virtumonde

**Red_Earth** · 2010-03-01, 19:22

ComboFix 10-03-01.01 - Compaq_Administrator 03/01/2010 13:00:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.702.356 [GMT -5:00]
Running from: c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Saf52.tmp\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
The following files were disabled during the run:
c:\windows\IA\asappsrv.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\35573251.exe
c:\documents and settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
c:\documents and settings\Compaq_Administrator\Application Data\rhcpvoj0e57v
c:\documents and settings\Compaq_Administrator\Cookies\_install.exe
c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Compaq_Administrator\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Microsoft
c:\microsoft\svchost.exe
c:\progra~1\COMMON~1\{3C622~1
c:\progra~1\COMMON~1\{7C622~1
c:\progra~1\COMMON~1\{7C622~1\system.dll
c:\progra~1\COMMON~1\{7C622~1\Update.exe
c:\progra~1\COMMON~1\{7C622~2
c:\progra~1\COMMON~1\{7C622~2\system.dll
c:\progra~1\COMMON~1\{7C622~2\Update.exe
c:\progra~1\COMMON~1\{7C622~3
c:\progra~1\COMMON~1\{7C622~3\system.dll
c:\progra~1\COMMON~1\{7C622~3\Update.exe
c:\program files\asks~1
c:\program files\Common Files\curity~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\racle~1
c:\program files\Common Files\smante~1
c:\program files\Common Files\smbols~1
c:\program files\Common Files\sstem~1
c:\program files\Common Files\ymante~1
c:\program files\crosof~1.net
c:\program files\curity~1
c:\program files\JavaCore
c:\program files\mantec~1
c:\program files\racle~1
c:\program files\rhcpvoj0e57v
c:\program files\shcrvoj0e57v
c:\program files\Spcron
c:\program files\sstem3~1
c:\program files\Svconr
c:\program files\Svconr\Svconr.exe.lzma
c:\program files\Temporary
c:\program files\Temporary\InsiDERInst.exe
c:\program files\wnsxs~1
c:\program files\ystem~1
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\IA
c:\windows\IA\asappsrv.dll.vir
c:\windows\IA\command.exe
c:\windows\IA\KE.vbs
c:\windows\icroso~1
c:\windows\icroso~1.net
c:\windows\mcroso~1
c:\windows\racle~1
c:\windows\smante~1
c:\windows\sstem~1
c:\windows\system32\asks~1
c:\windows\system32\atmtd.dll.tmp
c:\windows\system32\COMCTL32.OCA
c:\windows\system32\curity~1
c:\windows\system32\E.tmp
c:\windows\system32\fnts~1
c:\windows\system32\lphctvoj0e57v.exe
c:\windows\system32\mantec~1
c:\windows\system32\pphctvoj0e57v.exe
c:\windows\system32\racle~1
c:\windows\system32\s.ico
c:\windows\system32\sks~1
c:\windows\system32\sstem3~1
c:\windows\system32\stem~1
c:\windows\system32\unsvchosts.lzma
c:\windows\system32\wapisu.exe
c:\windows\system32\wnsxs~1
c:\windows\system32\ymante~1
c:\windows\tsks~1
c:\windows\ymbols~1
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_COM+_MESSAGES
-------\Service_cmdService

((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-03-01 00:08 . 2010-03-01 00:08 293376 ----a-w- C:\2outg8ml.exe
2010-02-28 16:40 . 2010-02-28 16:41 -------- d-----w- c:\program files\ERUNT
2010-02-28 16:25 . 2010-02-28 16:25 -------- d-----w- c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\PCHealth
2010-02-28 16:24 . 2010-02-28 16:24 60512 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-28 16:06 . 2010-02-28 16:06 -------- d-----w- c:\windows\ServicePackFiles
2010-02-28 16:05 . 2010-02-28 16:05 -------- d-----w- c:\program files\MSXML 4.0
2010-02-26 23:11 . 2010-02-26 23:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-26 23:49 . 2008-07-23 12:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C7.tmp
2010-02-26 23:45 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C6.tmp
2010-02-26 23:43 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C5.tmp
2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C4.tmp
2010-02-26 23:42 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C3.tmp
2010-02-26 23:41 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C2.tmp
2010-02-26 23:40 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C1.tmp
2010-02-26 23:39 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\C0.tmp
2010-02-26 23:37 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BF.tmp
2010-02-26 23:36 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BE.tmp
2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BD.tmp
2010-02-26 23:35 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BC.tmp
2010-02-26 23:34 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\BB.tmp
2010-02-26 23:33 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B9.tmp
2010-02-26 23:32 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B8.tmp
2010-02-26 23:28 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B7.tmp
2010-02-26 23:27 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B6.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B5.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B2.tmp
2010-02-26 23:25 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B1.tmp
2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\B0.tmp
2010-02-26 23:24 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AF.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AE.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AD.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AC.tmp
2010-02-26 23:23 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AB.tmp
2010-02-26 23:22 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\AA.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A9.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A8.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A7.tmp
2010-02-26 23:21 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A6.tmp
2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A5.tmp
2010-02-26 23:20 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A4.tmp
2010-02-26 23:18 . 2008-07-11 15:04 94208 ----a-w- c:\windows\system32\A3.tmp
2010-02-26 23:06 . 2007-08-16 18:02 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Apple Computer
2010-02-26 10:00 . 2009-03-14 15:40 -------- d-----w- c:\program files\SeekeenSrch
2010-02-26 09:26 . 2009-03-14 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SeekeenSrch
2009-12-31 16:14 . 2004-08-09 21:00 352640 ------w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:35 . 2004-08-09 21:00 668672 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:35 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2004-08-09 21:00 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-04 14:41 . 2004-08-09 21:00 453760 ------w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sxpv"="c:\windows\S?mantec\w?auboot.exe" [?]
"Uhqif"="c:\windows\?racle\r?ndll32.exe" [?]
"Atdntep"="c:\documents and settings\Compaq_Administrator\My Documents\?dobe\j?vaw.exe" [?]
"Dbbxpi"="c:\windows\system32\s?stem32\?ti2evxx.exe" [?]
"Wvrmaf"="c:\windows\?racle\m?iexec.exe" [?]
"Mdlhgl"="c:\windows\system32\?ymantec\??rvices.exe" [?]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ikzo"="c:\progra~1\COMMON~1\ikzo\ikzom.exe" [2006-07-19 9216]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-04-27 50736]
"Csvnro"="c:\program files\Csvnro\Csvnro.exe" [2008-04-29 57344]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-22 180269]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-21 218496]

c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-10 1474560]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 SeekeenSrch Service;SeekeenSrch Service;c:\documents and settings\All Users\Application Data\SeekeenSrch\seekeen155.exe [2/26/2010 4:26 AM 4608]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [1/10/2009 8:16 PM 517632]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{C1B4DEC2-2623-438E-9CA2-C9043AB28508} - (no file)
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-{7C622FEF-089C-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089C-1033-0413-060405060001}\Update.exe
HKLM-Run-{7C622FEF-089B-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089B-1033-0413-060405060001}\Update.exe
HKLM-Run-{7C622FEF-089D-1033-0413-060405060001} - c:\program files\Common Files\{7C622FEF-089D-1033-0413-060405060001}\Update.exe
HKLM-Run-lphctvoj0e57v - c:\windows\system32\lphctvoj0e57v.exe
HKLM-Run-SMrhcpvoj0e57v - c:\program files\rhcpvoj0e57v\rhcpvoj0e57v.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 13:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3312)
c:\program files\SeekeenSrch\seekeen.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\ARPWRMSG.EXE
c:\program files\SeekeenSrch\seekeen.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-03-01 13:18:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-01 18:18

Pre-Run: 93,198,229,504 bytes free
Post-Run: 93,758,308,352 bytes free

- - End Of File - - D98D1C79BD649ECF2050BDCED9B9203F

Thread: virtumonde

Thread Tools

Display

Threaded View

comboFix

Tags for this Thread

Posting Permissions