Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

[split] Virtumonde.sci

[split] Virtumonde.sci

Post by Vasilias » February 4th, 2009, 1:21 pm

I ran ComboFix; here are the results. Hope they help.

ComboFix 09-02-03.01 - Vasilias 2009-02-04 11:57:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -5:00]
Running from: f:\documents and settings\Vasilias\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\documents and settings\Vasilias\Application Data\inst.exe
f:\windows\system32\dpejghkc.dll
f:\windows\system32\FhghPqru.ini
f:\windows\system32\FhghPqru.ini2
f:\windows\system32\girmyitr.dll
f:\windows\system32\iihutbpn.dll
f:\windows\system32\ksopreqv.dll
f:\windows\system32\lapfwu.dll
f:\windows\system32\qfagtalq.dll
f:\windows\system32\qmldwpla.dll
f:\windows\system32\qtyrhj.dll
f:\windows\system32\tuqbmkqw.ini
f:\windows\system32\urqPhghF.dll
f:\windows\system32\xxywUKeB.dll
f:\windows\system32\zqkzib.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 11:44 . 2009-02-04 11:44 <DIR> d-------- f:\program files\Trend Micro
2009-02-03 12:24 . 2009-02-04 10:58 153 --a------ f:\windows\wininit.ini
2009-01-17 13:53 . 2009-01-17 13:53 410,984 --a------ f:\windows\system32\deploytk.dll
2009-01-16 12:43 . 2009-01-16 12:43 <DIR> d-------- f:\program files\Microsoft Office Outlook Connector
2009-01-12 17:44 . 2009-01-12 17:44 <DIR> d-------- f:\program files\iPod
2009-01-12 17:44 . 2009-01-12 17:44 <DIR> d-------- f:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-12 17:42 . 2009-01-12 17:42 <DIR> d-------- f:\program files\QuickTime
2009-01-12 17:40 . 2009-01-12 17:40 <DIR> d-------- f:\program files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 17:25 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-03 16:54 --------- d-----w f:\program files\Spybot - Search & Destroy
2009-02-01 02:58 --------- d-----w f:\documents and settings\Vasilias\Application Data\Azureus
2009-02-01 01:28 --------- d-----w f:\program files\Azureus
2009-01-28 06:47 --------- d-----w f:\program files\World of Warcraft
2009-01-17 18:53 --------- d-----w f:\program files\Java
2009-01-12 22:44 --------- d-----w f:\program files\iTunes
2009-01-12 22:43 --------- d-----w f:\program files\Bonjour
2008-12-17 22:36 --------- d-----w f:\program files\MobMapUpdater
2008-12-17 22:36 --------- d-----w f:\documents and settings\Vasilias\Application Data\MobMapUpdater
2008-12-10 05:05 --------- d-----w f:\program files\Ventrilo
2008-12-10 05:05 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2008-12-10 05:05 --------- d-----w f:\documents and settings\Vasilias\Application Data\Ventrilo
2008-01-17 04:34 47,360 -c--a-w f:\documents and settings\Vasilias\Application Data\pcouffin.sys
2007-12-07 23:28 32 -c--a-w f:\documents and settings\All Users\Application Data\ezsid.dat
2006-12-29 19:15 626,688 -c--a-w f:\program files\Common Files\sapconsaccess.dll
2006-12-29 19:15 40,960 -c--a-w f:\program files\Common Files\DigitalSignature.ocx
2006-12-29 19:15 3,100,672 -c--a-w f:\program files\Common Files\sapxlhelper.dll
2006-12-29 19:15 192,512 -c--a-w f:\program files\Common Files\sapconsr3.dll
2006-12-07 14:26 1,129,984 -c--a-w f:\program files\Common Files\SAPActiveXL.xlt
2006-12-07 14:26 1,124,864 -c--a-w f:\program files\Common Files\SAPActiveXL_nosig.xlt
1995-07-17 20:04 60,388 -c--a-w f:\documents and settings\Vasilias\PATCH.EXE
2008-05-23 01:10 32,768 -csha-w f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052220080523\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="f:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="f:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"CTSysVol"="f:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="f:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"UpdReg"="f:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="f:\program files\Java\jre6\bin\jusched.exe" [2009-01-17 136600]
"Launch LCDMon"="f:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="f:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"GrooveMonitor"="f:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"AppleSyncNotifier"="f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2008-10-07 f:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2007-04-09 f:\windows\system32\CtHelper.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 f:\windows\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 f:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="f:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 f:\windows\system32\narrator.exe]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - f:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-21 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 f:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=zqkzib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= f:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"f:\\Program Files\\Minilyrics\\MLSetup.exe"=
"f:\\Program Files\\Minilyrics\\MLStart.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\Azureus\\Azureus.exe"=
"f:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"f:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.EXE"=
"f:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=
"f:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"f:\\Program Files\\AIM6\\aim6.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"f:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"f:\\WINDOWS\\system32\\LEXPPS.EXE"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"<NO NAME>"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-03 24652]
S4 PRISMSVC;PRISMSVC;f:\windows\system32\PRISMSVC.exe [2007-09-13 57344]
.
- - - - ORPHANS REMOVED - - - -

BHO-{ba31978a-1517-42c3-b95f-2c256bc498c7} - f:\windows\system32\zqkzib.dll
BHO-{eebadb64-03e5-40d4-99f9-dccd67de337b} - f:\windows\system32\iihutbpn.dll
BHO-{F1C02436-7C80-4FC6-A2EA-86018558BD9A} - f:\windows\system32\urqPhghF.dll
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bus.ucf.edu/video/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - f:\documents and settings\Vasilias\Application Data\Mozilla\Firefox\Profiles\ruwhns3j.default\
FF - component: f:\documents and settings\Vasilias\Application Data\Mozilla\Firefox\Profiles\ruwhns3j.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: f:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 12:00:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1336601894-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:79,f4,00,ce,e9,50,ea,04,a9,fd,31,c2,98,0e,3b,a9,06,56,04,3b,f5,84,ce,
69,75,ba,41,fa,e1,57,d0,06,30,3f,35,2c,99,44,1f,2a,01,55,a2,b4,7a,0f,21,eb,\
"??"=hex:98,92,76,c1,aa,88,4f,41,49,86,ff,73,28,c6,e6,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
f:\program files\common files\logitech\bluetooth\LBTWlgn.dll
f:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
f:\windows\system32\LEXBCES.EXE
f:\windows\system32\LEXPPS.EXE
f:\windows\system32\PRISMSVR.exe
f:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\windows\system32\CTSVCCDA.EXE
f:\program files\Java\jre6\bin\jqs.exe
f:\windows\system32\nvsvc32.exe
f:\program files\Windows Media Player\wmpnetwk.exe
f:\windows\system32\rundll32.exe
f:\windows\system32\rundll32.exe
f:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
f:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
f:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
f:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-04 12:11:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 17:10:58

Pre-Run: 85,652,926,464 bytes free
Post-Run: 85,927,727,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
f:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

206 --- E O F --- 2007-09-14 04:41:55
Vasilias
Active Member
 
Posts: 9
Joined: February 4th, 2009, 12:46 pm

Re: [split] Virtumonde.sci

Post by NonSuch » February 4th, 2009, 7:11 pm

The information in the above post has been added to the first post in the poster's original topic, allowing the above post to be split off from the topic and archived.

This topic is now closed.

Poster's original topic is located here:

viewtopic.php?f=11&t=39573
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California