
Thread: Virtumonde and Many More

  #11 - pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    No problem, these remote repairs are not the easiest things to do.
    It is also keeping me from posting on this site; it is hanging and will not submit. If you are reading this, then I would say it worked once.
    The forum software has been having problems today, which is likely the reason. To cut down on the amount of information we have to look at, I will edit out the posts at Today, 08:20 and Today, 08:23.

    Read and follow the directions carefully:

    1) http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click Yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer; click OK.
    *****Note: It is possible that VundoFix encountered a file it could not remove.*****
    In this case, VundoFix will attempt to run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


    2) Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the VundoFix report, ComboFix log and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  #12 - Junior Member
    Join Date: Oct 2007
    Posts: 15

    Hijack This Log 11.18

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:54:35 PM, on 11/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\oracle\ora92\bin\agntsrvc.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\krtaylorjr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6061228
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174777112439
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
    O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
    O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
    O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 9809 bytes
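The log above is the kind of thing the helpers in this thread read by eye. As an added example (not from the thread, from pskelley, or from HijackThis itself), here is a small Python triage script that applies three of the checks a reviewer makes on such a log: a BHO whose DLL is reported missing (the "Flash Module" entry), a Run value that hands rundll32 a random eight-letter DLL in system32 (the [14d9e7d3] entry), and a service with an unknown owner whose binary is missing. The sample lines are copied from the log in post #12; the regexes and the eight-letter-name heuristic are this example's own assumptions, and a hit means "look at this", not "this is malware".

```python
import ntpath
import re

# Constructed sample: entries copied from the HijackThis log in post #12,
# trimmed to the lines that exercise each rule below.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RANDOM_STEM = re.compile(r"^[a-z]{8}$")   # eight random lower-case letters, as seen in the log
HEX_VALUE = re.compile(r"^[0-9a-f]{8}$")  # Run value name like [14d9e7d3]


def parse_hjt(text):
    """Yield (kind, body) for each 'Oxx - ...' / 'Rx - ...' line."""
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def dll_from_rundll32(cmd):
    """Return the DLL path a rundll32 command line loads, or None if not rundll32."""
    if not cmd.lower().startswith("rundll32"):
        return None
    m = re.search(r'"?([A-Za-z]:\\[^",]+?\.dll)"?', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def in_system32(path):
    return ntpath.dirname(path).lower().endswith("\\system32")


def stem(path):
    return ntpath.splitext(ntpath.basename(path))[0]


def triage(text):
    """Return a list of (kind, reason, body) for entries worth a second look."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O2":
            m = BHO_RE.match(body)
            # A BHO whose DLL has no directory or is reported missing is a stale
            # registration: either malware residue or something to clean up.
            if m and ("(file missing)" in m["path"] or "\\" not in m["path"]):
                findings.append((kind, "BHO with missing or bare DLL path", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup entries are not in the HKxx\..\Run form
            dll = dll_from_rundll32(m["cmd"])
            if dll and in_system32(dll) and RANDOM_STEM.match(stem(dll)):
                findings.append((kind, "rundll32 loads random-named system32 DLL", body))
            elif HEX_VALUE.match(m["value"]):
                findings.append((kind, "Run value named with 8 hex digits", body))
        elif kind == "O23":
            m = SVC_RE.match(body)
            # Unknown owner plus a missing binary: confirm the real ImagePath in the
            # registry before deciding whether it is malware or a broken (for example
            # unquoted) path of a legitimate service.
            if m and m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
                findings.append((kind, "service with unknown owner and missing binary", body))
    return findings


def flagged_bodies(text):
    return [body for _, _, body in triage(text)]


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_HJT_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

Run it against a full HijackThis log by reading the file into `triage()`; the three rules are deliberately narrow, so anything they do not flag still needs the usual review of the remaining O2/O4/O23 entries.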

  #13 - Junior Member
    Join Date: Oct 2007
    Posts: 15

    Combo Fix Log 11.18

    ComboFix 07-11-08.1 - Kenny 2007-11-18 14:45:33.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1136 [GMT -5:00]
    Running from: C:\Documents and Settings\Kenny\Desktop\ComboFix.exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\check_LSA7.txt
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.bak2
    C:\WINDOWS\system32\cccdd.ini
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\cccdd.tmp
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\gqaeqctl.dll
    C:\WINDOWS\system32\ltcqeaqg.ini
    C:\WINDOWS\system32\otmfikaq.dll
    C:\WINDOWS\system32\qakifmto.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
    .

    2007-11-18 14:47 85,056 --a------ C:\WINDOWS\system32\jsqldfpw.dll
    2007-11-18 14:42 71,232 --a------ C:\WINDOWS\system32\eqrecqgh.exe
    2007-11-18 14:21 <DIR> d-------- C:\VundoFix Backups
    2007-11-18 14:09 71,232 --a------ C:\WINDOWS\system32\xbvinekx.exe
    2007-11-18 10:52 71,232 --a------ C:\WINDOWS\system32\nnawqqhy.exe
    2007-11-18 08:04 71,232 --a------ C:\WINDOWS\system32\ucjrteme.exe
    2007-11-17 10:19 71,232 --a------ C:\WINDOWS\system32\jjxvftcy.exe
    2007-11-16 07:41 71,232 --a------ C:\WINDOWS\system32\pgcogfmr.exe
    2007-11-16 07:19 71,232 --a------ C:\WINDOWS\system32\jefugnfx.exe
    2007-11-15 12:18 85,056 --a------ C:\WINDOWS\system32\fqsefqaq.dll
    2007-11-15 12:15 71,232 --a------ C:\WINDOWS\system32\aprtlspg.exe
    2007-11-12 10:12 71,232 --a------ C:\WINDOWS\system32\kraouahg.exe
    2007-11-12 08:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-12 08:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-11-11 10:13 88,128 --a------ C:\WINDOWS\system32\mnnvwvym.dll
    2007-11-11 10:10 71,232 --a------ C:\WINDOWS\system32\uwxprpbt.exe
    2007-11-09 16:08 88,128 --a------ C:\WINDOWS\system32\dokgqdih.dll
    2007-11-09 16:05 71,232 --a------ C:\WINDOWS\system32\ivfnhwig.exe
    2007-11-08 16:07 71,232 --a------ C:\WINDOWS\system32\pwhqihsr.exe
    2007-11-07 16:09 86,080 --a------ C:\WINDOWS\system32\cnkfearr.dll
    2007-11-07 16:06 71,232 --a------ C:\WINDOWS\system32\pqyghxsh.exe
    2007-11-06 16:07 87,104 --a------ C:\WINDOWS\system32\pneurcek.dll
    2007-11-06 16:04 71,232 --a------ C:\WINDOWS\system32\ylfrajpa.exe
    2007-11-04 14:47 86,080 --a------ C:\WINDOWS\system32\lquvecnh.dll
    2007-11-01 16:33 <DIR> d-------- C:\Program Files\iPod
    2007-10-25 09:09 <DIR> d-------- C:\temp_dvd
    2007-10-25 09:08 <DIR> d-------- C:\Program Files\Dvd-cloner
    2007-10-22 13:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-22 13:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-10-19 19:23 <DIR> d-------- C:\Program Files\Adsense Helper Object
    2007-10-19 16:38 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-10-19 07:19 1 --a------ C:\WINDOWS\system32\rc.dat
    2007-10-19 07:19 1 --a------ C:\WINDOWS\system32\ps1.dat
    2007-10-19 07:19 1 --a------ C:\WINDOWS\system32\cookie1.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-12 13:09 --------- d-----w C:\Program Files\Java
    2007-11-01 21:33 --------- d-----w C:\Program Files\iTunes
    2007-11-01 21:27 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-29 21:13 --------- d-----w C:\Program Files\Trend Micro
    2007-10-20 18:56 --------- d-----w C:\Program Files\PokerStars
    2007-10-20 00:27 --------- d-----w C:\Program Files\Common Files\AOL
    2007-10-20 00:27 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
    2007-10-20 00:22 --------- d-----w C:\Program Files\WildTangent
    2007-10-04 18:57 --------- d-----w C:\Documents and Settings\Kenny\Application Data\GetRightToGo
    2007-10-04 18:57 --------- d-----w C:\DOCUME~1\Kenny\APPLIC~1\GetRightToGo
    2007-10-04 18:43 --------- d-----w C:\Program Files\Turbine
    2007-10-01 18:49 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
    2007-10-01 14:51 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
    2007-09-25 20:34 --------- d-----w C:\Documents and Settings\Kenny\Application Data\Sonic
    2007-09-25 20:34 --------- d-----w C:\DOCUME~1\Kenny\APPLIC~1\Sonic
    2007-05-08 13:01:09 56 --sh--r C:\WINDOWS\system32\3C806A7AF9.sys
    2007-03-01 18:03:01 88 --sh--r C:\WINDOWS\system32\F97A6A803C.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-22_14.46.29.26 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
    + 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
    - 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    + 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    - 2007-10-11 00:46:50 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2007-11-16 12:22:23 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    - 2007-10-11 00:46:50 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2007-11-16 12:22:23 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2007-10-11 00:46:50 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    + 2007-11-16 12:22:23 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2007-10-11 00:46:49 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2007-11-16 12:22:22 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2007-10-11 00:46:50 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2007-11-16 12:22:23 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2007-10-11 00:46:50 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2007-11-16 12:22:23 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2007-10-11 00:46:50 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2007-11-16 12:22:23 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2007-10-11 00:46:50 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2007-11-16 12:22:24 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2007-10-11 00:46:50 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2007-11-16 12:22:22 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2007-10-11 00:46:50 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2007-11-16 12:22:22 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2007-10-11 00:46:50 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2007-11-16 12:22:24 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2007-10-11 00:46:49 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2007-11-16 12:22:22 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2007-10-11 00:46:49 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2007-11-16 12:22:21 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2007-11-01 21:33:32 102,400 ----a-r C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe
    + 2007-11-01 21:27:52 27,136 ----a-r C:\WINDOWS\Installer\{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}\AppleSoftwareUpdateIco.exe
    + 2004-08-10 11:00:00 290,816 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\WMDRMNet.dll
    + 2004-08-10 11:00:00 146,432 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmidx.dll
    + 2004-08-10 11:00:00 1,023,488 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmnetmgr.dll
    + 2004-08-10 11:00:00 1,116,160 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmsdmoe2.dll
    + 2004-08-10 11:00:00 936,960 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmspdmoe.dll
    + 2004-08-10 11:00:00 1,508,864 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\WMVADVE.DLL
    + 2004-08-10 11:00:00 2,355,200 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmvcore.dll
    + 2004-08-10 11:00:00 999,424 ----a-w C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}$BACKUP$\System\wmvdmoe2.dll
    + 2004-08-10 11:00:00 230,912 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\blackbox.dll
    + 2004-08-10 11:00:00 533,504 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\drmv2clt.dll
    + 2005-04-20 17:32:12 106,496 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\mfplat.dll
    + 2004-08-10 11:00:00 138,240 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\msnetobj.dll
    + 2005-04-20 17:32:12 197,632 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}$BACKUP$\System\wmdrmsdk.dll
    + 2005-08-04 00:29:52 428,544 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\blackbox.dll
    + 2005-08-04 00:29:52 178,936 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmupgds.exe
    + 2005-08-04 00:29:52 579,584 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drmv2clt.dll
    + 2005-08-04 00:29:52 106,496 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\mfplat.dll
    + 2005-08-04 00:29:52 115,200 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\msnetobj.dll
    + 2005-08-04 00:29:52 180,224 ----a-w C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\wmdrmsdk.dll
    + 2005-08-16 10:43:16 233,472 ---ha-w C:\WINDOWS\repair\ntuser.dat
    + 2004-08-10 11:00:00 362,496 ----a-w C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead\shellstyle.dll
    + 2004-08-10 11:00:00 362,496 ----a-w C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic\shellstyle.dll
    + 2004-08-10 11:00:00 361,472 ----a-w C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor\shellstyle.dll
    + 2004-08-10 09:38:56 372,736 ----a-w C:\WINDOWS\Resources\Themes\Royale\Shell\NormalColor\ShellStyle.dll
    + 2004-07-14 21:22:24 45,056 ----a-w C:\WINDOWS\security\templates\SECUREUP.EXE
    + 2004-08-10 11:00:00 3,166,208 ----a-w C:\WINDOWS\srchasst\msgr3en.dll
    + 2004-08-10 11:00:00 58,434 ----a-w C:\WINDOWS\srchasst\srchctls.dll
    + 2004-08-10 11:00:00 725,566 ----a-w C:\WINDOWS\srchasst\srchui.dll
    + 2004-08-10 11:00:00 69,584 ----a-w C:\WINDOWS\system\AVICAP.DLL
    + 2004-08-10 11:00:00 109,456 ----a-w C:\WINDOWS\system\AVIFILE.DLL
    + 2004-08-10 11:00:00 32,816 ----a-w C:\WINDOWS\system\COMMDLG.DLL
    + 2004-08-10 11:00:00 9,936 ----a-w C:\WINDOWS\system\LZEXPAND.DLL
    + 2004-08-10 11:00:00 68,768 ----a-w C:\WINDOWS\system\MMSYSTEM.DLL
    + 2004-08-10 11:00:00 126,912 ----a-w C:\WINDOWS\system\MSVIDEO.DLL
    + 2004-08-10 11:00:00 82,944 ----a-w C:\WINDOWS\system\OLECLI.DLL
    + 2004-08-10 11:00:00 24,064 ----a-w C:\WINDOWS\system\OLESVR.DLL
    + 2004-08-10 11:00:00 5,120 ----a-w C:\WINDOWS\system\SHELL.DLL
    + 2004-08-10 11:00:00 19,200 ----a-w C:\WINDOWS\system\TAPI.DLL
    + 2004-08-10 11:00:00 9,008 ----a-w C:\WINDOWS\system\VER.DLL
    + 2004-08-10 11:00:00 55,632 ----a-w C:\WINDOWS\system32\1033\dwintl.dll
    + 2006-08-16 11:58:05 100,352 ----a-w C:\WINDOWS\system32\6to4svc.dll
    + 2005-11-08 18:38:38 33,792 ----a-r C:\WINDOWS\system32\a3d.dll
    + 2004-08-10 11:00:00 25,600 ----a-w C:\WINDOWS\system32\aaaamon.dll
    + 2005-11-08 18:37:00 26,624 ----a-w C:\WINDOWS\system32\AC3API.DLL
    + 2004-08-10 11:00:00 64,512 ----a-w C:\WINDOWS\system32\acctres.dll
    + 2004-08-10 11:00:00 183,808 ----a-w C:\WINDOWS\system32\accwiz.exe
    + 2004-08-10 11:00:00 129,536 ----a-w C:\WINDOWS\system32\acledit.dll
    + 2004-08-10 11:00:00 114,688 ----a-w C:\WINDOWS\system32\aclui.dll
    + 2004-08-10 11:00:00 194,048 ----a-w C:\WINDOWS\system32\activeds.dll
    + 2004-08-10 11:00:00 4,096 ----a-w C:\WINDOWS\system32\actmovie.exe
    + 2004-08-10 11:00:00 101,888 ----a-w C:\WINDOWS\system32\actxprxy.dll
    + 2004-08-10 11:00:00 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
    + 2004-08-10 11:00:00 26,112 ----a-w C:\WINDOWS\system32\adptif.dll
    + 2004-08-10 11:00:00 175,616 ----a-w C:\WINDOWS\system32\adsldp.dll
    + 2004-08-10 11:00:00 143,360 ----a-w C:\WINDOWS\system32\adsldpc.dll
    + 2004-08-10 11:00:00 68,096 ----a-w C:\WINDOWS\system32\adsmsext.dll
    + 2004-08-10 11:00:00 161,792 ----a-w C:\WINDOWS\system32\adsnds.dll
    + 2004-08-10 11:00:00 263,680 ----a-w C:\WINDOWS\system32\adsnt.dll
    + 2004-08-10 11:00:00 109,568 ----a-w C:\WINDOWS\system32\adsnw.dll
    + 2004-08-10 11:00:00 616,960 ----a-w C:\WINDOWS\system32\advapi32.dll
    + 2004-08-10 11:00:00 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2004-10-04 21:57:10 929,792 ----a-w C:\WINDOWS\system32\AegisE5.dll
    + 2004-08-10 11:00:00 98,304 ----a-w C:\WINDOWS\system32\ahui.exe
    + 2004-08-10 11:00:00 44,544 ----a-w C:\WINDOWS\system32\alg.exe
    + 2004-08-10 11:00:00 17,408 ----a-w C:\WINDOWS\system32\alrsvc.dll
    + 2004-08-10 11:00:00 70,656 ----a-w C:\WINDOWS\system32\amstream.dll
    + 2004-08-10 11:00:00 9,029 ----a-w C:\WINDOWS\system32\ansi.sys
    + 2004-08-10 11:00:00 102,912 ----a-w C:\WINDOWS\system32\apcups.dll
    + 2004-08-10 11:00:00 12,498 ----a-w C:\WINDOWS\system32\append.exe
    + 2004-08-10 11:00:00 126,976 ----a-w C:\WINDOWS\system32\apphelp.dll
    + 2004-08-10 11:00:00 167,936 ----a-w C:\WINDOWS\system32\appmgmts.dll
    + 2004-08-10 11:00:00 295,936 ----a-w C:\WINDOWS\system32\appmgr.dll
    + 2004-08-10 11:00:00 19,456 ----a-w C:\WINDOWS\system32\arp.exe
    + 2004-08-10 11:00:00 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
    + 2004-08-10 11:00:00 30,208 ----a-w C:\WINDOWS\system32\asr_fmt.exe
    + 2004-08-10 11:00:00 32,256 ----a-w C:\WINDOWS\system32\asr_ldm.exe
    + 2004-08-10 11:00:00 32,768 ----a-w C:\WINDOWS\system32\asr_pfu.exe
    + 2004-08-10 11:00:00 65,024 ----a-w C:\WINDOWS\system32\asycfilt.dll
    + 2004-08-10 11:00:00 25,088 ----a-w C:\WINDOWS\system32\at.exe
    + 2004-08-10 11:00:00 13,312 ----a-w C:\WINDOWS\system32\atkctrs.dll
    + 2004-08-10 11:00:00 58,880 ----a-w C:\WINDOWS\system32\atl.dll
    + 2002-01-05 08:18:20 84,992 ----a-w C:\WINDOWS\system32\atl70.dll
    + 2003-03-19 03:05:50 89,088 ----a-r C:\WINDOWS\system32\atl71.dll
    + 2004-08-10 11:00:00 11,264 ----a-w C:\WINDOWS\system32\atmadm.exe
    + 2004-08-10 11:00:00 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
    + 2004-08-10 11:00:00 30,208 ----a-w C:\WINDOWS\system32\atmlib.dll
    + 2004-08-10 11:00:00 34,816 ----a-w C:\WINDOWS\system32\atmpvcno.dll
    + 2004-08-10 11:00:00 11,264 ----a-w C:\WINDOWS\system32\atrace.dll
    + 2004-08-10 11:00:00 11,264 ----a-w C:\WINDOWS\system32\attrib.exe
    + 2004-08-10 11:00:00 480,768 ----a-w C:\WINDOWS\system32\audiodev.dll
    + 2004-08-10 11:00:00 42,496 ----a-w C:\WINDOWS\system32\audiosrv.dll
    + 2004-08-10 11:00:00 14,336 ----a-w C:\WINDOWS\system32\auditusr.exe
    + 2005-03-02 18:09:29 56,832 ----a-w C:\WINDOWS\system32\authz.dll
    + 2004-08-10 11:00:00 588,800 ----a-w C:\WINDOWS\system32\autochk.exe
    + 2004-08-10 11:00:00 602,624 ----a-w C:\WINDOWS\system32\autoconv.exe
    + 2004-08-10 11:00:00 80,384 ----a-w C:\WINDOWS\system32\autodisc.dll
    + 2004-08-10 11:00:00 580,608 ----a-w C:\WINDOWS\system32\autofmt.exe
    + 2004-08-10 11:00:00 11,264 ----a-w C:\WINDOWS\system32\autolfn.exe
    + 2004-08-10 11:00:00 69,584 ----a-w C:\WINDOWS\system32\avicap.dll
    + 2004-08-10 11:00:00 64,000 ----a-w C:\WINDOWS\system32\avicap32.dll
    + 2004-08-10 11:00:00 84,992 ----a-w C:\WINDOWS\system32\avifil32.dll
    + 2004-08-10 11:00:00 109,456 ----a-w C:\WINDOWS\system32\avifile.dll
    + 2004-08-10 11:00:00 16,384 ----a-w C:\WINDOWS\system32\avmeter.dll
    + 2004-08-10 11:00:00 227,840 ----a-w C:\WINDOWS\system32\avtapi.dll
    + 2004-08-10 11:00:00 73,216 ----a-w C:\WINDOWS\system32\avwav.dll
    + 2004-08-10 11:00:00 52,736 ----a-w C:\WINDOWS\system32\basesrv.dll
    + 2004-08-10 11:00:00 28,672 ----a-w C:\WINDOWS\system32\batmeter.dll
    + 2004-08-10 11:00:00 8,704 ----a-w C:\WINDOWS\system32\batt.dll
    + 2004-08-10 11:00:00 17,408 ----a-w C:\WINDOWS\system32\bidispl.dll
    + 2004-08-10 11:00:00 8,192 ----a-w C:\WINDOWS\system32\bitsprx2.dll
    + 2004-08-10 11:00:00 7,168 ----a-w C:\WINDOWS\system32\bitsprx3.dll
    + 2006-03-03 12:26:29 429,056 ----a-w C:\WINDOWS\system32\blackbox.dll
    + 2004-08-10 11:00:00 71,680 ----a-w C:\WINDOWS\system32\blastcln.exe
    + 2004-08-10 11:00:00 136,704 ----a-w C:\WINDOWS\system32\bootcfg.exe
    + 2004-08-10 11:00:00 4,608 ----a-w C:\WINDOWS\system32\bootok.exe
    + 2004-08-10 11:00:00 12,288 ----a-w C:\WINDOWS\system32\bootvid.dll
    + 2004-08-10 11:00:00 5,120 ----a-w C:\WINDOWS\system32\bootvrfy.exe
    + 2004-08-10 11:00:00 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
    + 2004-08-10 11:00:00 77,312 ----a-w C:\WINDOWS\system32\browser.dll
    + 2007-08-22 12:55:28 1,022,976 ----a-w C:\WINDOWS\system32\browseui.dll
    + 2004-08-10 11:00:00 78,336 ----a-w C:\WINDOWS\system32\browsewm.dll
    + 2004-08-10 11:00:00 20,992 ----a-w C:\WINDOWS\system32\bthci.dll
    + 2004-08-10 11:00:00 30,208 ----a-w C:\WINDOWS\system32\bthserv.dll
    + 2004-08-10 11:00:00 50,688 ----a-w C:\WINDOWS\system32\btpanui.dll
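The "Files Created" section of the ComboFix log above is where the picture becomes clear: every few hours a 71,232-byte .exe appears in system32, sometimes followed minutes later by an 85,056 to 88,128-byte .dll, all with eight-letter random names; the "Other Deletions" section shows the other habit visible in this log, a .dll paired with an .ini whose name is the DLL name spelled backwards (ddccc.dll and cccdd.ini, gqaeqctl.dll and ltcqeaqg.ini). The Python below is an added example, not part of the thread or of ComboFix, that parses those two sections and pulls out the same file list pskelley posts in #15. The sample is copied from the log above with the directory entries and a few legitimate files kept as negatives; the eight-letter-name rule, the size clustering and the mirrored-name check are this example's own heuristics.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: "Other Deletions" and "Files Created" rows copied from the
# ComboFix log in post #13 (directories and non-Vundo files kept as negatives).
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\gqaeqctl.dll
C:\WINDOWS\system32\ltcqeaqg.ini
C:\WINDOWS\system32\otmfikaq.dll
C:\WINDOWS\system32\qakifmto.ini
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
2007-11-18 14:47 85,056 --a------ C:\WINDOWS\system32\jsqldfpw.dll
2007-11-18 14:42 71,232 --a------ C:\WINDOWS\system32\eqrecqgh.exe
2007-11-18 14:21 <DIR> d-------- C:\VundoFix Backups
2007-11-18 14:09 71,232 --a------ C:\WINDOWS\system32\xbvinekx.exe
2007-11-18 10:52 71,232 --a------ C:\WINDOWS\system32\nnawqqhy.exe
2007-11-18 08:04 71,232 --a------ C:\WINDOWS\system32\ucjrteme.exe
2007-11-17 10:19 71,232 --a------ C:\WINDOWS\system32\jjxvftcy.exe
2007-11-16 07:41 71,232 --a------ C:\WINDOWS\system32\pgcogfmr.exe
2007-11-16 07:19 71,232 --a------ C:\WINDOWS\system32\jefugnfx.exe
2007-11-15 12:18 85,056 --a------ C:\WINDOWS\system32\fqsefqaq.dll
2007-11-15 12:15 71,232 --a------ C:\WINDOWS\system32\aprtlspg.exe
2007-11-12 10:12 71,232 --a------ C:\WINDOWS\system32\kraouahg.exe
2007-11-12 08:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-11 10:13 88,128 --a------ C:\WINDOWS\system32\mnnvwvym.dll
2007-11-11 10:10 71,232 --a------ C:\WINDOWS\system32\uwxprpbt.exe
2007-11-09 16:08 88,128 --a------ C:\WINDOWS\system32\dokgqdih.dll
2007-11-09 16:05 71,232 --a------ C:\WINDOWS\system32\ivfnhwig.exe
2007-11-08 16:07 71,232 --a------ C:\WINDOWS\system32\pwhqihsr.exe
2007-11-07 16:09 86,080 --a------ C:\WINDOWS\system32\cnkfearr.dll
2007-11-07 16:06 71,232 --a------ C:\WINDOWS\system32\pqyghxsh.exe
2007-11-06 16:07 87,104 --a------ C:\WINDOWS\system32\pneurcek.dll
2007-11-06 16:04 71,232 --a------ C:\WINDOWS\system32\ylfrajpa.exe
2007-11-04 14:47 86,080 --a------ C:\WINDOWS\system32\lquvecnh.dll
2007-10-22 13:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 16:38 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-19 07:19 1 --a------ C:\WINDOWS\system32\rc.dat
"""

CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
VUNDO_NAME = re.compile(r"^[a-z]{8}\.(exe|dll)$")  # eight random letters plus .exe/.dll


def parse_created(text):
    """Return [(date, time, size_or_None, path)] for each dated 'Files Created' row."""
    rows = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            rows.append((m["date"], m["time"], size, m["path"]))
    return rows


def vundo_candidates(rows):
    """Files (not folders) in system32 whose name matches VUNDO_NAME."""
    return [
        path for _, _, size, path in rows
        if size is not None
        and ntpath.dirname(path).lower().endswith("\\system32")
        and VUNDO_NAME.match(ntpath.basename(path))
    ]


def size_clusters(rows):
    """Count candidates by (extension, size): one family shows up as a few fixed sizes."""
    sizes = {path: size for _, _, size, path in rows}
    return Counter((ntpath.splitext(p)[1].lower(), sizes[p]) for p in vundo_candidates(rows))


def reversed_name_pairs(text):
    """Pair each .dll with an .ini whose stem is the DLL stem spelled backwards."""
    paths = re.findall(r"[A-Za-z]:\\[^\r\n]*", text)  # bare deletion lines and dated rows alike
    by_name = {ntpath.basename(p).lower(): p for p in paths}
    pairs = []
    for name, path in by_name.items():
        stem, ext = ntpath.splitext(name)
        mirror = stem[::-1] + ".ini"
        if ext == ".dll" and mirror in by_name:
            pairs.append((path, by_name[mirror]))
    return sorted(pairs)


if __name__ == "__main__":
    rows = parse_created(SAMPLE_COMBOFIX)
    print("candidates:", *vundo_candidates(rows), sep="\n  ")
    print("size clusters:", dict(size_clusters(rows)))
    print("mirrored dll/ini pairs:", reversed_name_pairs(SAMPLE_COMBOFIX))
```

Against the full section the candidate list is exactly the 21 paths pskelley asks to have deleted in #15 (14 executables of one size, 7 DLLs in four sizes), while NirCmd.exe, msxml3a.dll and the three one-byte .dat files fall outside the rule and still deserve a manual look.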

  #14 - Junior Member
    Join Date: Oct 2007
    Posts: 15

    Combo Fix Log 11.18 pt 2

    Attempting to attach the ComboFix log; it is big enough to fill 8 posts.

    Where would the vundo fix log be?

    Found the backup files (this is the only file that needed to be addressed after restarting):
    - C:\windows\system32\awtqoon.dll

    Other files included:
    - awtqoon.dll.bad
    - diwrvkhp.dll.bad
    - rqrqrrp.dll.bad
    - vtusrqp.dll.bad
    - yayawut.dll.bad

  #15 - pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Thanks for return your information, I have no idea why that combofix log is so large, do you know what all of that junk is in the
    snapshot@2007-10-22_14.46.29.26?

    Look for the file from Vundofix on your C:\ as VundoFix.txt. Post that as soon as you locate it.

    This is tough because of all the information and no VundoFix report to see if it removed any of these files. These are Vundo files created at the time of the infection that have not been deleted yet.
    How did you get this computer so infected? I don't want to use ComboFix to delete these because of that huge log. VundoFix will delete six at a time like this:

    Open VundoFix by double-clicking on it, then point your mouse to the white box above the buttons and right-click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.

    Or you can delete them manually one at a time, just be careful. You will need all files and folders visible to see them:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    (delete the files NOT the folder)
    C:\WINDOWS\system32\jsqldfpw.dll
    C:\WINDOWS\system32\eqrecqgh.exe
    C:\WINDOWS\system32\xbvinekx.exe
    C:\WINDOWS\system32\nnawqqhy.exe
    C:\WINDOWS\system32\ucjrteme.exe
    C:\WINDOWS\system32\jjxvftcy.exe
    C:\WINDOWS\system32\pgcogfmr.exe
    C:\WINDOWS\system32\jefugnfx.exe
    C:\WINDOWS\system32\fqsefqaq.dll
    C:\WINDOWS\system32\aprtlspg.exe
    C:\WINDOWS\system32\kraouahg.exe
    C:\WINDOWS\system32\mnnvwvym.dll
    C:\WINDOWS\system32\uwxprpbt.exe
    C:\WINDOWS\system32\dokgqdih.dll
    C:\WINDOWS\system32\ivfnhwig.exe
    C:\WINDOWS\system32\pwhqihsr.exe
    C:\WINDOWS\system32\cnkfearr.dll
    C:\WINDOWS\system32\pqyghxsh.exe
    C:\WINDOWS\system32\pneurcek.dll
    C:\WINDOWS\system32\ylfrajpa.exe
    C:\WINDOWS\system32\lquvecnh.dll

    When you have deleted those, restart the computer, run a new Kaspersky scan, then post the results to see what is left.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #16
    Junior Member
    Join Date
    Oct 2007
    Posts
    15

    Default VundoFix Log

    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 2:21:42 PM 11/18/2007

    Listing files found while scanning....

    C:\windows\system32\awtqoon.dll
    C:\WINDOWS\system32\diwrvkhp.dll
    C:\windows\system32\rqrqrrp.dll
    C:\windows\system32\vtusrqp.dll
    C:\windows\system32\yayawut.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\awtqoon.dll
    C:\windows\system32\awtqoon.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\diwrvkhp.dll
    C:\WINDOWS\system32\diwrvkhp.dll Has been deleted!

    Attempting to delete C:\windows\system32\rqrqrrp.dll
    C:\windows\system32\rqrqrrp.dll Has been deleted!

    Attempting to delete C:\windows\system32\vtusrqp.dll
    C:\windows\system32\vtusrqp.dll Has been deleted!

    Attempting to delete C:\windows\system32\yayawut.dll
    C:\windows\system32\yayawut.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.2

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 2:34:30 PM 11/18/2007

    Listing files found while scanning....

    C:\windows\system32\awtqoon.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\awtqoon.dll
    C:\windows\system32\awtqoon.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

  7. #17
    Junior Member
    Join Date
    Oct 2007
    Posts
    15

    Default Kaspersky Log

    Below is the Kaspersky file, which seemed to take forever to run this time. Only two items were detected. As for the rather large ComboFix log, my virus scan was still active and I think it deleted one of the dump files that ComboFix installs. That caused more problems later on (and a larger file). I didn't touch anything and noticed afterwards that that file was included in the virus notifications. I did try to run ComboFix again and it said it was expired. Is that a one-time-run app?

    Below is the log:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, November 19, 2007 7:22:15 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/11/2007
    Kaspersky Anti-Virus database records: 461392
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 238342
    Number of viruses found: 1
    Number of infected objects: 0
    Number of suspicious objects: 2
    Duration of the scan process: 02:57:14

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-1006u.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-501u.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\TmPfw_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_1245184_20425 Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_262144_20428 Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBEB.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBEC.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{20F455B5-BCE9-4F17-A980-54C015C140A9}.TmpSBE Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{C62341B2-FCF9-463A-AB22-FDA113747A81}.TmpSBE Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\Kenny\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\MSHist012007111820071119\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Kenny\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\oracle\ora92\network\agent\blackout.q Object is locked skipped
    C:\oracle\ora92\network\agent\ereg.q Object is locked skipped
    C:\oracle\ora92\network\agent\evocc1.q Object is locked skipped
    C:\oracle\ora92\network\agent\job.q Object is locked skipped
    C:\oracle\ora92\network\agent\jstat1.q Object is locked skipped
    C:\oracle\ora92\network\agent\reco\service.vps Object is locked skipped
    C:\oracle\ora92\network\agent\user.q Object is locked skipped
    C:\oracle\ora92\network\log\agntsrvc.log Object is locked skipped
    C:\oracle\ora92\network\log\dbsnmp.log Object is locked skipped
    C:\oracle\ora92\network\log\OracleOraHome92Agent.nohup Object is locked skipped
    C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(1792).trc Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL01.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL02.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL03.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CWMLITE01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\DRSYS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\EXAMPLE01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\INDX01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\ODM01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\REDO01.LOG Object is locked skipped
    C:\oracle\oradata\LOCAL\SYSTEM01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\TEMP01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\TOOLS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\UNDOTBS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\USERS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\XDB01.DBF Object is locked skipped
    C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP241\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{324CB52C-D877-412F-807A-2DC48809EA1D}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  8. #18
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    I did try to run combofix again and it said it was expired.
    This is an issue with the software that we are waiting patiently for the creator to correct.

    This has been an especially bad infection. Can you assure me you were able to successfully delete the list of Vundo files I posted? They are not showing in the Kaspersky scan, so they should be gone.

    KASPERSKY ONLINE SCANNER REPORT Monday, November 19, 2007 7:22:15 AM

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
    Please empty the Recovery folder in Spybot S&D:
    http://ict.cas.psu.edu/training/howt...vespybot.htm#1

    Post a new HJT log and let me know about any malware issues. Include any information I requested.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #19
    Junior Member
    Join Date
    Oct 2007
    Posts
    15

    Default Hijack This Log 11.19

    I was able to successfully delete all the files you mentioned.

    I was able to remove all the backed up items from S&D.

    I ran HijackThis and the log is included below.

    I haven't noticed anything yet with malware; it seems to have subsided for the time being, but I don't know if anything is hidden.

    -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:14:34 PM, on 11/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\oracle\ora92\bin\agntsrvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Trend Micro\HijackThis\krtaylorjr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6061228
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174777112439
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
    O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
    O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
    O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 9686 bytes

  10. #20
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information and the feedback. We have more to do; please let me know if you have issues with any of these instructions.

    Do you know what this is: O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    If not, we will remove it; ignore the instruction to do so if you know.

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) Disable the Service
    Click Start > Run and type services.msc
    Scroll down to MySQL and right click on it.
    Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

    4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
    O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    5) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Program.exe <<< delete that file

    C:\WINDOWS\system32\jsqldfpw.dll <<< delete that file (it is important that we delete this one, if it gives you trouble, do this)

    How to use the Delete on Reboot tool
    http://www.bleepingcomputer.com/tuto...42.html#delreb
    Start Hijackthis
    Click on the Config button
    Click on the Misc Tools button
    Click on the button labeled Delete a file on reboot...
    A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\jsqldfpw.dll and click on it once, and then click on the Open button.
    You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

    6) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Post a new HJT log and let me know if all went as instructed.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
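
As an added triage example (not code from this thread, from pskelley, or from HijackThis itself), the Python script below applies the three checks the helper used in post #20 to pick the suspect lines out of the HJT log: an O2 BHO whose DLL is reported missing, an O4 Run entry that loads a random-named system32 DLL through rundll32.exe (the Vundo pattern seen with jsqldfpw.dll), and an O23 service whose binary is missing. The sample lines are copied from the log posted above; the regular expressions, the 7-8 lowercase-letter name heuristic and the hex-key check are my own assumptions, not rules HijackThis applies.

```python
"""Triage helper for HijackThis (HJT) log lines.

Constructed example; not part of the forum thread and not HijackThis code.
It flags the three entry types the helper singled out:
  O2  - a BHO whose DLL is "(file missing)"
  O4  - a Run entry that loads a random-looking lowercase 7-8 letter DLL
        from system32 via rundll32.exe (Vundo/Virtumonde style: jsqldfpw.dll)
  O23 - a service whose binary is "(file missing)"
Heuristics and thresholds are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of lines copied from the HJT log posted in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# rundll32.exe <path>,<export>  (path may be quoted)
RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+"?(?P<path>[^",]+)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\[(?P<name>[^\]]+)\]")          # [ValueName] of the Run entry
RANDOM_DLL_RE = re.compile(r"^[a-z]{7,8}\.dll$")           # assumption: Vundo-style name
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")                 # assumption: e.g. 14d9e7d3
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str   # O2 / O4 / O23
    line: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None if nothing matched."""
    line = line.strip()
    if not line:
        return None
    section = line.split(" ", 1)[0]

    if section == "O2" and line.lower().endswith(MISSING):
        return Finding("O2", line, "BHO is registered but its DLL is missing")

    if section == "O4":
        m = RUNDLL_RE.search(line)
        if m:
            path, export = m.group("path"), m.group("export")
            base = _basename(path)
            key = RUN_KEY_RE.search(line)
            key_name = key.group("name") if key else ""
            in_system32 = "\\system32\\" in path.lower()
            # Random lowercase DLL in system32 plus either a one-letter export
            # or a hex-looking value name is the shape seen in this thread.
            if (in_system32 and RANDOM_DLL_RE.match(base)
                    and (len(export) <= 1 or HEX_NAME_RE.match(key_name))):
                return Finding("O4", line,
                               f"rundll32 loads random-named {base} from system32 (Vundo-style)")

    if section == "O23" and line.lower().endswith(MISSING):
        reason = "service binary missing"
        target = _basename(line[: -len(MISSING)].strip())
        if target.lower() == "program.exe":
            reason += "; C:\\Program.exe usually means an unquoted path with spaces"
        return Finding("O23", line, reason)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of an HJT log and keep the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The three flagged lines are exactly the ones the helper told the user to fix; the legitimate NvCpl.dll rundll32 entry and the NVIDIA service are not flagged.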
