Virtumonde: The Evil Plague

**BoredKid** · 2009-01-06, 19:48

I have fallen victim to this as well. My CPU is far from inoperable, but it has become a nuisance. I followed the instructions on http://forums.spybot.info/showthread.php?t=42891 and here is the log from ComboFix:

ComboFix 09-01-05.05 - wstupp 2009-01-06 10:47:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1551 [GMT -6:00]
Running from: c:\documents and settings\wstupp\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\byXRkLeF.dll
c:\windows\system32\cbXPfcAp.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekajalmfynm.sys
c:\windows\system32\FeLkRXyb.ini
c:\windows\system32\FeLkRXyb.ini2
c:\windows\system32\hgGwWOfe.dll
c:\windows\system32\mdakngck.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekahgxmjdvc.dll
c:\windows\system32\senekaiyraetti.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\sinpmm.dll
c:\windows\system32\TDSSdape.dat
c:\windows\system32\TDSSgbgt.dll
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_WINDRIVER
-------\Service_WinDriver

((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-05 20:35 . 2009-01-05 20:35 95 --a------ c:\windows\wininit.ini
2009-01-05 15:40 . 2009-01-05 15:40 72,192 --a------ c:\windows\system32\hgGvtSjK.dll
2009-01-01 11:41 . 2009-01-01 11:41 <DIR> d-------- c:\program files\Common Files\Lenovo
2009-01-01 11:34 . 2009-01-01 11:34 <DIR> d-------- c:\documents and settings\wstupp\(null)
2008-12-22 08:04 . 2009-01-02 18:23 <DIR> d-------- c:\program files\CDisplay
2008-12-21 18:40 . 2008-12-21 18:43 <DIR> d-------- c:\documents and settings\wstupp\Application Data\U3
2008-12-15 16:17 . 2008-12-16 23:14 <DIR> d-------- c:\documents and settings\wstupp\Application Data\BitTorrent
2008-12-15 16:16 . 2009-01-06 07:57 <DIR> d-------- c:\program files\DNA
2008-12-15 16:16 . 2008-12-15 16:16 <DIR> d-------- c:\program files\BitTorrent
2008-12-15 16:16 . 2009-01-06 10:44 <DIR> d-------- c:\documents and settings\wstupp\Application Data\DNA
2008-12-14 20:17 . 2008-12-14 20:17 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2008-12-12 13:41 . 2008-12-12 13:41 0 --a------ C:\LHT17.tmp
2008-12-11 10:55 . 2004-08-04 00:07 59,264 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-11 10:55 . 2004-08-04 00:07 59,264 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-11 07:43 . 2008-12-11 07:43 <DIR> d-------- c:\program files\Sanako

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-01-06 01:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 01:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 21:11 --------- d-----w c:\program files\Warcraft III
2009-01-01 17:41 --------- d-----w c:\program files\Lenovo
2008-12-31 17:08 --------- d-----w c:\documents and settings\wstupp\Application Data\Ventrilo
2008-12-18 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\DyKnow
2008-12-17 15:48 --------- d-----w c:\program files\World of Warcraft
2008-12-01 19:16 --------- d-----w c:\documents and settings\wstupp\Application Data\acccore
2008-12-01 19:16 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-12-01 19:15 --------- d-----w c:\program files\Viewpoint
2008-12-01 19:15 --------- d-----w c:\program files\AIM6
2008-12-01 19:15 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-01 19:15 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-12-01 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-01 19:13 --------- d-----w c:\program files\Common Files\AOL
2008-12-01 19:03 --------- d-----w c:\program files\Ventrilo
2008-12-01 19:03 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-01 18:00 --------- d-----w c:\program files\Starcraft
2008-12-01 17:41 --------- d-----w c:\program files\Java
2008-04-16 18:49 4 --shatr c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
2008-04-21 17:34 32,768 --sha-w c:\windows\system32\config\systemprofile\Desktop\Default User\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-06-24 19:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Desktop\Default User\Local Settings\History\History.IE5\index.dat
2008-06-24 19:39 32,768 --sha-w c:\windows\system32\config\systemprofile\Desktop\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder0]
@="{AA81D830-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D830-3B41-497c-B508-E9D02F8DF421}]
2006-06-16 03:35 21504 --a------ c:\program files\iFolder\iFolderShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\iFolder1]
@="{AA81D831-3B41-497c-B508-E9D02F8DF421}"
[HKEY_CLASSES_ROOT\CLSID\{AA81D831-3B41-497c-B508-E9D02F8DF421}]
2006-06-16 03:35 21504 --a------ c:\program files\iFolder\iFolderShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-15 342848]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-25 271872]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2004-08-04 16384]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-11 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-11 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"TPFNF7"="c:\progra~1\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-03-26 59680]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"IBMTBCTL"="c:\program files\ThinkPad\Tablet Shortcut\IBMTBCTL.EXE" [2007-10-29 782336]
"TSMResident"="c:\program files\ThinkPad\Tablet Shortcut\TSMRESIDENT.EXE" [2007-10-29 45056]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"PrintManagerPlusClient"="c:\program files\Print Manager Plus - Client\CheckPages.exe" [2008-01-24 376832]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-01-24 66928]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-01-11 144728]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-01-11 124248]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-12-11 1044480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2003-03-31 455168]
"StartCounterSpyIconApp"="c:\program files\Sunbelt Software\CounterSpy\Agent\SBCSTray.exe" [2007-12-21 711152]
"iFolder"="c:\program files\iFolder\iFolderApp.exe" [2006-06-16 983040]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]
"TpShocks"="TpShocks.exe" [2007-11-22 c:\windows\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\install\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

c:\documents and settings\wstupp\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 01:56 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 15:54 89600 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2007-12-14 15:36 28672 c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 03:41 11776 c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 08:18 32256 c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-6776287-330446136-1586563796-11930\Scripts\Logon\0\0]
"Script"=numlock.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-30 14:44 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Print Manager Plus - Client\\CheckPages.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4044:TCP"= 4044:TCP:WWW

R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2008-06-27 15280]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-10-16 19504]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2008-02-13 4442]
R1 TSMSMI;Lenovo System Interface Driver;c:\windows\system32\drivers\tsmsmi32.sys [2008-02-13 6656]
R3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys --> c:\windows\system32\drivers\sbapifs.sys [?]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-11-08 22568]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2008-02-11 13568]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2008-02-13 57344]
R4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R4 ASRSVC;ASR Service;c:\program files\ThinkPad\Tablet Shortcut\ASR\ASRSVC.exe [2008-02-13 73728]
R4 CounterSpyAgent;CounterSpyAgent;c:\program files\Sunbelt Software\CounterSpy\Agent\SBCSESvc.exe [2007-12-21 829936]
R4 NetInfs;Network Interface Service;c:\windows\System32\svchost.exe -k netinfsvc [2003-03-31 14336]
R4 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [2007-08-14 10896]
R4 TabletSVC;TABLET Service;c:\program files\ThinkPad\Tablet Shortcut\TSMService.exe [2008-02-13 69632]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-01 24652]
S4 oxwobghq;oxwobghq;c:\windows\system32\svchost.exe -k netsvcs [2003-03-31 14336]
S4 uzkmno;uzkmno;c:\windows\system32\svchost.exe -k netsvcs [2003-03-31 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SBAPIFS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
netinfsvc REG_MULTI_SZ NetInfs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oxwobghq
uzkmno

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-06 c:\windows\Tasks\bmphkwto.job
- c:\windows\system32\rundll32.exe [2004-08-04 01:56]

2009-01-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-11 00:30]
.
- - - - ORPHANS REMOVED - - - -

BHO-{17E69B18-CFB4-4258-BBA2-BF1EC19B0436} - c:\windows\system32\byXRkLeF.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\cbXPfcAp.dll
BHO-{CCAC414D-2290-4061-BB38-DBE087D28E81} - (no file)
HKCU-Run-Aim6 - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\cbXPfcAp.dll
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe

.
------- Supplementary Scan -------
.
uStart Page = https://portal.micds.org
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %systemroot%\system32\MSAFDLsp.dll

c:\windows\system32\capicom.dll - c:\windows\Downloaded Program Files\acpir2.dll
O16 -: {2DAD3559-2923-4935-AD49-B673D2539944}
hxxp://www-307.ibm.com/pc/support/acpir.cab
c:\windows\Downloaded Program Files\acpir.inf

c:\windows\system32\oleaut32.dll - c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\system32\GridPlus.ocx
c:\windows\system32\acinet.dll
c:\windows\Downloaded Program Files\Acwc_ibm.ocx
O16 -: {A5B7052E-CE47-11D2-8B30-0004ACDA6405}
hxxps://wca.eclaim.com/Cabs/Acwc_ibm.cab
c:\windows\Downloaded Program Files\Acwc_ibm.INF
FF - ProfilePath - c:\documents and settings\wstupp\Application Data\Mozilla\Firefox\Profiles\u1yi1yh1.default\
FF - plugin: c:\program files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 10:53:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)
c:\windows\system32\vrlogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'lsass.exe'(1164)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\windows\system32\MSAFDLsp.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
c:\windows\system32\IPSSVC.EXE
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\searchindexer.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\wisptis.exe
c:\windows\system32\tabbtnu.exe
c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\DyKnow\Client\hcp.exe
c:\program files\iFolder\web\bin\Simias.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-01-06 10:58:09 - machine was rebooted [wstupp]
ComboFix-quarantined-files.txt 2009-01-06 16:58:06

Pre-Run: 110,320,926,720 bytes free
Post-Run: 110,253,375,488 bytes free

326 --- E O F --- 2008-04-02 20:43:57

**BoredKid** · 2009-01-06, 22:57

Just thought I would add, I do not have HijackThis. Should I get it?

**tashi** · 2009-01-06, 23:58

Originally Posted by BoredKid

I followed the instructions on http://forums.spybot.info/showthread.php?t=42891 and here is the log from ComboFix:

Originally Posted by BoredKid

Just thought I would add, I do not have HijackThis. Should I get it?

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Do NOT run 'FIXES' before helpers have analyzed the HJT log

Thread: Virtumonde: The Evil Plague

Thread Tools

Display

Virtumonde: The Evil Plague

Posting Permissions