
Thread: Help removing Virtumonde and Smitfraud

  1. #11 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    hi,

    OK, good. Sometimes this malware can come with other goodies or go out and get more, so let's get one more look for malware. We will use ComboFix. There is a guide you should read through first; lots of pictures. Read through the guide and follow the ComboFix prompts as you use it. Post the ComboFix log.

    The guide:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    How Can I Reduce My Risk?

  2. #12 Junior Member (Join Date: Dec 2008, Posts: 13)

    Wait...

    I just installed the wrong version of the console... How do I go about uninstalling it?

    If it's not an issue for now (though it probably is), here's the ComboFix log as it is.

    ComboFix 09-01-02.01 - Administrator 2009-01-04 18:34:13.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1253 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\system32\emYUV.dll
    c:\windows\system32\hpvaut32.dll
    c:\windows\system32\hpvcp70.dll
    c:\windows\system32\hpvcr70.dll
    c:\windows\system32\mdm.exe

    ----- BITS: Possible infected sites -----

    hxxp://childhe.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
    .

    2009-01-04 18:38 . 2004-05-11 13:53 626,960 -ra------ c:\windows\system32\hpvaut32.dll
    2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system32\drivers\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
    2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
    2009-01-03 21:44 . 2009-01-03 21:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-01-03 21:44 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-03 21:43 . 2009-01-03 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-03 21:43 . 2009-01-03 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-03 21:43 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-29 12:54 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\McAfee
    2008-12-29 00:36 . 2008-12-29 00:36 <DIR> d-------- C:\VundoFix Backups
    2008-12-28 19:22 . 2008-12-28 19:22 95 --a------ c:\windows\wininit.ini
    2008-12-28 19:05 . 2008-12-28 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-28 19:05 . 2008-12-28 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-20 19:38 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
    2008-12-20 19:38 . 2009-01-04 18:36 10,621 --a------ c:\windows\system32\Config.MPF
    2008-12-20 19:35 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
    2008-12-20 19:35 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
    2008-12-20 19:35 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
    2008-12-20 19:35 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
    2008-12-20 19:35 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
    2008-12-20 19:35 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
    2008-12-20 19:34 . 2008-12-20 19:34 <DIR> d-------- c:\program files\McAfee.com
    2008-12-20 19:34 . 2008-12-28 11:21 <DIR> d-------- c:\program files\McAfee
    2008-12-20 19:34 . 2008-12-20 19:35 <DIR> d-------- c:\program files\Common Files\McAfee
    2008-12-20 19:02 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
    2008-12-19 10:16 . 2008-12-19 10:16 <DIR> d-------- c:\program files\MSXML 4.0
    2008-12-18 16:56 . 2008-12-18 16:56 <DIR> d-------- c:\program files\Common Files\Pinnacle
    2008-12-18 16:56 . 2005-09-24 02:18 171,520 --a------ c:\windows\system32\drivers\MarvinBus.sys
    2008-12-18 16:55 . 2008-12-18 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Pinnacle
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Yahoo!
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Pegasus Imaging
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Studio 12
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio Plus
    2008-12-18 16:44 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle
    2008-12-18 01:41 . 2008-12-18 01:41 <DIR> d-------- c:\program files\Common Files\HP
    2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\program files\Hewlett-Packard
    2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2008-12-18 01:38 . 2004-05-11 13:53 82,432 -ra------ c:\windows\system32\MSXML4r.dll
    2008-12-18 01:38 . 2004-05-11 13:53 44,544 -ra------ c:\windows\system32\MSXML4a.dll
    2008-12-18 01:37 . 2008-12-18 01:37 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2008-12-18 01:33 . 2004-03-18 19:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
    2008-12-18 01:33 . 2004-03-18 19:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
    2008-12-18 01:33 . 2004-03-18 19:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
    2008-12-18 01:33 . 2004-03-18 19:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
    2008-12-18 01:33 . 2004-03-18 19:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
    2008-12-18 01:33 . 2004-03-18 19:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
    2008-12-18 01:32 . 1998-10-29 19:45 306,688 --a------ c:\windows\IsUninst.exe
    2008-12-18 01:31 . 2008-12-18 01:43 <DIR> d-------- c:\program files\HP
    2008-12-18 01:28 . 2008-12-18 01:44 104,294 --a------ c:\windows\hpoins04.dat
    2008-12-18 01:28 . 2004-06-21 05:14 17,176 --------- c:\windows\hpomdl04.dat
    2008-12-18 01:26 . 2004-04-12 06:10 581,632 -ra------ c:\windows\system32\hpotscl.dll
    2008-12-18 01:26 . 2004-03-13 06:32 278,528 -ra------ c:\windows\system32\hpgwiamd.dll
    2008-12-18 01:26 . 2004-03-13 06:34 270,336 -ra------ c:\windows\system32\HPZc3212.dll
    2008-12-18 01:26 . 2004-04-12 06:10 90,112 -ra------ c:\windows\system32\hpovst08.dll
    2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
    2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
    2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
    2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
    2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
    2008-12-09 10:56 . 2008-12-09 10:56 <DIR> d--h----- c:\windows\system32\GroupPolicy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-28 05:51 --------- d-----w c:\program files\Jasc Software Inc
    2008-12-21 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-20 23:57 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-20 23:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-12-20 23:55 --------- d-----w c:\program files\Symantec
    2008-12-16 17:43 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
    2008-12-15 03:16 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
    2008-12-02 07:56 --------- d-----w c:\documents and settings\Administrator\Application Data\Jasc
    2008-12-02 01:22 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
    2008-12-02 01:22 --------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
    2008-12-02 00:32 --------- d-----w c:\program files\iTunes
    2008-12-02 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-02 00:31 --------- d-----w c:\program files\iPod
    2008-12-02 00:31 --------- d-----w c:\program files\Common Files\Apple
    2008-12-02 00:30 --------- d-----w c:\program files\QuickTime
    2008-11-28 05:46 --------- d-----w c:\program files\GIMP-2.0
    2008-11-22 03:04 --------- d-----w c:\program files\Web Publish
    2008-11-14 06:10 --------- d-----w c:\program files\Bonjour
    2008-11-14 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-11-14 06:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
    2008-11-14 06:09 --------- d-----w c:\program files\Apple Software Update
    2008-11-14 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
    2008-11-13 19:01 --------- d-----w c:\program files\StillSecure
    2008-07-21 23:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-13 16384]
    "TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-13 271872]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 794713]
    "IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-07-12 90112]
    "LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
    "LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-20 61440]
    "SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-19 220160]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
    "FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2007-03-13 20480]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
    "OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2006-06-10 1966080]
    "FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2006-07-21 303104]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "NACSysTray"="c:\program files\StillSecure\NAC Agent\SAService.exe" [2008-04-23 1052672]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
    "MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
    "RTHDCPL"="RTHDCPL.EXE" [2007-03-12 c:\windows\RTHDCPL.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
    2008-04-13 19:11 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
    2006-06-10 19:02 49152 c:\program files\Softex\OmniPass\OPXPGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
    2002-08-29 05:41 11776 c:\windows\system32\tabbtnwl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
    2008-04-13 19:12 32256 c:\windows\system32\tpgwlnot.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1500:TCP"= 1500:TCP:NAC Agent Port

    R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-04-19 8960]
    R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2007-04-19 10496]
    R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2007-04-19 7168]
    R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-03 36640]
    R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-10-12 33152]
    R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2007-04-19 17920]
    R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-04-19 4864]
    R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2007-04-19 30976]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-04-19 36608]
    R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-03-08 92550]
    R4 NACAgent;NAC Agent;c:\program files\StillSecure\NAC Agent\SAService.exe [2008-04-23 1052672]
    S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
    S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2007-04-18 14208]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dfe502f-b846-11dd-9177-00215c0a490d}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994bdc00-b1b7-11dd-af72-00215c0a490d}]
    \Shell\AutoRun\command - E:\CA_EDGEmobile.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

    2008-12-21 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2008-12-21 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2009-01-04 c:\windows\Tasks\tnvrlbwf.job
    - c:\windows\system32\rundll32.exe [2008-04-13 19:12]

    2009-01-04 c:\windows\Tasks\WebReg 20081226224515.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

    2009-01-04 c:\windows\Tasks\WebReg 20090103224534.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

    2009-01-04 c:\windows\Tasks\WebReg 20090103224541.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-fcccYSmk - fcccYSmk.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hermits.com/flash.asp
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    O16 -: {0D6BB8B8-0257-420C-B9EB-CFA90DB1026C} - hxxps://safeaccess.hermits.com:89/setup.cab
    c:\windows\Downloaded Program Files\Setup.inf
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dgttzt1l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.hermits.com/flash.asp
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-04 18:38:05
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...


    c:\windows\system32\hpvaut32.dll 626960 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,20,ae,80,46,95,\
    ae,21,2e,e2,63,26,f1,3f,c8,ff,68,61,16,ec,66,13,33,8d,ab,e2,63,26,f1,3f,c8,\
    ff,68,df,40,41,c1,06,97,9e,85,e2,63,26,f1,3f,c8,ff,68,8c,56,1b,29,08,92,84,\
    fb,14,91,0f,0d

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,19,31,c7,f4,e6,\
    66,32,99,6a,9c,d6,61,af,45,84,18,45,d5,48,6d,7f,47,5d,e9,6a,9c,d6,61,af,45,\
    84,18,43,0f,be,8b,54,12,c5,50,46,47,15,b0,92,4b,c7,ef,1a,1f,9d,68,32,92,50,\
    69,c8,ef,bd,53

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,50,51,3f,43,a4,\
    de,10,b2,ff,7c,85,e0,43,d4,0e,fe,66,f3,fd,47,d0,09,cd,d3,ff,7c,85,e0,43,d4,\
    0e,fe,8c,2a,fa,45,44,df,e2,cd,ff,7c,85,e0,43,d4,0e,fe,fe,85,1d,9a,77,08,35,\
    6b,92,b8,00,fd

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,68,ec,56,9c,27,\
    5f,55,09,86,8c,21,01,be,91,eb,e7,41,9b,02,ff,09,f4,28,db,86,8c,21,01,be,91,\
    eb,e7,d4,e6,63,dd,e6,35,9b,15,3e,1e,9e,e0,57,5a,93,61,7c,3d,eb,f5,33,a9,2d,\
    9f,91,aa,0e,62

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,9d,ce,70,4e,14,\
    6f,ac,fd,f5,1d,4d,73,a8,13,5c,05,62,0a,74,a2,8b,2e,96,2b,f5,1d,4d,73,a8,13,\
    5c,05,b7,e2,e6,8d,3f,8e,24,09,e9,02,6c,fa,fb,1d,47,57,3a,47,a1,bc,4b,10,6d,\
    1b,91,fc,fa,ba

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,03,54,e3,85,d5,\
    72,47,d0,df,20,58,62,78,6b,cf,c8,e9,65,cb,ad,ee,4c,f0,02,df,20,58,62,78,6b,\
    cf,c8,96,b9,92,eb,7d,20,e2,16,b0,18,ed,a7,3f,8d,37,a4,48,dc,45,94,91,1d,41,\
    bf,03,1c,51,d2

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,b3,8b,36,6c,bb,\
    ee,23,a5,fb,a7,78,e6,12,2f,9a,ea,4a,3a,f1,b3,ba,d7,17,1f,fb,a7,78,e6,12,2f,\
    9a,ea,42,48,79,82,0b,5c,00,44,fb,a7,78,e6,12,2f,9a,ea,cd,28,a5,35,8b,bf,9f,\
    25,38,a9,09,c8

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,62,6d,87,d3,08,\
    b1,97,9f,01,3a,48,fc,e8,04,4a,f1,53,58,4f,44,cc,a7,74,f9,01,3a,48,fc,e8,04,\
    4a,f1,3f,b7,91,b9,6d,6c,c2,70,01,3a,48,fc,e8,04,4a,f1,e3,7e,ac,7a,89,66,2f,\
    d2,3b,f7,b1,26

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0d,1a,5b,36,1b,\
    e6,79,f2,f6,0f,4e,58,98,5b,89,c9,0b,00,6d,a1,ad,f1,d5,6f,f6,0f,4e,58,98,5b,\
    89,c9,f2,02,23,2e,39,64,f3,f3,b2,46,9a,e2,1b,fe,1b,94,af,f0,9b,f1,02,9e,7e,\
    a5,3d,a5,b0,be

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,7b,cc,93,96,cb,\
    39,cb,74,3d,ce,ea,26,2d,45,aa,78,af,24,57,95,f3,04,09,dc,3d,ce,ea,26,2d,45,\
    aa,78,d9,be,01,57,86,fc,29,50,b1,cd,45,5a,a8,c4,f8,b9,63,f4,11,38,ee,50,8f,\
    d4,c4,a2,71,19

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,08,d7,60,93,63,\
    fb,cd,b1,2a,b7,cc,b5,b9,7f,41,e7,01,0c,62,ad,4c,0b,92,de,2a,b7,cc,b5,b9,7f,\
    41,e7,9e,b3,0c,db,23,b5,fb,14,f8,31,0f,a9,5f,a0,ec,fb,da,ee,01,35,d7,58,74,\
    93,6f,75,17,b6

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
    "ThreadingModel"="Apartment"
    @="c:\\WINDOWS\\system32\\OLE32.DLL"
    "8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,76,be,2a,44,ea,\
    7a,bd,ed,6c,43,2d,1e,aa,22,2f,9c,9c,5a,37,a8,52,c7,0d,5a,6c,43,2d,1e,aa,22,\
    2f,9c,32,0b,c4,b7,01,d9,d9,f9,05,73,21,dd,54,d8,4a,c5,44,8b,ed,e2,ac,f2,b2,\
    45,f6,8e,8f,16
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1056)
    c:\program files\Softex\OmniPass\opxpgina.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe
    c:\windows\system32\scardsvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\digtizer.exe
    c:\windows\system32\igfxext.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\McAfee\MBK\MBackMonitor.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\o2flash.exe
    c:\program files\Softex\OmniPass\OmniServ.exe
    c:\program files\Softex\OmniPass\OPXPApp.exe
    c:\windows\system32\wisptis.exe
    c:\windows\system32\tabbtnu.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Microsoft Shared\Ink\tcserver.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Fujitsu\Utils\FjDspMon.exe
    c:\program files\Fujitsu\Utils\FjEvents.exe
    c:\program files\Fujitsu\Utils\FjMenu.exe
    c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    c:\windows\system32\igfxext.exe
    c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\McAfee\MPF\MpfSrv.exe
    c:\progra~1\McAfee\MSC\mcuimgr.exe
    c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    .
    **************************************************************************
    .
    Completion time: 2009-01-04 18:42:28 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-04 23:42:24

    Pre-Run: 79,633,453,056 bytes free
    Post-Run: 79,499,034,624 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    392 --- E O F --- 2008-12-19 15:16:44

  3. #13 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    hi,

    ComboFix removed some items. The rest look OK. I am surprised you didn't get some kind of warning or something before the install of the Recovery Console. It's really only installed as a precaution. Most computers do not have it installed and you most likely would never have to use it. There are directions for removing it, but I don't know if it's worth the trouble or risk to do so. Links:

    Near the bottom of the page:
    http://support.microsoft.com/kb/307654

    And here:
    http://www.bleepingcomputer.com/tuto...17.html#delete
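
The triage the helper does by eye on the log above (Security Center monitoring and the XP firewall switched off in the registry, the BITS site, the random-named scheduled task that launches rundll32.exe, the orphaned Winlogon Notify entry, the file catchme reports as hidden) can be scripted. The Python below is an added example, not ComboFix's or the forum's code; SAMPLE_LOG is a constructed excerpt mirroring the posted log, and the eight-letter random-name rule is a heuristic assumption.

```python
"""Triage a ComboFix log for the entries a removal helper reads first.

Added example, not ComboFix's or the forum's code.  SAMPLE_LOG is a constructed
excerpt mirroring the log posted in this thread; the random-name rule is a heuristic.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]
2009-01-04 c:\windows\Tasks\tnvrlbwf.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -
Notify-fcccYSmk - fcccYSmk.dll
scanning hidden files ...
c:\windows\system32\hpvaut32.dll 626960 bytes executable
scan completed successfully
hidden files: 1
"""

@dataclass(frozen=True)
class Finding:
    category: str
    detail: str

def _block(log: str, start: str, end_pattern: str) -> str:
    """Text after the first occurrence of `start`, up to the first line matching `end_pattern`."""
    _, sep, rest = log.partition(start)
    if not sep:
        return ""
    end = re.search(end_pattern, rest, re.M)
    return rest[: end.start()] if end else rest

def disabled_protections(log: str) -> list:
    """Security Center monitoring keys set to 1 and the XP firewall standard profile set to 0."""
    out = [Finding("security-center", f"monitoring disabled under {key}")
           for key in re.findall(
               r'^\[([^\]\n]*security center\\Monitoring[^\]\n]*)\]\s*"DisableMonitoring"=dword:00000001',
               log, re.I | re.M)]
    if re.search(r'^"EnableFirewall"=\s*0\b', log, re.M):
        out.append(Finding("firewall", "Windows Firewall standard profile disabled"))
    return out

def bits_sites(log: str) -> list:
    """URLs ComboFix lists as BITS download sources (it defangs them as hxxp)."""
    body = _block(log, "BITS: Possible infected sites", r"^\.$")
    return [Finding("bits", line) for line in body.splitlines() if line.startswith("hxxp")]

TASK_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \S.*?\\Tasks\\(?P<name>[^\\\n]+)\.job\r?\n- (?P<target>.+?) \[",
    re.I | re.M)

def suspicious_tasks(log: str) -> list:
    """Scheduled tasks that launch rundll32.exe or carry a random-looking 8-letter name."""
    out = []
    for m in TASK_RE.finditer(log):
        name, target = m["name"], m["target"]
        exe = target.rsplit("\\", 1)[-1].lower()
        # heuristic (assumption): eight lowercase letters with fewer than two vowels
        random_name = bool(re.fullmatch(r"[a-z]{8}", name)) and sum(c in "aeiou" for c in name) < 2
        if exe == "rundll32.exe" or random_name:
            out.append(Finding("task", f"{name}.job -> {target}"))
    return out

def orphaned_notify(log: str) -> list:
    """Winlogon Notify entries whose DLL is gone (the 'ORPHANS REMOVED' section)."""
    return [Finding("orphan", f"Winlogon Notify {name} -> {dll}")
            for name, dll in re.findall(r"^Notify-(\S+) - (\S+\.dll)$", log, re.M)]

def hidden_files(log: str) -> list:
    """Files the catchme rootkit scan reports as hidden from the file-system API."""
    body = _block(log, "scanning hidden files ...", r"^scan completed")
    return [Finding("hidden", f"{path} ({size} bytes)")
            for path, size in re.findall(r"^(\S.*?) (\d+) bytes executable$", body, re.M)]

def triage(log: str) -> list:
    """Run every check over a log whose lines may carry pasted indentation."""
    log = "\n".join(line.strip() for line in log.splitlines())
    findings = []
    for check in (disabled_protections, bits_sites, suspicious_tasks, orphaned_notify, hidden_files):
        findings.extend(check(log))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}")
```

The flagged task is the same tnvrlbwf.job the helper later removes with a CFScript; the benign AppleSoftwareUpdate.job in the sample is left alone.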

  4. #14 Junior Member (Join Date: Dec 2008, Posts: 13)

    Alright, well I'll just keep it there for now and delete it later if it gives me trouble.

    Anything else I should do?

  5. #15 Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)

    hi,

    We will use ComboFix to remove a file:

    Click Start, then Run, type Notepad and click OK.
    Copy/paste the text in the code box below into Notepad:

    Code:
    File::
    c:\windows\Tasks\tnvrlbwf.job

    Name the Notepad file CFScript.txt and save it to your desktop.
    Now locate the file you just saved and the ComboFix icon, both on your desktop.
    Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
    Please post the new ComboFix log.

  6. #16 Junior Member (Join Date: Dec 2008, Posts: 13)

    Here you go. Though I noticed that it re-deleted hpvaut32.dll. That's odd...


    ComboFix 09-01-02.01 - Administrator 2009-01-04 21:04:59.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1364 [GMT -5:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated)
    FW: McAfee Personal Firewall *enabled*
    * Created a new restore point

    FILE ::
    c:\windows\Tasks\tnvrlbwf.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\hpvaut32.dll
    c:\windows\Tasks\tnvrlbwf.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
    .

    2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system32\drivers\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
    2009-01-04 01:33 . 2009-01-04 01:33 0 --a------ c:\windows\system\FUJITSU_A1B2H3E616B30001_WXPTPC.MKR
    2009-01-03 21:44 . 2009-01-03 21:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-01-03 21:44 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-03 21:43 . 2009-01-03 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-03 21:43 . 2009-01-03 21:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-03 21:43 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-29 12:54 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\McAfee
    2008-12-29 00:36 . 2008-12-29 00:36 <DIR> d-------- C:\VundoFix Backups
    2008-12-28 19:22 . 2008-12-28 19:22 95 --a------ c:\windows\wininit.ini
    2008-12-28 19:05 . 2008-12-28 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-28 19:05 . 2008-12-28 22:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-20 19:38 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
    2008-12-20 19:38 . 2009-01-04 21:01 10,621 --a------ c:\windows\system32\Config.MPF
    2008-12-20 19:35 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
    2008-12-20 19:35 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
    2008-12-20 19:35 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
    2008-12-20 19:35 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
    2008-12-20 19:35 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
    2008-12-20 19:35 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
    2008-12-20 19:34 . 2008-12-20 19:34 <DIR> d-------- c:\program files\McAfee.com
    2008-12-20 19:34 . 2008-12-28 11:21 <DIR> d-------- c:\program files\McAfee
    2008-12-20 19:34 . 2008-12-20 19:35 <DIR> d-------- c:\program files\Common Files\McAfee
    2008-12-20 19:02 . 2008-12-29 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
    2008-12-19 10:16 . 2008-12-19 10:16 <DIR> d-------- c:\program files\MSXML 4.0
    2008-12-18 16:56 . 2008-12-18 16:56 <DIR> d-------- c:\program files\Common Files\Pinnacle
    2008-12-18 16:56 . 2005-09-24 02:18 171,520 --a------ c:\windows\system32\drivers\MarvinBus.sys
    2008-12-18 16:55 . 2008-12-18 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Pinnacle
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Yahoo!
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\program files\Common Files\Pegasus Imaging
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Studio 12
    2008-12-18 16:49 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle Studio Plus
    2008-12-18 16:44 . 2008-12-18 16:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pinnacle
    2008-12-18 01:41 . 2008-12-18 01:41 <DIR> d-------- c:\program files\Common Files\HP
    2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\program files\Hewlett-Packard
    2008-12-18 01:39 . 2008-12-18 01:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2008-12-18 01:38 . 2004-05-11 13:53 82,432 -ra------ c:\windows\system32\MSXML4r.dll
    2008-12-18 01:38 . 2004-05-11 13:53 44,544 -ra------ c:\windows\system32\MSXML4a.dll
    2008-12-18 01:37 . 2008-12-18 01:37 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2008-12-18 01:33 . 2004-03-18 19:53 278,584 --a------ c:\windows\system32\HPZidr12.dll
    2008-12-18 01:33 . 2004-03-18 19:56 204,800 --a------ c:\windows\system32\HPZipr12.dll
    2008-12-18 01:33 . 2004-03-18 19:39 94,208 --a------ c:\windows\system32\HPZipt12.dll
    2008-12-18 01:33 . 2004-03-18 19:55 65,536 --a------ c:\windows\system32\HPZipm12.exe
    2008-12-18 01:33 . 2004-03-18 19:38 61,440 --a------ c:\windows\system32\HPZinw12.exe
    2008-12-18 01:33 . 2004-03-18 19:39 57,344 --a------ c:\windows\system32\HPZisn12.dll
    2008-12-18 01:32 . 1998-10-29 19:45 306,688 --a------ c:\windows\IsUninst.exe
    2008-12-18 01:31 . 2008-12-18 01:43 <DIR> d-------- c:\program files\HP
    2008-12-18 01:28 . 2008-12-18 01:44 104,294 --a------ c:\windows\hpoins04.dat
    2008-12-18 01:28 . 2004-06-21 05:14 17,176 --------- c:\windows\hpomdl04.dat
    2008-12-18 01:26 . 2004-04-12 06:10 581,632 -ra------ c:\windows\system32\hpotscl.dll
    2008-12-18 01:26 . 2004-03-13 06:32 278,528 -ra------ c:\windows\system32\hpgwiamd.dll
    2008-12-18 01:26 . 2004-03-13 06:34 270,336 -ra------ c:\windows\system32\HPZc3212.dll
    2008-12-18 01:26 . 2004-04-12 06:10 90,112 -ra------ c:\windows\system32\hpovst08.dll
    2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
    2008-12-18 01:26 . 2008-04-13 14:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
    2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2008-12-18 01:26 . 2008-04-13 14:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
    2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
    2008-12-18 01:14 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
    2008-12-09 10:56 . 2008-12-09 10:56 <DIR> d--h----- c:\windows\system32\GroupPolicy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-28 05:51 --------- d-----w c:\program files\Jasc Software Inc
    2008-12-21 00:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-20 23:57 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-12-20 23:57 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
    2008-12-20 23:55 --------- d-----w c:\program files\Symantec
    2008-12-16 17:43 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
    2008-12-15 03:16 --------- d-----w c:\documents and settings\Administrator\Application Data\gtk-2.0
    2008-12-02 07:56 --------- d-----w c:\documents and settings\Administrator\Application Data\Jasc
    2008-12-02 01:22 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
    2008-12-02 01:22 --------- d-----w c:\documents and settings\Administrator\Application Data\CyberLink
    2008-12-02 00:32 --------- d-----w c:\program files\iTunes
    2008-12-02 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-02 00:31 --------- d-----w c:\program files\iPod
    2008-12-02 00:31 --------- d-----w c:\program files\Common Files\Apple
    2008-12-02 00:30 --------- d-----w c:\program files\QuickTime
    2008-11-28 05:46 --------- d-----w c:\program files\GIMP-2.0
    2008-11-22 03:04 --------- d-----w c:\program files\Web Publish
    2008-11-14 06:10 --------- d-----w c:\program files\Bonjour
    2008-11-14 06:10 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2008-11-14 06:10 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
    2008-11-14 06:09 --------- d-----w c:\program files\Apple Software Update
    2008-11-14 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
    2008-11-13 19:01 --------- d-----w c:\program files\StillSecure
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-07-21 23:14 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072120080722\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-13 16384]
    "TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-13 271872]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 794713]
    "IndicatorUtility"="c:\program files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2006-07-12 90112]
    "LoadFUJ02E3"="c:\program files\Fujitsu\FUJ02E3\FUJ02E3.exe" [2006-11-17 80688]
    "LoadBtnHnd"="c:\program files\Fujitsu\BtnHnd\BtnHnd.exe" [2003-08-20 61440]
    "SSUtility"="c:\program files\Fujitsu\SSUtility\FJSSDMN.exe" [2006-07-22 233472]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-02-20 366400]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-04-19 220160]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
    "FjStrtAp"="c:\program files\Fujitsu\Utils\FjStrtAp.exe" [2007-03-13 20480]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
    "OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2006-06-10 1966080]
    "FJUPDNV_Chitose"="c:\program files\Fujitsu\fjdvrupd\fjdvrupd.exe" [2006-07-21 303104]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "NACSysTray"="c:\program files\StillSecure\NAC Agent\SAService.exe" [2008-04-23 1052672]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
    "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
    "MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
    "RTHDCPL"="RTHDCPL.EXE" [2007-03-12 c:\windows\RTHDCPL.exe]
    "AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 c:\windows\AGRSMMSG.exe]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
    HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
    2008-04-13 19:11 47104 c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
    2006-06-10 19:02 49152 c:\program files\Softex\OmniPass\OPXPGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
    2002-08-29 05:41 11776 c:\windows\system32\tabbtnwl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
    2008-04-13 19:12 32256 c:\windows\system32\tpgwlnot.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1500:TCP"= 1500:TCP:NAC Agent Port

    R0 FBIOSDRV;FBIOSDRV;c:\windows\system32\drivers\FBIOSDRV.SYS [2007-04-19 8960]
    R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.SYS [2007-04-19 10496]
    R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2007-04-19 7168]
    R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2006-10-03 36640]
    R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2006-10-12 33152]
    R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2007-04-19 17920]
    R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2007-04-19 4864]
    R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [2007-04-19 30976]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-04-19 36608]
    R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-03-08 92550]
    R4 NACAgent;NAC Agent;c:\program files\StillSecure\NAC Agent\SAService.exe [2008-04-23 1052672]
    S3 ADVNTDRV;ADVNTDRV;c:\windows\system32\drivers\ADVNTDRV.SYS [1999-11-18 3872]
    S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2007-04-18 14208]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dfe502f-b846-11dd-9177-00215c0a490d}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{994bdc00-b1b7-11dd-af72-00215c0a490d}]
    \Shell\AutoRun\command - E:\CA_EDGEmobile.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

    2008-12-21 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2008-12-21 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

    2009-01-04 c:\windows\Tasks\WebReg 20081226224515.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

    2009-01-04 c:\windows\Tasks\WebReg 20090103224534.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]

    2009-01-04 c:\windows\Tasks\WebReg 20090103224541.job
    - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2004-05-29 01:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hermits.com/flash.asp
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

    O16 -: {0D6BB8B8-0257-420C-B9EB-CFA90DB1026C} - hxxps://safeaccess.hermits.com:89/setup.cab
    c:\windows\Downloaded Program Files\Setup.inf
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dgttzt1l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.hermits.com/flash.asp
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-04 21:06:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1056)
    c:\program files\Softex\OmniPass\opxpgina.dll
    .
    Completion time: 2009-01-04 21:07:12
    ComboFix-quarantined-files.txt 2009-01-05 02:07:09
    ComboFix2.txt 2009-01-04 23:42:29

    Pre-Run: 79,469,232,128 bytes free
    Post-Run: 79,453,270,016 bytes free

    263 --- E O F --- 2008-12-19 15:16:44
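A small triage helper for logs like the one above, added here as an example and not part of the thread or of ComboFix itself. It pulls the "Reg Loading Points" section out of a ComboFix log and groups the entries a reviewer looks at first: Run-key autostarts, Security Center monitoring that has been switched off, a disabled Windows Firewall standard profile, and AutoRun commands registered for removable volumes. The sample input is a constructed excerpt made of lines copied from the log above; the section delimiters are an assumption based on that log's layout. Note that third-party suites such as the McAfee products in this log legitimately set `DisableMonitoring` and turn the built-in firewall off, so these are prompts for review, not verdicts.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3dfe502f-b846-11dd-9177-00215c0a490d}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"""

# Assumed delimiters: the banner that opens the section and the heading that follows it.
SECTION_START = "Reg Loading Points"
SECTION_END = "Contents of the 'Scheduled Tasks' folder"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")


def extract_section(log: str) -> List[str]:
    """Return the stripped lines between the section banner and the next heading."""
    lines: List[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if not inside:
            inside = SECTION_START in line
            continue
        if line.startswith(SECTION_END):
            break
        lines.append(line)
    return lines


def parse_entries(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Turn the section into (registry_key, value_name, value_data) triples.

    ComboFix prints mountpoints2 AutoRun commands without a value name; those
    are reported under the pseudo-name 'AutoRun'."""
    entries: List[Tuple[str, str, str]] = []
    key = ""
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # subsequent values belong to this key
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((key, "AutoRun", m.group("cmd")))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("value").strip()))
    return entries


def triage(log: str) -> Dict[str, List[str]]:
    """Group parsed entries into the buckets a reviewer checks first."""
    report: Dict[str, List[str]] = {
        "autostart": [],            # Run-key entries, for manual review
        "monitoring_disabled": [],  # Security Center told not to monitor
        "firewall_off": [],         # Windows Firewall standard profile disabled
        "autorun": [],              # AutoRun commands tied to removable volumes
    }
    for key, name, value in parse_entries(extract_section(log)):
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            report["autostart"].append(f"{name} -> {value}")
        elif r"security center\monitoring" in k and name == "DisableMonitoring" and value.endswith("1"):
            report["monitoring_disabled"].append(key)
        elif k.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            report["firewall_off"].append(key)
        elif "mountpoints2" in k and name == "AutoRun":
            report["autorun"].append(value)
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print(f"  {item}")
```

Run it against a full log by passing the file contents to `triage()`; the autostart bucket is deliberately left unfiltered, because which Run entries are suspicious depends on the machine, whereas the other three buckets are settings worth confirming with the owner whatever software is installed.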

  7. #17
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    hi,

    Thanks for the info. Looks OK to me. You can remove ComboFix like this:

    Start > Run and type in:
    combofix /u
    Click OK or press Enter.
    Note: there is a space after the x and before the /

    Keep MBAM and always check for updates before scanning with it. The paid version offers auto updates and real time protection.

    MBAM does a good job of removing malware from the restore archive, but you can manually make a new clean restore point like this:

    One of the features of Windows ME, XP and Vista is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (winXP)

    1. Turn off System Restore. (deletes old possibly infected restore point)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore. (new restore points on a clean system)
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-check *Turn off System Restore*.
    Click Apply, and then click OK, then reboot.

    If all is good, some tips for you:

    Reducing Your Risk To Malware:
    The Short Version:

    1) Keep your OS (Windows), browser (IE, FireFox) and other software up to date to "patch" vulnerabilities. Always install Service Packs.

    2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons. You may be installing more than you think.

    3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.

    4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

    5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

    7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

    8) Install a third party software firewall.

    9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

    10) If your habits include warez, cracks, etc., or you install files via p2p networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

    A longer version is in the link below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?

  8. #18
    Junior Member
    Join Date
    Dec 2008
    Posts
    13

    Default

    Thank you very much for the help; everything looks to be in order now.

    I'll post again if I have more problems, but again, I can't thank you enough.
