23:19:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc226.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\CA\eTrustITM\Ppcl.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrustITM\Ppcl.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-12 23:25:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 13:25:30

Pre-Run: 3,164,626,944 bytes free
Post-Run: 3,704,950,784 bytes free

-------------------------------------------------------------------------
Cheers

tashi
2008-06-12, 16:45
Hello,

In order for one of our volunteer helpers to advise you, please follow the procedure in this sticky:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806 )

Start a new topic providing the HJT log and a link back to this topic. Then I will close this one as helpers look for threads without a response.

Cheers.