Virtumonde.prx, another log for you guys

Status
Not open for further replies.

prenanz

New member
So, after Virtumonde.prx showed up in a Spybot scan of my friend's notebook, I did the ComboFix and HijackThis steps, as illustrated in the other threads. I had some problems disabling TeaTimer; it kept starting with Windows, though. Anyway, these are the logs:

ComboFix 08-07-14.2 - Fra 2008-07-15 14.31.23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1040.18.681 [GMT 2:00]
Run by: C:\Documents and Settings\Fra\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Fra\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\fhhowitd.ini
C:\WINDOWS\system32\ljJASjJB.dll
C:\WINDOWS\system32\nnnoPFxU.dll
C:\WINDOWS\system32\OortvGgh.ini
C:\WINDOWS\system32\OortvGgh.ini2
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wvUnNhij.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created From 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))))))
.

2008-06-25 00:57 . 2008-06-25 00:57 <DIR> d-------- C:\Programmi\Google
2008-06-25 00:45 . 2008-06-25 00:45 <DIR> d-------- C:\Documents and Settings\Fra\Dati applicazioni\Nero
2008-06-25 00:44 . 2008-06-25 00:44 <DIR> d-------- C:\Programmi\File comuni\Nero
2008-06-25 00:44 . 2008-06-25 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Nero
2008-06-25 00:44 . 2006-03-17 11:45 1,757,184 --a------ C:\WINDOWS\system32\imagX7.dll
2008-06-25 00:44 . 2006-03-17 11:45 802,816 --a------ C:\WINDOWS\system32\imagXRA7.dll
2008-06-25 00:44 . 2006-03-17 11:45 497,296 --a------ C:\WINDOWS\system32\imagXpr7.dll
2008-06-25 00:44 . 2006-03-17 14:49 368,640 --a------ C:\WINDOWS\system32\TwnLib4.dll
2008-06-25 00:44 . 2006-03-17 11:45 258,048 --a------ C:\WINDOWS\system32\imagXR7.dll
2008-06-25 00:16 . 2008-06-25 00:16 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-25 00:14 . 2008-06-14 19:32 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-25 00:13 . 2008-05-08 16:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-25 00:07 . 2008-06-25 00:07 <DIR> d-------- C:\Documents and Settings\Fra\Dati applicazioni\TuneUp Software
2008-06-25 00:07 . 2008-06-25 00:07 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-06-25 00:07 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-06-25 00:06 . 2008-06-25 00:07 <DIR> d-------- C:\Programmi\TuneUp Utilities 2008
2008-06-25 00:06 . 2008-06-25 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\TuneUp Software
2008-06-25 00:05 . 2008-06-25 00:05 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-06-25 00:03 . 2008-06-25 00:04 <DIR> d-------- C:\Programmi\TagRename
2008-06-25 00:01 . 2008-04-10 12:08 71,184 -ra------ C:\WINDOWS\system32\drivers\DefragFS.sys
2008-06-24 23:56 . 2008-06-25 00:01 <DIR> d-------- C:\Programmi\PerfectDisk2008
2008-06-24 23:55 . 2008-06-24 23:56 <DIR> d-------- C:\Programmi\PerfectDisk2008Install
2008-06-24 23:52 . 2008-06-24 23:52 <DIR> d-------- C:\Documents and Settings\Fra\Dati applicazioni\ACD Systems
2008-06-24 23:49 . 2008-06-24 23:49 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\ACD Systems
2008-06-24 23:48 . 2008-06-24 23:49 <DIR> d-------- C:\Programmi\File comuni\ACD Systems
2008-06-24 23:48 . 2008-06-24 23:48 <DIR> d-------- C:\Programmi\ACD Systems
2008-06-24 23:46 . 2008-06-24 23:46 <DIR> d-------- C:\Programmi\Washer
2008-06-24 23:46 . 2008-06-24 23:46 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Webroot
2008-06-24 23:42 . 2008-06-24 23:46 <DIR> d-------- C:\Programmi\Your Uninstaller 2008
2008-06-24 23:17 . 2008-06-24 23:17 <DIR> d-------- C:\Programmi\File comuni\Skype
2008-06-24 23:17 . 2008-06-24 23:17 <DIR> d-------- C:\Documents and Settings\Fra\Dati applicazioni\skypePM
2008-06-24 23:17 . 2008-06-24 23:17 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-20 19:46 . 2008-06-20 19:46 247,296 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 19:46 . 2008-06-20 19:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 13:51 . 2008-06-20 13:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 13:40 . 2008-06-20 13:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 13:08 . 2008-06-20 13:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 16:00 . 2008-06-19 16:38 <DIR> d-------- C:\Programmi\VSO
2008-06-19 16:00 . 2008-06-19 19:29 <DIR> d-------- C:\Documents and Settings\Fra\Dati applicazioni\Vso
2008-06-19 16:00 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-06-19 16:00 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-06-19 16:00 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-06-19 16:00 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-06-19 16:00 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-06-19 16:00 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-06-19 16:00 . 2008-06-19 16:00 87,608 --a------ C:\Documents and Settings\Fra\Dati applicazioni\inst.exe
2008-06-19 16:00 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-06-19 16:00 . 2008-06-19 16:00 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-19 16:00 . 2008-06-19 16:00 47,360 --a------ C:\Documents and Settings\Fra\Dati applicazioni\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 11:44 --------- d-----w C:\Programmi\Thunderbird
2008-07-15 07:49 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2008-07-15 07:44 --------- d-----w C:\Documents and Settings\Fra\Dati applicazioni\uTorrent
2008-07-14 16:41 106,496 ----a-w C:\WINDOWS\DUMPab34.tmp
2008-07-13 21:08 98,304 ----a-w C:\WINDOWS\DUMPbc89.tmp
2008-07-10 23:29 98,304 ----a-w C:\WINDOWS\DUMPbf19.tmp
2008-07-09 23:16 --------- d-----w C:\Programmi\Winamp
2008-07-08 23:57 98,304 ----a-w C:\WINDOWS\DUMPaf6b.tmp
2008-07-07 21:26 --------- d-----w C:\Programmi\FreePOPs
2008-07-07 11:20 106,496 ----a-w C:\WINDOWS\DUMP9de6.tmp
2008-07-02 23:57 --------- d-----w C:\Programmi\BSplayerPro
2008-07-02 11:09 106,496 ----a-w C:\WINDOWS\DUMP9d68.tmp
2008-07-01 11:37 98,304 ----a-w C:\WINDOWS\DUMPaefc.tmp
2008-06-29 22:17 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-06-24 22:44 --------- d-----w C:\Programmi\Nero
2008-06-24 21:53 --------- d-----w C:\Programmi\VideoLAN
2008-06-24 21:46 --------- d-----w C:\Programmi\File comuni\Webroot Shared
2008-06-24 21:46 --------- d-----w C:\Documents and Settings\Fra\Dati applicazioni\Webroot
2008-06-24 21:42 --------- d-----w C:\Documents and Settings\Fra\Dati applicazioni\URSoft
2008-06-24 21:19 --------- d-----w C:\Documents and Settings\Fra\Dati applicazioni\Skype
2008-06-24 21:02 --------- d-----w C:\Programmi\RAXCO
2008-06-24 21:00 --------- d-----w C:\Programmi\File comuni\Ahead
2008-06-23 11:00 106,496 ----a-w C:\WINDOWS\DUMPb640.tmp
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 13:50 106,496 ----a-w C:\WINDOWS\DUMPaf3b.tmp
2008-06-18 21:48 106,496 ----a-w C:\WINDOWS\DUMPb630.tmp
2008-06-16 23:57 98,304 ----a-w C:\WINDOWS\DUMPae9f.tmp
2008-06-16 23:56 98,304 ----a-w C:\WINDOWS\DUMPb70b.tmp
2008-06-16 12:17 98,304 ----a-w C:\WINDOWS\DUMPa846.tmp
2008-06-16 12:16 98,304 ----a-w C:\WINDOWS\DUMPafc8.tmp
2008-06-14 17:32 272,768 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-14 03:26 106,496 ----a-w C:\WINDOWS\DUMPb083.tmp
2008-06-09 17:21 --------- d-----w C:\Documents and Settings\Fra\Dati applicazioni\Sony
2008-06-09 17:21 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Sony
2008-06-09 17:17 --------- d-----w C:\Programmi\Sony Ericsson
2008-06-09 17:15 --------- d-----w C:\Programmi\QuickTime
2008-06-09 16:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-06-09 16:49 --------- d-----w C:\Programmi\Apple Software Update
2008-06-09 16:48 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2008-06-09 16:40 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-06-09 16:40 --------- d-----w C:\Programmi\Avanquest update
2008-06-09 16:40 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\BVRP Software
2008-06-09 16:39 --------- d-----w C:\Documents and Settings\Fra\Dati applicazioni\InstallShield
2008-06-09 16:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Sony Ericsson
2008-06-09 12:20 106,496 ----a-w C:\WINDOWS\DUMPb361.tmp
2008-06-08 22:11 106,496 ----a-w C:\WINDOWS\DUMPa3e4.tmp
2008-06-08 22:10 98,304 ----a-w C:\WINDOWS\DUMPae61.tmp
2008-06-04 12:22 98,304 ----a-w C:\WINDOWS\DUMPae60.tmp
2008-05-25 23:06 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-05-25 22:23 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-05-25 22:05 --------- d-----w C:\Programmi\Unlocker
2008-05-24 18:55 23,376 ----a-w C:\Documents and Settings\Fra\plocvddw.exe
2008-05-23 17:38 --------- d-----w C:\Programmi\Mobile Partner
2008-05-23 13:27 --------- d-----w C:\Programmi\Vodafone
2008-05-23 00:56 --------- d-----w C:\Programmi\MSN Messenger
2008-05-18 21:39 --------- d-----w C:\Programmi\ESET Smart Security
2008-05-10 11:18 98,304 ----a-w C:\WINDOWS\DUMPa008.tmp
2008-05-10 11:17 98,304 ----a-w C:\WINDOWS\DUMPac4d.tmp
2008-05-09 17:11 106,496 ----a-w C:\WINDOWS\DUMPaa3a.tmp
2008-05-07 01:07 106,496 ----a-w C:\WINDOWS\DUMP9cad.tmp
2008-05-07 01:05 106,496 ----a-w C:\WINDOWS\DUMP9615.tmp
2008-05-03 23:33 98,304 ----a-w C:\WINDOWS\DUMPa3f0.tmp
2008-05-02 23:10 106,496 ----a-w C:\WINDOWS\DUMP9d0e.tmp
2008-04-30 09:35 106,496 ----a-w C:\WINDOWS\DUMPb1fc.tmp
2008-04-30 09:33 98,304 ----a-w C:\WINDOWS\DUMPb759.tmp
2008-04-28 11:43 98,304 ----a-w C:\WINDOWS\DUMP9e53.tmp
2008-04-28 11:42 98,304 ----a-w C:\WINDOWS\DUMPaeae.tmp
2008-04-27 21:01 98,304 ----a-w C:\WINDOWS\DUMPcb5e.tmp
2008-04-27 20:59 98,304 ----a-w C:\WINDOWS\DUMP9d78.tmp
2008-04-27 20:58 98,304 ----a-w C:\WINDOWS\DUMPab63.tmp
2008-04-27 10:08 106,496 ----a-w C:\WINDOWS\DUMPd234.tmp
2008-04-27 10:05 98,304 ----a-w C:\WINDOWS\DUMP9f3f.tmp
2008-04-27 10:04 98,304 ----a-w C:\WINDOWS\DUMPad19.tmp
2008-04-25 21:10 106,496 ----a-w C:\WINDOWS\DUMPa559.tmp
2008-04-25 21:08 106,496 ----a-w C:\WINDOWS\DUMPa7ba.tmp
2008-04-24 10:13 98,304 ----a-w C:\WINDOWS\DUMPb3bf.tmp
2008-04-24 10:11 98,304 ----a-w C:\WINDOWS\DUMPc033.tmp
2008-04-23 22:07 106,496 ----a-w C:\WINDOWS\DUMPb873.tmp
2008-04-22 11:41 98,304 ----a-w C:\WINDOWS\DUMPb1fb.tmp
2008-04-22 11:40 106,496 ----a-w C:\WINDOWS\DUMPb5d2.tmp
2008-04-21 16:24 106,496 ----a-w C:\WINDOWS\DUMPb381.tmp
2008-04-21 16:21 98,304 ----a-w C:\WINDOWS\DUMPb8a1.tmp
2008-04-20 19:12 98,304 ----a-w C:\WINDOWS\DUMPb882.tmp
2008-04-18 10:50 98,304 ----a-w C:\WINDOWS\DUMPac1e.tmp
2008-04-18 10:48 106,496 ----a-w C:\WINDOWS\DUMPabef.tmp
2008-04-17 17:11 106,496 ----a-w C:\WINDOWS\DUMPb46b.tmp
2008-04-16 21:29 106,496 ----a-w C:\WINDOWS\DUMPb11f.tmp
2008-04-16 21:26 106,496 ----a-w C:\WINDOWS\DUMPb0b2.tmp
2008-04-15 11:31 106,496 ----a-w C:\WINDOWS\DUMPb892.tmp
2008-04-15 11:28 98,304 ----a-w C:\WINDOWS\DUMPb7a7.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate/default entries are not shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:14 15360]
"SpybotSD TeaTimer"="C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"msnmsgr"="C:\Programmi\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Index Washer"="C:\Programmi\Washer\WashIdx.exe" [2007-11-26 14:47 55624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Programmi\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 21:12 102492]
"SynTPEnh"="C:\Programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 21:11 692316]
"Cpqset"="C:\Programmi\HPQ\Default Settings\cpqset.exe" [2004-03-18 10:18 204862]
"eabconfg.cpl"="C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe" [2003-11-18 09:31 241664]
"egui"="C:\Programmi\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-02-03 11:26 3072000]
"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2008-03-27 08:35 36352]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 04:14 110592 C:\WINDOWS\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2004-02-03 11:26 753664 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\uTorrent\\utorrent.exe"=
"C:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"C:\\Programmi\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"C:\\Programmi\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 04:14]
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys [2003-08-15 17:10]
S2 PD91Agent;PD91Agent;C:\Programmi\PerfectDisk2008\PD91Agent.exe [2008-04-16 13:00]
S2 wwEngineSvc;Window Washer Engine;C:\Programmi\Washer\WasherSvc.exe [2007-11-26 14:47]
S3 DCamUSBET;Micrometrics 122CU;C:\WINDOWS\system32\DRIVERS\etDevice.sys [2005-07-01 17:14]
S3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\system32\DRIVERS\etFilter.sys [2005-07-12 17:10]
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys [2003-02-24 09:36]
S3 PD91Engine;PD91Engine;C:\Programmi\PerfectDisk2008\PD91Engine.exe [2008-04-16 13:00]
S3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\system32\DRIVERS\etScan.sys [2005-07-01 17:14]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-06-25 00:07]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed177dd5-28d0-11dd-91dd-00904b589034}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed177dd8-28d0-11dd-91dd-00904b589034}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd2a7c38-28cb-11dd-91dc-00904b589034}]
\Shell\AutoRun\command - E:\VMC_PBStarter.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-07-15 12:37:44 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programmi\TuneUp Utilities 2008\OneClickStarter.exe
"2008-06-09 16:49:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
BHO-{1ECC1816-1E36-45C4-A128-2A352637275D} - (no file)
Notify-iifdabcC - iifdabcC.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 14:38:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programmi\HPQ\Default Settings\cpqset.exe????????????4?5?5?4??????? ?|?B???????????????B????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Scan finished at: 2008-07-15 14:47:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 12:46:38

12 Directory(s) 5,933,735,936 bytes free
16 Directory(s) 5,825,671,168 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

269 --- E O F --- 2008-07-15 07:49:35

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.49.54, on 15/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Append to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174641814066
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Programmi\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Programmi\PerfectDisk2008\PD91Engine.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Programmi\Washer\WasherSvc.exe


--
End of file - 6880 bytes

By the way, thank you guys.
 
I just did a scan with Spybot, and it doesn't find Virtumonde.prx anymore. Can I consider that computer clean?
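One way to triage logs like the two above mechanically, as an added example that is not part of the original post and is not code from ComboFix, HijackThis or Spybot: the Python below runs a handful of heuristics over lines copied from the ComboFix log (the deleted files, the Security Center values, a mountpoints2 AutoRun entry, the removed orphans, plus two benign file entries from the same log as negative controls). The indicator classes, the regular expressions, the category names and the `looks_random` rule (eight letters, no digits, mixed case) are my own assumptions about what Vundo-style droppings look like, not anything either tool outputs or documents. The WinPcap components ComboFix also deleted (npf.sys, packet.dll, wpcap.dll) are deliberately left unflagged: they are a legitimate capture library whose presence needs context to judge.

```python
"""Triage heuristics for a ComboFix / HijackThis log (added example code,
not part of the original post and not code from either tool).  Each hit is
a lead for an analyst to confirm, never a verdict on its own."""
import re
from collections import Counter

# Sample input: lines copied from the ComboFix log posted above, plus two
# benign file-list lines from the same log as negative controls.
SAMPLE_LOG = r"""
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\fhhowitd.ini
C:\WINDOWS\system32\ljJASjJB.dll
C:\WINDOWS\system32\nnnoPFxU.dll
C:\WINDOWS\system32\OortvGgh.ini
C:\WINDOWS\system32\OortvGgh.ini2
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wvUnNhij.dll
2008-06-25 00:44 . 2006-03-17 11:45 1,757,184 --a------ C:\WINDOWS\system32\imagX7.dll
2008-06-25 00:44 . 2006-03-17 14:49 368,640 --a------ C:\WINDOWS\system32\TwnLib4.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed177dd5-28d0-11dd-91dd-00904b589034}]
\Shell\AutoRun\command - E:\AutoRun.exe
BHO-{14370F76-7676-44A2-AD11-93A31C5FC9FC} - (no file)
BHO-{1ECC1816-1E36-45C4-A128-2A352637275D} - (no file)
Notify-iifdabcC - iifdabcC.dll
"""

# A system32 file whose base name is exactly 8 letters (no digits) with a
# .dll, .ini or .ini2 extension; matches the tail of a ComboFix file line.
RANDOM_NAME_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.(dll|ini2?)$")
# A value of 1 silences the Security Center warning for that component.
SC_DISABLE_RE = re.compile(r'^"(AntiVirus|Firewall|Updates)DisableNotify"=dword:0*1$')
# AutoRun command registered for a mounted drive under mountpoints2.
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
# ComboFix "ORPHANS REMOVED" entries: a Winlogon Notify DLL, a BHO with no file.
NOTIFY_RE = re.compile(r"^Notify-\S+ - (\S+\.dll)$")
BHO_ORPHAN_RE = re.compile(r"^BHO-(\{[0-9A-Fa-f-]{36}\}) - \(no file\)$")


def looks_random(base):
    """Assumed Vundo-style naming: 8 letters, no digits, both cases present.
    Legitimate 8-letter mixed-case DLLs exist, so a hit is a lead, not proof."""
    return (len(base) == 8 and base.isalpha()
            and any(c.isupper() for c in base)
            and any(c.islower() for c in base))


def triage(log_text):
    """Walk a log and return (category, evidence) pairs for suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RANDOM_NAME_RE.search(line)
        if m:
            base, ext = m.group(1), m.group(2)
            # A .dll must also show mixed case; an 8-letter .ini/.ini2 dropped
            # into system32 is unusual enough to flag regardless of case.
            if ext != "dll" or looks_random(base):
                findings.append(("random-name-system32", f"{base}.{ext}"))
            continue
        m = SC_DISABLE_RE.match(line)
        if m:
            findings.append(("security-center-notify-off", m.group(1)))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(("drive-autorun", m.group(1)))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            findings.append(("winlogon-notify-orphan", m.group(1)))
            continue
        m = BHO_ORPHAN_RE.match(line)
        if m:
            findings.append(("bho-orphan", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per category; an empty dict means nothing was flagged."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    for category, evidence in triage(SAMPLE_LOG):
        print(f"{category:28} {evidence}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run as-is it prints each finding and a per-category count for the sample lines. An empty summary means only that nothing matched these particular naming and registry patterns, which is a weaker statement than "the machine is clean": the rules encode what is visible in this one log, and a fresh log from a rebooted machine, not a re-run of the same scanner, is what shows whether the droppings came back.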
 
Hello prenanz,

Because of the volume of posts to your own topic, it may have appeared you were already being assisted.

Apparently you missed our sticky topics:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

Do NOT run 'fixes' before helpers have analyzed the HJT log

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days

If you still require help, please start a new topic and include a fresh HijackThis log with a link to this thread in your new topic.

Best regards.
 