virtumonde kicking my butt, logs from combo fix any help reading this would be great



rspreston63
2010-02-06, 07:15
ComboFix 10-02-05.02 - OD 02/05/2010 19:15:46.2.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.379 [GMT -8:00]
Running from: c:\users\OD\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-02-06 03:31 . 2010-02-06 03:31 -------- d-----w- c:\users\Tesa\AppData\Local\temp
2010-02-06 03:31 . 2010-02-06 03:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-06 03:31 . 2010-02-06 03:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-01 02:15 . 2010-02-05 04:37 -------- d-----w- c:\program files\iPod(78)
2010-02-01 02:15 . 2010-02-01 02:17 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-01 02:15 . 2010-02-01 02:17 -------- d-----w- c:\program files\iTunes(79)
2010-02-01 01:43 . 2010-02-05 04:37 -------- d-----w- c:\program files\Bonjour(2)
2010-01-28 04:49 . 2010-01-28 04:49 -------- d-----w- c:\users\Tesa\AppData\Roaming\EPSON
2010-01-13 14:34 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 14:34 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-10 20:18 . 2010-01-10 20:18 -------- d-----w- c:\users\OD\AppData\Roaming\GARMIN
2010-01-10 20:02 . 2010-01-10 20:02 -------- d-----w- c:\programdata\UAB
2010-01-10 20:01 . 2010-01-10 20:01 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2010-01-10 20:01 . 2010-01-10 20:01 -------- d-----w- c:\users\OD\AppData\Local\PC_Drivers_Headquarters
2010-01-10 19:56 . 2010-01-10 19:56 -------- d-----w- c:\program files\PC Drivers HeadQuarters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 04:34 . 2008-11-23 20:12 -------- d-----w- c:\program files\Safari
2010-02-05 04:34 . 2008-11-23 20:02 -------- d-----w- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2010-02-05 04:34 . 2008-03-15 17:24 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-05 04:34 . 2008-11-23 20:00 -------- d-----w- c:\program files\QuickTime
2010-02-05 04:34 . 2008-11-23 20:02 -------- d-----w- c:\program files\iTunes
2010-02-05 04:33 . 2008-11-23 20:02 -------- d-----w- c:\program files\iPod
2010-02-05 04:33 . 2008-09-19 03:23 -------- d-----w- c:\program files\Bonjour
2010-02-05 04:33 . 2008-01-13 01:44 -------- d-----w- c:\program files\Common Files\Apple
2010-02-05 03:33 . 2007-07-08 19:49 70176 ----a-w- c:\users\OD\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-05 02:17 . 2009-01-08 03:35 1356 ----a-w- c:\users\Tesa\AppData\Local\d3d9caps.dat
2010-02-01 02:34 . 2008-01-13 18:59 -------- d-----w- c:\users\Tesa\AppData\Roaming\Apple Computer
2010-01-23 20:35 . 2007-11-27 00:25 70176 ----a-w- c:\users\Tesa\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-20 22:24 . 2008-07-11 01:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 23:22 . 2007-05-15 22:35 -------- d-----w- c:\programdata\Microsoft Help
2010-01-14 19:12 . 2009-10-21 02:22 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 11:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-02 06:38 . 2010-01-21 23:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 23:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 23:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 23:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 04:31 . 2009-12-31 04:31 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-12-31 04:29 . 2009-12-31 04:29 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-12-31 04:26 . 2009-12-31 04:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-12-31 04:26 . 2009-12-31 04:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-12-01 06:08 . 2007-07-24 22:58 12884 ----a-w- c:\users\OD\AppData\Roaming\nvModes.dat
2009-12-01 04:12 . 2007-11-27 22:32 12978 ----a-w- c:\users\Tesa\AppData\Roaming\nvModes.dat
2009-11-09 12:31 . 2009-12-13 02:44 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-13 02:44 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-13 02:44 411648 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\users\Tesa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\OD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):76,ce,bd,43,b8,31,ca,01

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/4/2008 4:13 PM 1153368]
R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\System32\drivers\RTL85n86.sys [5/9/2008 6:30 AM 363008]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [9/15/2008 8:41 PM 21504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/15/2007 2:39 PM 29744]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 2:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-03-15 23:31]

2010-02-05 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-15 23:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3421
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 19:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-05 19:40:31
ComboFix-quarantined-files.txt 2010-02-06 03:40
ComboFix2.txt 2010-02-06 02:00

Pre-Run: 58,574,061,568 bytes free
Post-Run: 58,324,770,816 bytes free

- - End Of File - - 2D7879DA0E8E98C18D675DC2E1269280
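As an added example, not part of the poster's log or the forum reply, here is a small Python script that pulls the "Reg Loading Points" section of a ComboFix log apart and flags the entries an analyst looks at first: Security Center "Override" and "DisableMonitoring" values set to 1 (these suppress the Security Center's missing-antivirus warnings; the log above sets them for McAfee products that appear nowhere else in the log), a non-empty AppInit_DLLs value (a DLL loaded into every process that links user32.dll), and any Run entry that launches from a user-writable directory. The sample input is a constructed, abbreviated excerpt of the log above; the heuristics and the `review_loading_points` function are this example's own, not ComboFix's.

```python
import re
from typing import List, Tuple

# Constructed sample: abbreviated excerpt of the "Reg Loading Points" section of the
# ComboFix log posted above. Not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"VistaSp2"=hex(b):76,ce,bd,43,b8,31,ca,01
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")          # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')  # "Name"=data
# Directories a normal user can write to; autostarts from here deserve a second look.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata)\\", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (finding kind, registry key, name or path)


def parse_reg_section(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, name, value) triples from ComboFix's REGEDIT4-style dump."""
    key = None
    triples = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            triples.append((key, m.group("name"), m.group("value")))
    return triples


def _is_dword_one(value: str) -> bool:
    return value.strip().lower() == "dword:00000001"


def _run_entry_path(value: str) -> str:
    # Run values look like "c:\path\prog.exe" [date size]; unquoted ones are path then args.
    if value.startswith('"'):
        return value.split('"')[1]
    return value.split(" [")[0].strip()


def review_loading_points(text: str) -> List[Finding]:
    """Apply the example's heuristics to a Reg Loading Points section."""
    findings: List[Finding] = []
    for key, name, value in parse_reg_section(text):
        k = key.lower()
        if k.endswith("\\security center\\svc") and name.endswith("Override") and _is_dword_one(value):
            # AntiVirusOverride / AntiSpywareOverride / FirewallOverride = 1
            findings.append(("security-center-override", key, name))
        elif "\\security center\\monitoring\\" in k and name == "DisableMonitoring" and _is_dword_one(value):
            findings.append(("security-center-monitoring-disabled", key, name))
        elif name == "AppInit_DLLs" and value.strip():
            findings.append(("appinit-dll", key, value.strip()))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            path = _run_entry_path(value)
            if USER_WRITABLE_RE.search(path):
                findings.append(("run-entry-in-user-writable-dir", key, path))
    return findings


if __name__ == "__main__":
    for kind, key, detail in review_loading_points(SAMPLE_LOG):
        print(f"{kind:40} {key}\n{'':40}   {detail}")
```

Each finding is a starting point for a question, not a verdict: a Security Center override is also left behind by a clumsy uninstall, and the AppInit_DLLs entry here points at a Google Desktop component. The value of the script is that it turns a 200-line log into the handful of lines worth discussing with whoever is helping.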

tashi
2010-02-06, 07:28
Hello rspreston63,

Please see these sticky topics:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806)
Then start a new topic providing the HJT log only with a link back to this thread.

Best regards. :)