
Thread: Virtumonde Infection

  1. #1
    Junior Member
    Join Date
    Mar 2009
    Posts
    9

    Virtumonde Infection

    Hullo,

    Here's my Logfile of HijackThis v1.99.0

    Scan saved at 11:22:21 AM, on 3/22/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Tall Emu\Online Armor\oacat.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    C:\Program Files\Tall Emu\Online Armor\oahlp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\rundll32.exe
    E:\DOCUMENTS\downloaded programs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: (no name) - {95c93837-f0da-45b5-9b83-f69f0f2328ce} - C:\WINDOWS\system32\jefaduku.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKLM\..\Run: [bibudohetu] Rundll32.exe "C:\WINDOWS\system32\yirumuno.dll",s
    O4 - HKLM\..\Run: [d892822e] rundll32.exe "C:\WINDOWS\system32\mosasaso.dll",b
    O4 - HKLM\..\Run: [CPMdba1b1b2] Rundll32.exe "c:\windows\system32\lutolazu.dll",a
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: NETGEAR WPN311 Smart Wizard.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\pogewaso.dll c:\windows\system32\lutolazu.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lutolazu.dll
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Canon Camera Access Library 8 - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Online Armor Helper Service - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Online Armor - Unknown - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

    Can't get that SSODL out with either Spybot (even run during reboot), HJT or Regedit. This thing appears to be all over the registry, from HKClasses_Root on down. The more I block it with Online Armor (free version) and try and dig it out, the more it mutates. Real nasty bugger. Any help would be greatly appreciated.

    Thanks
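Correlating the loading points in a log like the one above is how a helper triages it: the same DLL referenced from AppInit_DLLs (O20), SSODL (O21) and a rundll32 Run key (O4), or an unnamed BHO (O2), is the pattern to look for. The following Python is an added example and is not part of the thread; its sample entries are constructed from this log, and the scoring rules (which loading points count as strong, and the single-letter rundll32 export heuristic) are my own assumptions, not HijackThis logic.

```python
"""Correlate DLL loading points in a HijackThis log (added example, not from the thread).

HijackThis prefixes each finding with a section code (O2 = BHO, O4 = Run key,
O20 = AppInit_DLLs, O21 = ShellServiceObjectDelayLoad, ...). The same DLL
showing up under several of those, or under a loading point that legitimate
software rarely uses, is what a helper looks for first.
"""
import re
from collections import defaultdict

# Constructed sample: entries modelled on the first HijackThis log in the thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {95c93837-f0da-45b5-9b83-f69f0f2328ce} - C:\WINDOWS\system32\jefaduku.dll",
    r"O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [bibudohetu] Rundll32.exe "C:\WINDOWS\system32\yirumuno.dll",s',
    r'O4 - HKLM\..\Run: [d892822e] rundll32.exe "C:\WINDOWS\system32\mosasaso.dll",b',
    r'O4 - HKLM\..\Run: [CPMdba1b1b2] Rundll32.exe "c:\windows\system32\lutolazu.dll",a',
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\pogewaso.dll c:\windows\system32\lutolazu.dll",
    r"O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lutolazu.dll",
    r"O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# "<code> - <body>", e.g. "O20 - AppInit_DLLs: ..."
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A drive-letter path ending in .dll; non-greedy so "a.dll b.dll" yields two paths.
DLL_RE = re.compile(r"[A-Za-z]:\\.+?\.dll", re.IGNORECASE)
# rundll32 "<path>",<export>  -- captures the export name that follows the comma.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE
)

# Assumption for this example: loading points legitimate consumer software almost never uses.
STRONG = {"AppInit_DLLs", "SSODL", "unnamed BHO"}


def loading_points(lines):
    """Map each DLL path (lower-cased) to the set of loading points that reference it."""
    points = defaultdict(set)
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        for path in DLL_RE.findall(body):
            key = path.lower()
            if code == "O2":
                points[key].add("unnamed BHO" if "(no name)" in body else "BHO")
            elif code == "O4":
                run = RUNDLL_RE.search(body)
                if run:
                    points[key].add("Run key (rundll32)")
                    # Heuristic taken from the thread's entries: a one-letter export such as ",s" or ",a".
                    if len(run.group("export")) == 1:
                        points[key].add("single-letter rundll32 entry point")
                else:
                    points[key].add("Run key")
            elif code == "O20":
                points[key].add("AppInit_DLLs")
            elif code == "O21":
                points[key].add("SSODL")
    return points


def suspicious_dlls(lines):
    """Return {path: sorted loading points} for DLLs that merit a closer look:
    any strong loading point, or two or more independent signals."""
    return {
        path: sorted(pts)
        for path, pts in loading_points(lines).items()
        if pts & STRONG or len(pts) >= 2
    }


if __name__ == "__main__":
    for path, pts in sorted(suspicious_dlls(SAMPLE_LOG).items()):
        print(f"{path}\n    {', '.join(pts)}")
```

On the sample, lutolazu.dll is referenced from four loading points while NvCpl.dll (a normal rundll32 Run entry with a named export) is not flagged.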

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them.

    You have posted a HJT log from a VERY OLD HJT program. HJT is also not located safely. If you will take the time to read and follow the directions, then post a new HJT log with the correct version properly placed, I will take the time to take another look.

    http://forums.spybot.info/showthread.php?t=288 <<< directions

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Mar 2009
    Posts
    9


    Well,

    Thank you, pskelley. I definitely read the sticky before posting. Unfortunately, I was greatly pressed for time and had to attempt a fix on my own, with ComboFix.

    Here's the new HJT log (still using the old version, for reasons that will be made clear.)

    Logfile of HijackThis v1.99.0
    Scan saved at 11:11:51 AM, on 3/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\EPSON\ESM2\eEBSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Tall Emu\Online Armor\oacat.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\DOCUMENTS\downloaded programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1237996736406
    O23 - Service: Canon Camera Access Library 8 - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EpsonBidirectionalService - Unknown - C:\Program Files\EPSON\ESM2\eEBSVC.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Online Armor Helper Service - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Online Armor - Unknown - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

    ComboFix seems to have worked fairly well, however now I have a bit of a problem. The virus created a block of sorts on my Administrator privileges, and I can't access certain web content or load certain programs now (hence the lack of an updated HJT.) Tried to create a new Admin account, to no avail.

    Perhaps you find this an interesting problem... any help would be great.

    Cheers,

    Brad

  4. #4
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Until a helper responds, the HJT log has not been analyzed. Please wait to be advised and do NOT run fixes until asked.
    What the creator of the tool has to say:
    You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
    Try this self-installer, it usually gets around the hackers junk:
    Download Trend Micro Hijack This™ to your Desktop
    http://download.bleepingcomputer.com...HJTInstall.exe
    Doubleclick the HJTInstall.exe to start it.
    By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
    HijackThis will open after install. Press the Scan button below.
    This will start the scan and open a log.
    Copy and paste the contents of the log in your next reply.

    You can download it on another computer and use removable media to bring it to the infected computer, it is only 793 KB's

    I will do my best to try to help, since you say you read the "Before you Post" sticky, must I assume you did not see the instructions to disable TeaTimer? If you still want help, post the log from the combofix run and a new HJT log after you disable TeaTimer.

  5. #5
    Junior Member
    Join Date
    Mar 2009
    Posts
    9


    Hmm.

    Well, now that I've downloaded to desktop and installed the new version of HJT I can't open the program. Same error message as before. I also cannot save a logfile from ComboFix as that too has been compromised.

    Perhaps there is a way to fix whatever registry key has been added by the virus to limit access?

  6. #6
    Junior Member
    Join Date
    Mar 2009
    Posts
    9


    Sorry, that error message is as follows: "Windows cannot access the path, device, or file. You may not have the permissions to access the item."

    Hope that helps.

  7. #7
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    I had assumed, since you said this:
    QUOTE "I was greatly pressed for time and had to attempt a fix on my own, with ComboFix."
    that you had already run combofix and that those were the results I was hoping to see. If that is not the case, delete combofix and download it again from here:

    http://download.bleepingcomputer.com...HJTInstall.exe

    Choose "Save this file now" and before you save it to the DESKTOP change the name of the file like this:

    You must rename it before saving it, save it to your Desktop.



    Then double click the file and follow the prompts to run it.

    Thanks

  8. #8
    Junior Member
    Join Date
    Mar 2009
    Posts
    9


    Sir,

    Your post was a little unclear. I already ran ComboFix, as you now know.

    QUOTE "If that is not the case, delete combofix and download it again from here:

    http://download.bleepingcomputer.com...HJTInstall.exe"

    This URL is for HJT. I'm assuming you meant for me to download ComboFix from there, renaming it in the process, run, etc. Found a link on bleepingcomputer, downloaded it AFTER renaming it, as per your instructions. Same error message.

    Perhaps another approach?

    Thanks

  9. #9
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    QUOTE "Your post was a little unclear. I already ran ComboFix, as you now know."
    I apologize for posting the wrong link.
    QUOTE "Perhaps another approach?"
    Have you considered a reformat? There is only so much I can do if you cannot run the tools.
    QUOTE "I already ran ComboFix, as you now know."
    If you already ran combofix, then post the results of that scan; it should be here: C:\combofix.txt <<< I would like to see that if possible.

    Here are the directions for running combofix, you can try them again with the renaming process. If that does not work, try running combofix in safe mode.
    http://spyware-free.us/tutorials/safemode/


    combofix instructions:
    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

    Download ComboFix from here:

    Link 1

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Tutorial if needed
    http://www.bleepingcomputer.com/comb...o-use-combofix

  10. #10
    Junior Member
    Join Date
    Mar 2009
    Posts
    9


    Unfortunately,

    it seems I will not be downloading and running any new programs before this little problem with permissions is solved. And as well, neither ComboFix nor HJT will run on my computer now.

    However, I do have the original ComboFix logfile:

    ComboFix 09-03-19.02 - The Boss 2009-03-22 17:18:35.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2302.1932 [GMT -5:00]
    Running from: c:\documents and settings\The Boss\Desktop\ComboFix.exe
    FW: Online Armor Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\basukavu.dll
    c:\windows\system32\bkoypx.dll
    c:\windows\system32\boyeseti.dll
    c:\windows\system32\dayarado.dll
    c:\windows\system32\euoiko.dll
    c:\windows\system32\fosajugu.dll
    c:\windows\system32\hosezuba.dll
    c:\windows\system32\jefaduku.dll
    c:\windows\system32\jobavito.dll
    c:\windows\system32\kdkexf.dll
    c:\windows\system32\lutolazu.dll
    c:\windows\system32\mosasaso.dll
    c:\windows\system32\nnzfus.dll
    c:\windows\system32\oiaupt.dll
    c:\windows\system32\osasasom.ini
    c:\windows\system32\pogewaso.dll
    c:\windows\system32\sezerabo.dll
    c:\windows\system32\stilpf.dll
    c:\windows\system32\yavawoji.dll
    c:\windows\system32\yirumuno.dll
    c:\windows\system32\yudegoku.dll
    c:\windows\system32\yujukaku.dll
    c:\windows\system32\zebekeli.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
    .

    2009-03-20 11:28 . 2009-03-20 11:28 <DIR> d-------- c:\documents and settings\The Boss\Application Data\Safer Networking
    2009-03-20 10:43 . 2009-03-20 10:47 <DIR> d-------- c:\program files\Safer Networking
    2009-03-19 17:40 . 2009-03-19 17:40 <DIR> d-------- c:\program files\Common Files\HP
    2009-03-19 17:40 . 2009-03-19 17:40 <DIR> d-------- c:\documents and settings\The Boss\Application Data\HP
    2009-03-19 17:39 . 2009-03-19 17:39 <DIR> d-------- c:\program files\Hewlett-Packard
    2009-03-19 17:39 . 2009-03-19 17:39 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2009-03-19 17:38 . 2006-01-03 12:12 77,824 -ra------ c:\windows\system32\HPZIDS01.dll
    2009-03-19 17:38 . 2006-04-12 05:04 49,664 -ra------ c:\windows\system32\drivers\HPZid412.sys
    2009-03-19 17:38 . 2006-04-10 14:03 48,128 --a------ c:\windows\system32\hpzll054.dll
    2009-03-19 17:38 . 2006-04-12 05:04 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
    2009-03-19 17:34 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
    2009-03-19 17:34 . 2006-03-03 21:03 282,680 --a------ c:\windows\system32\HPZidr12.dll
    2009-03-19 17:34 . 2006-03-03 21:02 204,800 --a------ c:\windows\system32\HPZipr12.dll
    2009-03-19 17:34 . 2006-03-03 21:02 94,208 --a------ c:\windows\system32\HPZipt12.dll
    2009-03-19 17:34 . 2006-03-03 21:03 69,632 --a------ c:\windows\system32\HPZipm12.exe
    2009-03-19 17:34 . 2006-03-03 21:03 65,536 --a------ c:\windows\system32\HPZinw12.exe
    2009-03-19 17:34 . 2006-03-03 21:02 57,344 --a------ c:\windows\system32\HPZisn12.dll
    2009-03-19 17:33 . 2009-03-19 17:33 <DIR> d-------- c:\program files\HP
    2009-03-19 17:31 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
    2009-03-19 17:31 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
    2009-03-19 17:31 . 2008-04-13 14:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
    2009-03-19 17:31 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
    2009-03-19 17:31 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
    2009-03-19 17:30 . 2009-03-19 17:41 117,651 --a------ c:\windows\hpoins11.dat
    2009-03-19 16:53 . 2009-03-22 17:03 598,256 --a------ c:\windows\system32\PerfStringBackup.TMP
    2009-03-18 12:55 . 2009-03-18 12:55 <DIR> d-------- c:\program files\Tall Emu
    2009-03-18 12:55 . 2009-03-22 17:22 <DIR> d-------- c:\documents and settings\The Boss\Application Data\OnlineArmor
    2009-03-18 12:55 . 2009-03-18 12:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\OnlineArmor
    2009-03-18 12:55 . 2008-12-13 02:26 178,376 --ah----- c:\windows\system32\drivers\OADriver.sys
    2009-03-18 12:55 . 2008-12-13 02:26 30,920 --ah----- c:\windows\system32\drivers\OAmon.sys
    2009-03-18 12:55 . 2008-12-13 02:26 28,872 --ah----- c:\windows\system32\drivers\OAnet.sys
    2009-03-18 12:13 . 2009-03-18 12:13 147 --ah----- c:\windows\wininit.ini
    2009-03-17 14:02 . 2009-03-17 14:16 15,360 --ah----- c:\windows\system32\drivers\NetMotCM.sys
    2009-03-05 11:30 . 2009-03-05 11:35 <DIR> d-------- C:\timeline.swf.swf
    2009-03-05 11:30 . 2009-03-05 11:30 <DIR> d-------- c:\program files\DComSoft
    2009-03-04 13:06 . 2009-03-04 13:06 <DIR> d-------- c:\program files\DNA
    2009-03-04 13:06 . 2009-03-04 13:06 <DIR> d-------- c:\program files\BitTorrent
    2009-03-04 13:06 . 2009-03-05 11:35 <DIR> d-------- c:\documents and settings\The Boss\Application Data\DNA
    2009-03-04 13:06 . 2009-03-05 11:35 <DIR> d-------- c:\documents and settings\The Boss\Application Data\BitTorrent
    2009-03-02 13:27 . 2009-03-03 12:32 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-03-02 12:58 . 2009-03-02 12:58 <DIR> d-------- c:\documents and settings\The Boss\Application Data\Movies Extractor Scout

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-19 23:23 --------- d-----w c:\documents and settings\The Boss\Application Data\Move Networks
    2009-03-18 17:03 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-02-26 22:46 --------- d-----w c:\program files\Steam
    2008-12-02 21:50 22,328 ----a-w c:\documents and settings\The Boss\Application Data\PnkBstrK.sys
    2006-12-04 16:57 35,232 ---ha-w c:\windows\inf\WPN311\ME_INST.EXE
    2006-12-04 16:57 26,112 ---ha-w c:\windows\inf\WPN311\install.exe
    2006-07-05 10:33 472,000 ---ha-w c:\windows\inf\WPN311\WPN311.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-26 13508608]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-10-09 1036288]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-26 86016]
    "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
    "nwiz"="nwiz.exe" [2008-01-26 c:\windows\system32\nwiz.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-30 113664]
    Adobe Reader Speed Launch.lnk.disabled [2008-10-02 1757]
    EPSON Background Monitor.lnk - c:\program files\EPSON\ESM2\STMS.exe [1999-06-07 233984]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
    NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-04 1503232]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-05 18:41 413696 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    "PnkBstrB"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    "gusvc"=3 (0x3)
    "LightScribeService"=2 (0x2)
    "seclogon"=2 (0x2)
    "Adobe LM Service"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\NETGEAR\\WPN311\\wlancfg5.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\EPSON\\ESM2\\eEBSvc.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

    R0 aec6710D;aec6710D;c:\windows\system32\drivers\A6710D.sys [2008-10-03 14510]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-03-18 178376]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-03-18 30920]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-03-18 28872]
    R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-03-18 1402568]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2008-09-14 31392]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-03-18 3321032]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{95c93837-f0da-45b5-9b83-f69f0f2328ce} - c:\windows\system32\jefaduku.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-22 17:22:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1003\Software\SecuROM\License information*]
    "datasecu"=hex:67,3b,88,1c,4f,76,53,b6,90,f0,84,de,5e,7c,56,4e,06,32,73,10,f9,
    ac,6a,ad,74,96,02,d9,07,ac,e9,8c,f0,e0,8f,cf,35,d4,03,34,46,10,c2,66,42,f2,\
    "rkeysecu"=hex:66,15,62,db,fe,dd,98,d1,97,e4,4e,91,f6,2c,8e,c9
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\program files\EPSON\ESM2\eEBSvc.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-22 17:23:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-22 22:23:45

    Pre-Run: 143,039,225,856 bytes free
    Post-Run: 143,119,450,112 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

    Current=4 Default=4 Failed=3 LastKnownGood=2 Sets=1,2,3,4
    196


    I am considering a reformat, actually, but I thought I would see if anyone knew which registry keys might control the permissions that Windows needs in order to load an .exe file. Any ideas in that area?

    Thanks
