Can't get Virtumonde.prx trojan off my computer

**freder1ck** · 2010-10-28, 06:12

Here is the ComboFix log:

ComboFix 10-10-26.04 - Compaq_Owner 10/27/2010 20:59:04.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.466 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Owner\Application Data\avdrn.dat
c:\documents and settings\Compaq_Owner\g2mdlhlpx.exe
c:\documents and settings\Compaq_Owner\Recent\Thumbs.db
D:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-23 22:42 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6733BC39-B0C4-4068-B54C-D9854869D80D}\mpengine.dll
2010-10-19 01:24 . 2010-10-20 01:38 0 ----a-w- c:\windows\Qworof.bin
2010-10-19 01:24 . 2010-10-19 01:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{D65B0306-13C7-4295-A32B-C2C9310980C2}
2010-10-18 19:10 . 2010-10-18 19:10 -------- d-----w- c:\program files\iPod
2010-10-18 19:10 . 2010-10-18 19:11 -------- d-----w- c:\program files\iTunes
2010-10-18 19:04 . 2010-10-18 19:04 -------- d-----w- c:\program files\Bonjour
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-PT
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-BR
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\nl-NL
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\it-IT
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\fr-FR
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\es-ES
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\de-DE
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-BR
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-PT
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\nl-NL
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\it-IT
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\de-DE
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\fr-FR
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\es-ES
2010-10-15 15:53 . 2010-10-15 15:53 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
2010-10-14 16:30 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 16:30 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 16:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-12-02 00:16 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-12-02 06:54 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
2010-09-24 18:19 . 2010-09-24 18:19 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 18:19 . 2010-09-24 18:19 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-09-24 17:14 . 2010-09-24 17:14 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
2010-09-24 17:11 . 2010-09-24 17:11 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-09-24 17:11 . 2010-09-24 17:11 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-09-24 17:11 . 2010-09-24 17:11 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-09-24 17:11 . 2010-09-24 17:11 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-09-24 17:11 . 2010-09-24 17:11 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-09-24 17:11 . 2010-09-24 17:11 796672 ----a-w- c:\windows\system32\drivers\UMDF\ZuneDriver.dll
2010-09-24 17:11 . 2010-09-24 17:11 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
2010-09-24 17:11 . 2010-09-24 17:11 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-09-24 17:06 . 2010-09-24 17:06 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
2010-09-24 16:31 . 2009-08-17 17:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-09-18 17:23 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-01-28 14:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2008-01-28 14:16 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2008-01-28 14:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-01-28 14:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2008-01-28 14:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-01-28 16:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-01-28 14:20 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-01-28 14:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-01-28 14:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-01-28 14:18 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 00:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-01-28 16:34 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-01-28 14:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-01-28 14:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-29 02:40 . 2008-03-29 02:40 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-03-29 02:40 . 2008-03-29 02:40 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-03-29 02:40 . 2008-03-29 02:40 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-27 198160]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-06 1015808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\Program Files\\iWin Games\\iWinGames.exe"=
"f:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 iWinTrusted;iWinTrusted;f:\program files\iWin Games\iWinTrusted.exe [7/9/2009 3:21 PM 78104]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [11/21/2009 5:22 PM 109168]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2010 11:35 PM 136176]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\DRIVERS\BLKWGD.sys --> c:\windows\system32\DRIVERS\BLKWGD.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 1:19 PM 268528]

--- Other Services/Drivers In Memory ---

*Deregistered* - pglyqpow

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]

2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-Bladegifop - c:\windows\ekilimel.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-__KITTY_LUV___is1 - c:\program files\Kitty Luv\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 21:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-27 21:34:50
ComboFix-quarantined-files.txt 2010-10-28 02:34

Pre-Run: 103,471,718,400 bytes free
Post-Run: 104,223,494,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0F9E3BDFD9E6F337CC32BA9F8728F9F1

Thread: Can't get Virtumonde.prx trojan off my computer

Thread Tools

Display

Threaded View

Tags for this Thread

Posting Permissions