Thread: Please Help! Virtumonde, MalwareAlarm (SecCenter), etc.

#11 - Member (Join Date: Dec 2007, Posts: 62)

    OK. ComboFix took almost exactly 20 minutes from the time I started it to the time it rebooted and finally showed the report (because it took about 19 minutes total, I didn't stop any of the processes you mentioned, even though several of them randomly popped up in Task Manager).

    ComboFix 07-12-21.4 - **** 2007-12-27 15:28:57.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.222 [GMT -5:00]
    Running from: C:\Documents and Settings\****\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\****\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\WINDOWS\MXOALDR .EXE
    C:\WINDOWS\SM1BG .EXE
    C:\WINDOWS\system32\cmd .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\hkcmd .exe
    C:\WINDOWS\system32\hphmon04 .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\rqrpp.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\MXOALDR .EXE
    C:\WINDOWS\SM1BG .EXE
    C:\WINDOWS\system32\cmd .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\hkcmd .exe
    C:\WINDOWS\system32\hphmon04 .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\njprckha
    C:\WINDOWS\system32\njprckha\bg1.gif
    C:\WINDOWS\system32\njprckha\bgtop.gif
    C:\WINDOWS\system32\njprckha\bottom1.gif
    C:\WINDOWS\system32\njprckha\essentials.gif
    C:\WINDOWS\system32\njprckha\icon1.ico
    C:\WINDOWS\system32\njprckha\install1.gif
    C:\WINDOWS\system32\njprckha\left1.gif
    C:\WINDOWS\system32\njprckha\li.gif
    C:\WINDOWS\system32\njprckha\logo.gif
    C:\WINDOWS\system32\njprckha\main.htm
    C:\WINDOWS\system32\njprckha\mainframe.htm
    C:\WINDOWS\system32\njprckha\reinstall1.gif
    C:\WINDOWS\system32\njprckha\right1.gif
    C:\WINDOWS\system32\njprckha\s1.htm
    C:\WINDOWS\system32\njprckha\s2.htm
    C:\WINDOWS\system32\njprckha\s3.htm
    C:\WINDOWS\system32\njprckha\SMTop1.gif
    C:\WINDOWS\system32\njprckha\SMTop2.gif
    C:\WINDOWS\system32\njprckha\SMTop3.gif
    C:\WINDOWS\system32\njprckha\SMTop4.gif
    C:\WINDOWS\system32\njprckha\soft1_off.gif
    C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
    C:\WINDOWS\system32\njprckha\soft1_on.gif
    C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
    C:\WINDOWS\system32\njprckha\soft2_off.gif
    C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
    C:\WINDOWS\system32\njprckha\soft2_on.gif
    C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
    C:\WINDOWS\system32\njprckha\soft3_off.gif
    C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
    C:\WINDOWS\system32\njprckha\soft3_on.gif
    C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
    C:\WINDOWS\system32\njprckha\softbottom_off.gif
    C:\WINDOWS\system32\njprckha\softbottom_on.gif
    C:\WINDOWS\system32\njprckha\softleft_off.gif
    C:\WINDOWS\system32\njprckha\softleft_on.gif
    C:\WINDOWS\system32\njprckha\top1.gif
    C:\WINDOWS\system32\njprckha\top2.gif
    C:\WINDOWS\system32\njprckha\turnoff1.gif
    C:\WINDOWS\system32\njprckha\turnon1.gif
    C:\WINDOWS\system32\pprqr.ini
    C:\WINDOWS\system32\pprqr.ini2
    C:\WINDOWS\system32\rqrpp.dll
    C:\WINDOWS\system32\rqrpp.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
    .

    2007-12-27 14:27 . 2007-12-27 14:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-27 14:27 . 2007-12-27 14:27 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-12-27 12:29 . 2007-12-27 12:34 143 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-12-26 11:35 . 2007-12-26 13:37 <DIR> d-------- C:\VundoFix Backups
    2007-12-22 23:11 . 2007-12-22 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-12-21 23:45 . 2007-12-21 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-12-21 23:44 . 2007-12-21 23:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-12-20 21:53 . 2007-12-20 21:54 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-12-20 18:40 . 2007-12-20 21:46 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2007-12-20 18:24 . 2007-12-20 18:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2007-12-20 18:19 . 2007-12-20 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-20 18:16 . 2007-12-20 18:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
    2007-12-20 18:14 . 2007-12-27 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intel
    2007-12-20 18:13 . 2004-11-15 22:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2007-12-20 18:13 . 2004-11-16 00:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2007-12-20 18:13 . 2001-04-04 04:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
    2007-12-20 18:13 . 2004-11-16 00:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2007-12-20 18:13 . 2004-11-15 23:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
    2007-12-20 18:13 . 2004-11-16 01:07 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
    2007-12-20 18:13 . 2004-11-16 00:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
    2007-12-20 18:13 . 2005-04-23 19:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
    2007-12-12 21:23 . 2007-12-12 21:23 <DIR> d-------- C:\Program Files\Retrospect
    2007-12-06 17:28 . 2007-12-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
    2007-12-06 17:24 . 2007-12-06 17:24 <DIR> d-------- C:\Program Files\Maxtor
    2007-12-05 22:06 . 2007-12-05 22:06 <DIR> d-------- C:\Program Files\2BrightSparks
    2007-12-02 16:53 . 2007-12-09 13:42 <DIR> d-------- C:\Program Files\F2atv_Forums

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-27 20:30 --------- d-----w C:\Program Files\QuickTime
    2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\SM1BG.EXE
    2007-12-27 20:29 430,592 ----a-w C:\WINDOWS\MXOALDR.EXE
    2007-12-27 20:29 --------- d-----w C:\Program Files\ltmoh
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\****\Application Data\ScanSoft
    2007-12-27 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
    2007-12-27 20:11 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
    2007-12-27 20:01 --------- d-----w C:\Program Files\ScanSoft
    2007-12-27 19:23 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-12-27 19:20 --------- d-----w C:\Program Files\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Intel
    2007-12-27 19:19 --------- d-----w C:\Documents and Settings\****\Application Data\Intel
    2007-12-27 19:14 --------- d-----w C:\Program Files\Notebook Maximizer
    2007-12-27 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-12-27 17:34 --------- d-----w C:\Program Files\BitTorrent_DNA
    2007-12-23 04:50 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent DNA
    2007-12-22 19:15 --------- d-----w C:\Program Files\Trend Micro
    2007-12-19 13:53 --------- d-----w C:\Program Files\eMule
    2007-12-19 03:47 --------- d-----w C:\Documents and Settings\****\Application Data\BitTorrent
    2007-12-06 22:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-23 04:32 --------- d-----w C:\Program Files\VideoLAN
    2007-11-18 20:14 --------- d-----w C:\Program Files\iNav
    2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
    2007-11-12 19:21 --------- d-----w C:\Program Files\PdaNet for Windows Mobile
    2007-11-07 22:15 --------- d-----w C:\Program Files\DAEMON Tools
    2007-11-07 22:07 --------- d-----w C:\Program Files\PeerGuardian2
    2007-11-07 22:05 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2007-11-07 14:02 --------- d-----w C:\Program Files\BitTorrent
    2007-11-07 13:47 --------- d-----w C:\Program Files\eDonkey2000
    2007-07-02 20:41 630,784 ----a-w C:\Documents and Settings\****\GoToAssist_chat2way__317_en.exe
    2006-07-26 23:53 557,056 ----a-w C:\Documents and Settings\****\chatlnk.exe
    2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2007-12-24_20.40.45.99 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
    + 2007-12-27 20:42:41 352,256 ----a-w C:\WINDOWS\system32\ctfmon.exe
    - 2007-04-10 00:33:01 200,936 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2007-12-27 20:22:14 200,144 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045F79C1-1726-4671-92AC-68CABF8963F3}]
    2007-12-27 15:42 331776 --a------ C:\WINDOWS\system32\rqrpp.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "OfotoNow USB Detection"="C:\WINDOWS\system32\RunDLL32.exe" [2004-08-04 07:00]
    "SpriteService"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" []
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-27 15:29]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-27 15:29]
    "NDSTray.exe"="NDSTray.exe" []
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 17:37 C:\WINDOWS\agrsmmsg.exe]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
    "TFncKy"="TFncKy.exe" []
    "TPSMain"="TPSMain.exe" [2004-08-27 12:34 C:\WINDOWS\system32\TPSMain.exe]
    "PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
    "Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2007-12-27 15:42]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" []
    "HPHmon04"="C:\WINDOWS\system32\hphmon04.exe" []
    "SM1BG"="C:\WINDOWS\SM1BG.EXE" [2007-12-27 15:29]

    C:\Documents and Settings\******\Start Menu\Programs\Startup\
    Anapod Manager.lnk - C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe [2006-12-05 01:15:34]
    PdaNet Desktop.lnk - C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe [2007-11-12 14:21:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-12-07 22:02:24]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\WINDOWS\system32\rqrpp.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
    2002-05-24 07:47 49152 --a------ C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2005-10-18 11:58 278528 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    2005-03-09 19:10 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware14]
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    2005-03-08 21:13 1695744 --a------ C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpriteService]
    2007-08-23 07:24 8793064 --a------ C:\Program Files\Sprite Software\Sprite Backup\SpriteService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlowTray]
    C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe

    R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
    R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2005-03-08 21:05]
    R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
    R2 OneTouch 4.0 Monitor;OneTouch 4.0 Monitor;"C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe" [2006-08-28 00:58]
    R3 pnetmdm;PdaNet Modem;C:\WINDOWS\system32\DRIVERS\pnetmdm.sys [2006-09-28 15:32]
    S3 pgfilter;pgfilter;C:\Program Files\PeerGuardian2\pgfilter.sys [2005-09-18 18:02]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de021171-b460-11d9-bb13-000e35f2ff28}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7a2970d-d3f7-11da-bba5-000e35f2ff28}]
    \Shell\AutoRun\command - setupSNK.exe

    .
    **************************************************************************

    catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-27 15:42:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\TEMP
    C:\WINDOWS\system32\rqrpp.exe 335360 bytes executable
    C:\WINDOWS\system32\ctfmon .exe 15360 bytes executable
    C:\WINDOWS\system32\pprqr.ini 391 bytes
    C:\WINDOWS\system32\pprqr.ini2 319 bytes

    scan completed successfully
    hidden files: 5

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\system32\rqrpp.dll
    .
    Completion time: 2007-12-27 15:46:15 - machine was rebooted
    C:\ComboFix2.txt ... 2007-12-27 13:08
    C:\ComboFix3.txt ... 2007-12-26 11:33
    .
    2007-12-21 14:19:06 --- E O F ---
    Last edited by Shaba; 2009-11-01 at 17:32.
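The log above shows one cluster of indicators that belong together: executables whose names carry a space before the extension (`ctfmon .exe`, `cmd .exe`), a DLL registered as a Browser Helper Object that is also loaded into Explorer.EXE, the same base name in the HKCU `Windows NT\CurrentVersion\Windows` `load` value and in the LSA `Authentication Packages` list next to `msv1_0`, a companion file whose name is the first one reversed (`rqrpp` / `pprqr`), and several of those same files reported hidden by catchme. The Python script below is an editor's added example for triaging a ComboFix-style log for exactly these patterns; it is not ComboFix code and not something the original poster ran. The sample lines are copied from the posted log; the function names, regular expressions and the "two or more independent indicators" threshold are the editor's own assumptions, and the checks are a triage aid, not proof of infection on their own.

```python
"""Triage a ComboFix-style log for the Vundo/Virtumonde-style persistence
indicators visible in the post above.  Added example by the editor; not
part of ComboFix and not code from the original post.  Sample lines are
copied from the posted log; heuristics and thresholds are assumptions."""
import re

# Constructed sample: excerpts of the log in the post above, keeping the
# malformed names (space before the extension) and the registry entries.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\cmd .exe
C:\WINDOWS\system32\rqrpp.dll
C:\WINDOWS\system32\rqrpp.exe
C:\WINDOWS\system32\pprqr.ini
C:\WINDOWS\system32\pprqr.ini2

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{045F79C1-1726-4671-92AC-68CABF8963F3}]
2007-12-27 15:42 331776 --a------ C:\WINDOWS\system32\rqrpp.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\rqrpp.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\rqrpp

scanning hidden files ...

C:\WINDOWS\TEMP
C:\WINDOWS\system32\rqrpp.exe 335360 bytes executable
C:\WINDOWS\system32\ctfmon .exe 15360 bytes executable
C:\WINDOWS\system32\pprqr.ini 391 bytes
C:\WINDOWS\system32\pprqr.ini2 319 bytes

scan completed successfully
hidden files: 5
"""

PATH_RE = re.compile(r"[A-Za-z]:\\\S+")          # path up to the first space
SPACED_EXT_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*? \.(?:exe|dll|sys|com|scr)\b", re.I)
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]")


def _dedupe(items):
    """Keep first occurrence of each item, comparing case-insensitively."""
    seen, out = set(), []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def _stem(path):
    """'C:\\x\\ctfmon .exe' -> 'ctfmon': last component, no extension, lower."""
    name = path.rsplit("\\", 1)[-1]
    return name.split(".", 1)[0].strip().lower()


def space_padded_names(log):
    """'ctfmon .exe' is a different file from ctfmon.exe; the space makes a
    look-alike name that passes a quick glance at a directory listing."""
    return _dedupe(SPACED_EXT_RE.findall(log))


def extra_auth_packages(log):
    """LSA 'Authentication Packages' normally lists only msv1_0; anything
    else is loaded into lsass.exe at boot.  Assumes ComboFix prints the
    entries space-separated and that the extra entries contain no spaces."""
    m = re.search(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$", log, re.M)
    if not m:
        return []
    return [p for p in m.group(1).split() if p.lower() != "msv1_0"]


def winlogon_load_values(log):
    """The HKCU ...\\Windows NT\\CurrentVersion\\Windows 'load' value runs a
    program at logon and is empty on a clean XP install."""
    return [v.strip() for v in re.findall(r'^"load"=(.+)$', log, re.M)]


def bho_dlls(log):
    """Pair each BHO CLSID header with the DLL path printed under it."""
    lines, out = log.splitlines(), []
    for i, line in enumerate(lines):
        m = BHO_RE.search(line)
        if not m:
            continue
        for nxt in lines[i + 1:i + 3]:          # path is on the next line or two
            p = re.search(r"[A-Za-z]:\\.+$", nxt)
            if p:
                out.append((m.group(1), p.group(0).strip()))
                break
    return out


def hidden_files(log):
    """Entries catchme lists between 'scanning hidden files' and the
    completion line, with the size/'executable' suffix stripped."""
    block = re.search(r"scanning hidden files \.\.\.(.*?)scan completed", log, re.S)
    if not block:
        return []
    out = []
    for line in block.group(1).splitlines():
        m = re.match(r"([A-Za-z]:\\.*?)(?:\s+\d+ bytes.*)?$", line.strip())
        if m:
            out.append(m.group(1))
    return out


def reversed_name_pairs(log):
    """Vundo-style droppers use a random name and its reverse
    (rqrpp.exe / pprqr.ini).  Returns sorted (name, reversed) tuples."""
    stems = {_stem(p) for p in PATH_RE.findall(log)}
    stems = {s for s in stems if len(s) >= 4 and s.isalpha()}
    pairs = {tuple(sorted((s, s[::-1]))) for s in stems if s[::-1] in stems and s[::-1] != s}
    return sorted(pairs)


def triage(log):
    """Run every check and cross-reference them: a base name that appears in
    two or more independent indicators is the one to pull first."""
    findings = {
        "space_padded": space_padded_names(log),
        "lsa_auth_packages": extra_auth_packages(log),
        "winlogon_load": winlogon_load_values(log),
        "bho": [path for _, path in bho_dlls(log)],
        "hidden": hidden_files(log),
        "reversed_pairs": [s for pair in reversed_name_pairs(log) for s in pair],
    }
    counts = {}
    for items in findings.values():
        for stem in {_stem(i) for i in items}:      # one vote per check
            counts[stem] = counts.get(stem, 0) + 1
    findings["cross_referenced"] = sorted(
        ((s, n) for s, n in counts.items() if n >= 2), key=lambda x: (-x[1], x[0]))
    return findings


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(f"{check:18} {items}")
```

On the sample, `rqrpp` scores in five checks (LSA package, `load` value, BHO, hidden file, reversed pair), `ctfmon` and `pprqr` in two each, and `cmd` in one; that ordering matches what the helper in the thread targeted first. Two caveats a practitioner should keep in mind: the space-before-extension check only sees names that still have the space in the log (a renamed or deleted file will not show), and `PATH_RE` stops at the first space, so paths under `Documents and Settings` need the full-line regex used in `bho_dlls` if you extend the checks to them.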
