spyware/virtumonde and Generic Trojan



Post by MarcusW on Wed Oct 21, 2009 7:46 am

I noticed today that the idle sound in my headphones was different than it normally is (I always have a low sound in my headphones and I can basically hear when a program starts and stuff from alterations in that sound), so I brought up the activity manager (not sure that's what it is called, but it's the window popping up when you press Ctrl+Alt+Del) and saw rundll32.exe in there, which I figured was weird. Did a scan with Panda ActiveScan (tried Trend Micro online scan first, but after I accidentally shut down the window during a part of its process it quit working), which found spyware/virtumonde in c:\windows\system32\appsetup.exe and "Generic Trojan" in c:\documents and settings\marcus widlund\start-meny\program\autostart\lsass.exe

This is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:15, on 2009-10-21
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\vVX1000.exe
C:\Program\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\Logitech\MouseWare\system\em_exec.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Skype\Phone\Skype.exe
C:\Program\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program\OpenOffice.org 3\program\soffice.exe
C:\Program\OpenOffice.org 3\program\soffice.bin
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\PC Connectivity Solution\ServiceLayer.exe
C:\Program\Skype\Plugin Manager\skypePM.exe
C:\Program\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Documents and Settings\Marcus Widlund\Skrivbord\Geekpolice\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: lsass.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - [You must be registered and logged in to see this link.]
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O23 - Service: Tjänsten Google Update (gupdate1ca4bd364f38406) (gupdate1ca4bd364f38406) - Google Inc. - C:\Program\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6287 bytes

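The point this thread turns on is that lsass.exe and rundll32.exe are legitimate only when they run from the Windows system directory; the copy listed as "O4 - Startup: lsass.exe" in the log above sits in the user's Startup folder, which is why the scanners flag it while the System32 one in "Running processes" is fine. As an added example (not code from the forum or from HijackThis), this Python script parses the "Running processes" block and the O4 lines of a HijackThis log and flags core system process names found outside their expected directory; the sample log is constructed, and %SystemRoot% is assumed to be C:\WINDOWS as in the log above.

```python
import re
from typing import Dict, List, Tuple

# Core Windows XP processes and the single directory each legitimately runs from.
# Assumption for this example: %SystemRoot% is C:\WINDOWS, as in the log above.
EXPECTED_DIR: Dict[str, str] = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

Finding = Tuple[str, str]  # (where it was seen, why it is suspicious)


def _split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, file name) of a Windows path; surrounding quotes stripped."""
    path = path.strip().strip('"').lower()
    directory, _, name = path.rpartition("\\")
    return directory, name


def _first_token(command: str) -> str:
    """Executable part of a Run-key command line: a quoted path, or up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_path(source: str, path: str) -> List[Finding]:
    """Flag a full path whose file name is a core process but whose directory is not the expected one."""
    directory, name = _split_path(path)
    expected = EXPECTED_DIR.get(name)
    if expected is None or not directory:
        return []  # not a core process name, or a bare name with no directory to judge
    if directory != expected:
        return [(source, f"{name} located in {directory}, expected {expected}")]
    return []


RUN_RE = re.compile(r"O4 - HK.*?\\\.\.\\Run: \[[^\]]*\] (.+)")
STARTUP_RE = re.compile(r"O4 - Startup: (.+)")


def find_masquerades(log_text: str) -> List[Finding]:
    """Scan the 'Running processes' block and the O4 entries of a HijackThis log."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line closes the block
                in_processes = False
            else:
                findings += check_path(f"process: {line}", line)
            continue
        m = STARTUP_RE.match(line)
        if m:
            # Items here are files in the user's Startup folder; a core process name can
            # never legitimately sit there, since the real one lives in the system directory.
            item, sep, target = m.group(1).partition(" = ")
            name = item.strip().lower()
            if name in EXPECTED_DIR:
                findings.append((f"startup: {line}",
                                 f"{name} placed in the Startup folder, expected {EXPECTED_DIR[name]}"))
            if sep:  # a .lnk shortcut: also judge the target it points at
                findings += check_path(f"startup: {line}", target)
            continue
        m = RUN_RE.match(line)
        if m:
            findings += check_path(f"run: {line}", _first_token(m.group(1)))
    return findings


# Constructed sample in HijackThis format: two impostors added (svchost.exe under
# Application Data, rundll32.exe under the user profile) next to the Startup-folder
# lsass.exe seen in the log above, plus legitimate entries that must not be flagged.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\User\Application Data\svchost.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\User\rundll32.exe" /s
O4 - Startup: lsass.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program\OpenOffice.org 3\program\quickstart.exe
"""

if __name__ == "__main__":
    for source, reason in find_masquerades(SAMPLE_LOG):
        print(f"{source}\n    -> {reason}")
```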


Post by Dr Jay on Wed Oct 21, 2009 7:03 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Post by MarcusW on Thu Oct 22, 2009 5:00 am

I picked the Swedish installation of MBAM, which also prompted the log in Swedish, unfortunately. I'll paste it anyway and if it's an issue just tell me. I still have lsass.exe and rundll32.exe running when I open the activity manager, but maybe that is normal?

MBAM log:

Malwarebytes' Anti-Malware 1.41
Databasversion: 3009
Windows 5.1.2600 Service Pack 3

2009-10-22 10:44:52
mbam-log-2009-10-22 (10-44-52).txt

Skanningstyp: Fullständig skanning (C:\|)
Antal skannade objekt: 177674
Förfluten tid: 40 minute(s), 24 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 1

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
C:\Documents and Settings\Marcus Widlund\Start-meny\Program\Autostart\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.



Post by Dr Jay on Thu Oct 22, 2009 11:13 am

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.




Post by MarcusW on Mon Oct 26, 2009 5:43 am

Sorry, been away a while. Here goes:

ComboFix 09-10-25.02 - Marcus Widlund 2009-10-26 10:15.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1023.638 [GMT 1:00]
Körs från: c:\documents and settings\Marcus Widlund\skrivbord\commy.exe
Använda kommandoväxlar :: /stepdel
.

((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Marcus Widlund\Application Data\.#

.
(((((((((((((((((((((((( Filer Skapade från 2009-09-26 till 2009-10-26 ))))))))))))))))))))))))))))))
.

2009-10-22 11:44 . 2009-10-22 11:46 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\Move Networks
2009-10-22 07:56 . 2009-10-22 07:56 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\Malwarebytes
2009-10-22 07:56 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 07:56 . 2009-10-22 07:56 -------- d-----w- c:\program\Malwarebytes' Anti-Malware
2009-10-22 07:56 . 2009-10-22 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 07:56 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 05:17 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-21 05:17 . 2009-10-21 05:17 -------- d-----w- c:\program\Panda Security
2009-10-21 04:23 . 2009-10-21 04:32 -------- d-----w- c:\documents and settings\Marcus Widlund\.housecall6.6
2009-10-13 07:05 . 2009-05-13 21:56 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-10-13 07:05 . 2009-05-13 21:56 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-10-13 07:05 . 2009-05-13 21:56 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-09-29 12:36 . 2009-09-29 12:36 -------- d-----w- c:\program\Delade filer\SWF Studio
2009-09-29 05:11 . 2009-09-30 12:15 -------- d-----w- c:\program\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 09:20 . 2009-01-05 23:48 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\Skype
2009-10-26 09:15 . 2009-02-17 15:38 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\DNA
2009-10-26 08:45 . 2009-01-06 20:27 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\skypePM
2009-10-26 08:45 . 2009-02-17 15:38 -------- d-----w- c:\program\DNA
2009-10-25 23:26 . 2009-03-04 22:10 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\Spotify
2009-10-25 19:57 . 2009-09-15 13:32 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\vlc
2009-10-25 18:49 . 2002-10-01 17:35 434528 ----a-w- c:\windows\system32\perfh01D.dat
2009-10-25 18:49 . 2002-10-01 17:35 78734 ----a-w- c:\windows\system32\perfc01D.dat
2009-10-23 19:16 . 2009-01-05 22:52 -------- d-----w- c:\program\Mozilla Thunderbird
2009-10-23 07:50 . 2009-01-06 03:05 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\dvdcss
2009-10-22 17:03 . 2009-05-02 13:03 -------- d-----w- c:\program\Warcraft III
2009-10-21 08:23 . 2009-01-05 23:42 -------- d-----w- c:\program\Java
2009-10-21 08:22 . 2009-01-06 11:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-20 19:03 . 2009-01-05 23:41 -------- d-----w- c:\program\Delade filer\Adobe
2009-10-13 07:05 . 2009-10-13 07:04 -------- d-----w- c:\program\Google
2009-10-13 07:05 . 2009-10-13 07:04 -------- d-----w- c:\program\DivX
2009-10-13 07:04 . 2009-10-13 07:04 -------- d-----w- c:\program\Delade filer\DivX Shared
2009-09-30 12:11 . 2009-01-05 21:15 -------- d--h--w- c:\program\InstallShield Installation Information
2009-09-30 12:11 . 2009-01-05 22:59 -------- d-----w- c:\program\Creative
2009-09-30 12:11 . 2009-01-05 23:09 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-30 12:11 . 2009-01-05 23:09 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-29 09:01 . 2009-09-17 06:53 -------- d-----w- c:\program\League of Legends
2009-09-17 07:03 . 2009-09-17 07:03 -------- d-----w- c:\documents and settings\Marcus Widlund\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-09-17 06:58 . 2009-09-17 06:56 -------- d-----w- c:\program\Delade filer\Adobe AIR
2009-09-13 08:08 . 2009-01-27 22:31 -------- d-----w- c:\program\Switch Off
2009-09-11 14:19 . 2002-10-01 17:30 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:05 . 2002-10-01 17:28 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:00 . 2002-10-01 17:44 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 16:45 . 2009-05-02 13:06 71291 ----a-w- c:\windows\War3Unin.dat
2009-08-26 08:02 . 2002-10-01 17:40 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 17:24 . 2009-01-05 21:01 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2009-01-05 21:01 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2009-01-05 21:01 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2008-10-16 13:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2009-01-05 20:46 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2002-10-01 17:16 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2009-01-05 21:01 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2009-01-06 16:58 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 17:23 . 2009-01-05 20:46 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 17:23 . 2008-10-16 13:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:01 . 2002-10-01 17:30 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 20:59 . 2002-10-01 17:33 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:29 . 2002-09-09 13:18 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* Tomma poster & legitima standardposter visas inte.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program\Skype\Phone\Skype.exe" [2008-11-18 21633320]
"BitTorrent DNA"="c:\program\DNA\btdna.exe" [2009-10-07 323392]
"PC Suite Tray"="c:\program\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"SoundMAXPnP"="c:\program\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"LifeCam"="c:\program\Microsoft LifeCam\LifeExp.exe" [2009-01-05 277296]
"VX1000"="c:\windows\vVX1000.exe" [2009-01-05 700416]
"QuickTime Task"="c:\program\QuickTime\qttask.exe" [2009-01-05 413696]
"MessengerPlus3"="c:\program\MessengerPlus! 3\MsgPlus.exe" [2009-02-21 190024]
"Adobe Reader Speed Launcher"="c:\program\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program\Delade filer\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program\Java\jre6\bin\jusched.exe" [2009-10-21 149280]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-06-27 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Marcus Widlund\Start-meny\Program\Autostart\
OpenOffice.org 3.0.lnk - c:\program\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program\\Vuze\\Azureus.exe"=
"c:\\Program\\DNA\\btdna.exe"=
"c:\\Program\\Spotify\\spotify.exe"=
"c:\\Program\\Java\\jre6\\bin\\java.exe"=
"c:\\Program\\Garena\\Garena.exe"=
"c:\\Program\\Ventrilo\\Ventrilo.exe"=
"c:\\Program\\League of Legends\\Air\\LolClient.exe"=
"c:\\Program\\League of Legends\\Game\\League of Legends.exe"=
"c:\\Program\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8394:TCP"= 8394:TCP:League of Legends Launcher
"8394:UDP"= 8394:UDP:League of Legends Launcher
"6942:TCP"= 6942:TCP:League of Legends Launcher
"6942:UDP"= 6942:UDP:League of Legends Launcher
"6982:TCP"= 6982:TCP:League of Legends Launcher
"6982:UDP"= 6982:UDP:League of Legends Launcher
"6936:TCP"= 6936:TCP:League of Legends Launcher
"6936:UDP"= 6936:UDP:League of Legends Launcher

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-10-21 28552]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S2 gupdate1ca4bd364f38406;Tjänsten Google Update (gupdate1ca4bd364f38406);c:\program\Google\Update\GoogleUpdate.exe [2009-10-13 133104]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-06-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-06-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-06-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-06-27 566296]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S3 XDva238;XDva238;\??\c:\windows\system32\XDva238.sys --> c:\windows\system32\XDva238.sys [?]

--- Övriga tjänster/drivrutiner i minnet ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Innehållet i mappen 'Schemalagda aktiviteter':

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program\Google\Update\GoogleUpdate.exe [2009-10-13 07:04]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program\Google\Update\GoogleUpdate.exe [2009-10-13 07:04]
.
.
------- Extra genomsökning -------
.
uStart Page = [You must be registered and logged in to see this link.]
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - [You must be registered and logged in to see this link.]
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Marcus Widlund\Application Data\Mozilla\Firefox\Profiles\l6vs5rcx.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\program\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICY ----
c:\program\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -

HKCU-Run-PlayNC Launcher - (no file)
AddRemove-HijackThis - c:\documents and settings\Marcus Widlund\Skrivbord\Geekpolice\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-26 10:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLer som "laddats" under processer som körs ---------------------

- - - - - - - > 'explorer.exe'(3312)
c:\program\MessengerPlus! 3\MsgPlusLoader.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Sluttid: 2009-10-26 10:22
ComboFix-quarantined-files.txt 2009-10-26 09:22

Före genomsökningen: 142 737 747 968 byte ledigt
Efter genomsökningen: 143 399 264 256 byte ledigt

WindowsXP-KB310994-SP2-Home-BootDisk-SVE.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8CF23B72F1822C50B2048D811BE7BCE4



And programs:
AAC Decoder
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2 - Svenska
Adobe Shockwave Player
Apple Software Update
AutoUpdate
Creative Audio Console
Creative Software AutoUpdate
Dell ResourceCD
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DivX Version Checker
DNA
DriverAgent by eSupport.com
Garena
Google Chrome
Google Update Helper
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB954550-v5)
Intel(R) PRO Network Connections Drivers
Java(TM) 6 Update 16
League of Legends
Logitech MouseWare 9.79.1
Malwarebytes' Anti-Malware
Messenger Plus! 3
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft LifeCam
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.14)
Mozilla Thunderbird (2.0.0.23)
MSVC80_x86
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA Drivers
OpenOffice.org 3.0
Panda ActiveScan 2.0
PC Connectivity Solution
QuickTime
Security Update for Windows Internet Explorer 7 (KB958215)
Skype™ 3.8
Snabbkorrigering för Windows Media Player 11 (KB939683)
Snabbkorrigering för Windows XP (KB952287)
Snabbkorrigering för Windows XP (KB961118)
Snabbkorrigering för Windows XP (KB970653-v3)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB938127-v2)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB956390)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB960714)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB961260)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB963027)
Säkerhetsuppdatering för Windows Internet Explorer 7 (KB969897)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB969897)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB971961)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB972260)
Säkerhetsuppdatering för Windows Internet Explorer 8 (KB974455)
Säkerhetsuppdatering för Windows Media Player (KB952069)
Säkerhetsuppdatering för Windows Media Player (KB954155)
Säkerhetsuppdatering för Windows Media Player (KB968816)
Säkerhetsuppdatering för Windows Media Player (KB973540)
Säkerhetsuppdatering för Windows Media Player 11 (KB954154)
Säkerhetsuppdatering för Windows XP (KB923561)
Säkerhetsuppdatering för Windows XP (KB923789)
Säkerhetsuppdatering för Windows XP (KB938464)
Säkerhetsuppdatering för Windows XP (KB941569)
Säkerhetsuppdatering för Windows XP (KB946648)
Säkerhetsuppdatering för Windows XP (KB950762)
Säkerhetsuppdatering för Windows XP (KB950974)
Säkerhetsuppdatering för Windows XP (KB951066)
Säkerhetsuppdatering för Windows XP (KB951376-v2)
Säkerhetsuppdatering för Windows XP (KB951698)
Säkerhetsuppdatering för Windows XP (KB951748)
Säkerhetsuppdatering för Windows XP (KB952004)
Säkerhetsuppdatering för Windows XP (KB952954)
Säkerhetsuppdatering för Windows XP (KB954211)
Säkerhetsuppdatering för Windows XP (KB954459)
Säkerhetsuppdatering för Windows XP (KB954600)
Säkerhetsuppdatering för Windows XP (KB955069)
Säkerhetsuppdatering för Windows XP (KB956391)
Säkerhetsuppdatering för Windows XP (KB956572)
Säkerhetsuppdatering för Windows XP (KB956744)
Säkerhetsuppdatering för Windows XP (KB956802)
Säkerhetsuppdatering för Windows XP (KB956803)
Säkerhetsuppdatering för Windows XP (KB956841)
Säkerhetsuppdatering för Windows XP (KB956844)
Säkerhetsuppdatering för Windows XP (KB957095)
Säkerhetsuppdatering för Windows XP (KB957097)
Säkerhetsuppdatering för Windows XP (KB958644)
Säkerhetsuppdatering för Windows XP (KB958687)
Säkerhetsuppdatering för Windows XP (KB958690)
Säkerhetsuppdatering för Windows XP (KB958869)
Säkerhetsuppdatering för Windows XP (KB959426)
Säkerhetsuppdatering för Windows XP (KB960225)
Säkerhetsuppdatering för Windows XP (KB960715)
Säkerhetsuppdatering för Windows XP (KB960803)
Säkerhetsuppdatering för Windows XP (KB960859)
Säkerhetsuppdatering för Windows XP (KB961371)
Säkerhetsuppdatering för Windows XP (KB961373)
Säkerhetsuppdatering för Windows XP (KB961501)
Säkerhetsuppdatering för Windows XP (KB968537)
Säkerhetsuppdatering för Windows XP (KB969059)
Säkerhetsuppdatering för Windows XP (KB969898)
Säkerhetsuppdatering för Windows XP (KB970238)
Säkerhetsuppdatering för Windows XP (KB971486)
Säkerhetsuppdatering för Windows XP (KB971557)
Säkerhetsuppdatering för Windows XP (KB971633)
Säkerhetsuppdatering för Windows XP (KB971657)
Säkerhetsuppdatering för Windows XP (KB973346)
Säkerhetsuppdatering för Windows XP (KB973354)
Säkerhetsuppdatering för Windows XP (KB973507)
Säkerhetsuppdatering för Windows XP (KB973525)
Säkerhetsuppdatering för Windows XP (KB973869)
Säkerhetsuppdatering för Windows XP (KB974112)
Säkerhetsuppdatering för Windows XP (KB974571)
Säkerhetsuppdatering för Windows XP (KB975025)
Säkerhetsuppdatering för Windows XP (KB975467)
SoundMAX
Spotify
Switch Off
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Uppdatering för Windows Internet Explorer 8 (KB971930)
Uppdatering för Windows XP (KB898461)
Uppdatering för Windows XP (KB951978)
Uppdatering för Windows XP (KB955839)
Uppdatering för Windows XP (KB967715)
Uppdatering för Windows XP (KB968389)
Uppdatering för Windows XP (KB973815)
Warcraft III: All Products
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Ventrilo Client
VentriloMIX
Viktig uppdatering för Windows Media Player 11 (KB959772)
Windows-drivrutinspaket - Nokia Modem (06/01/2009 4.1)
Windows-drivrutinspaket - Nokia Modem (06/01/2009 7.01.0.3)
Windows-drivrutinspaket - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR
VLC media player 1.0.1
Vuze



Post by Belahzur on Mon Oct 26, 2009 1:50 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?




Post by MarcusW on Tue Oct 27, 2009 2:37 pm

It works well, but I still have rundll32.exe and lsass.exe running under processes in the activity manager. Maybe they are supposed to be there?



Post by Belahzur on Tue Oct 27, 2009 3:58 pm

Yes, those two files are legit.




Post by MarcusW on Tue Oct 27, 2009 5:38 pm

Ah, good. Thanks for all the help, guys. Much appreciated.
