
Thread: Virtumonde and Smitfraud infection

  1. #11
    Junior Member
    Join Date
    Nov 2007
    Posts
    20


    OK, finally got a combofix log after deleting the qoobox/quarantine folder and redownloading:

    1) combo fix log:
    ComboFix 07-11-19.3 - (SomeUserName) 2007-11-24 12:51:58.9 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1256.962.1033.18.253 [GMT -5:00]
    Running from: C:\Documents and Settings\(SomeUserName)\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
    .

    2007-11-23 14:32 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2007-11-19 17:22 32,768 --a------ C:\WINDOWS\b148.exe.bin
    2007-11-16 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
    2007-11-16 15:11 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-16 15:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-16 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-13 23:33 <DIR> d--hs---- C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ
    2007-11-11 00:04 35,840 -ra------ C:\WINDOWS\mrofinu72.exe
    2007-11-01 10:47 <DIR> d-------- C:\Program Files\EPSON
    2007-11-01 10:47 <DIR> d-------- C:\epson
    2007-10-25 20:35 <DIR> d-------- C:\Documents and Settings\(SomeUserName)\Application Data\Leadertech
    2007-10-25 20:24 <DIR> d-------- C:\Program Files\Atari

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-24 15:55 --------- d-----w C:\Program Files\Java
    2007-11-14 11:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-14 04:39 10 ----a-w C:\Program Files\.autoreg
    2007-10-15 18:10 --------- d-----w C:\Documents and Settings\(SomeUserName)\Application Data\Skype
    2007-10-09 21:29 --------- d-----w C:\Documents and Settings\(SomeUserName)\Application Data\Talkback
    2007-10-09 21:28 --------- d-----w C:\Program Files\DivX
    2007-09-20 14:27 478 ----a-w C:\Documents and Settings\(SomeUserName)\Application Data\wklnhst.dat
    2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\asappsrv.dll
    2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\command.exe
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\kaL1uqw0kA6RtA55v3k.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00]
    "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 21:49]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 07:17]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 07:13]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 07:17]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 00:46]
    "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30]
    "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 15:38]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 10:03]
    "RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 10:58]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 12:39:30]
    hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2002-12-02 12:56:10]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^(SomeUserName)^Start Menu^Programs^StartUp^Vongo Tray.lnk]
    path=C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\StartUp\Vongo Tray.lnk
    backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    CHDAudPropShortcut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2005-08-02 14:33 159832 --a------ C:\Program Files\Common Files\AOL\1156897658\ee\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
    C:\Program Files\Insider\Insider.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4]
    C:\Program Files\ISM\ISMModule4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule8]
    C:\Program Files\ISM\ISMModule8.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2006-10-30 01:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
    C:\Program Files\QdrPack\QdrPack9.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Viewpoint Manager Service"=2 (0x2)
    "LightScribeService"=2 (0x2)
    "IDriverT"=3 (0x3)
    "cmdService"=2 (0x2)
    "ose"=3 (0x3)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d7329ba-6c03-11db-b200-0014a5b110e8}]
    \Shell\Auto\command - sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abe3725e-7afc-11db-b210-0014a5b110e8}]
    \Shell\Auto\command - sxs.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-08-29 10:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-01 19:46:01 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1188391559.job"
    - C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe4-I
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-24 12:53:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????_??????(?@???????@

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-24 12:54:27
    .
    --- E O F ---


    2) Ran ATF cleaner


    3) New HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:59:17 PM, on 11/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\AOL\1156897658\ee\AOLHostManager.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Common Files\AOL\1156897658\ee\AOLServiceHost.exe
    C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\Capt.Craig.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:80
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 5595 bytes

    My computer is running well. I was getting fairly constant pop-ups from "outerinfo" and "internet service monitor", but since I fixed the 7 files in the HJT log I have not gotten any. I have noticed an Internet Explorer icon that has been appearing on my desktop. I am not sure if it is used by combofix, but when I delete it, it comes back. It basically makes this: http://www.microsoft.com/isapi/redir...r=6&ar=msnhome my homepage. Could be nothing, but it is odd. I appreciate all the help.
    Last edited by PepiMK; 2009-01-15 at 18:11.

  2. #12
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for posting that combofix log; it is helpful and shows infections are still there that were in the first Kaspersky scan.

    (some of this may be gone, this is a doublecheck)

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete everything in that recovery folder
    http://ict.cas.psu.edu/training/howt...vespybot.htm#1

    C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\ <<< delete that folder if there

    C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\ <<< delete the contents of that folder. (a few old files may not delete, they are not a problem, all infections would be recent)

    C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\ <<< delete the contents of that TIF folder. (a few old files may not delete, they are not a problem, all infections would be recent)

    C:\Program Files\Common Files\iiru\ <<< delete that folder and contents if there.

    C:\Program Files\InstallShield Installation Information\mefenega77798.exe <<< delete that file if there.

    C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\ <<< delete that folder and contents if there.

    Delete combo fix, C:\qoobox\quarantine and any other tool we used. If we used ATF-Cleaner you may keep it.

    Please empty the Recycle Bin on your Desktop and restart your computer.

    Now let's clean the System Restore files:
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Run a new Kaspersky scan using these settings:
    Run this online scan using Internet Explorer:
    Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

    Next Click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here. If you have no questions about the results, there is no need to post it. Let me know how the computer is running now.

    Thanks
    Last edited by PepiMK; 2009-01-15 at 18:12.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #13
    Junior Member
    Join Date
    Nov 2007
    Posts
    20


    OK...here are the results:

    1) Spybot recovery cleaned

    2)C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\ <<< Not found

    3)C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\ <<< one file inside, won't delete

    4)C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\ <<< All files deleted

    5)C:\Program Files\Common Files\iiru\ <<< Folder not found :(

    6)C:\Program Files\InstallShield Installation Information\mefenega77798.exe <<< found and deleted

    7)C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\ <<< found and deleted

    8)Delete combo fix, C:\qoobox\quarantine and any other tool we used <<< Done

    9)empty the Recycle Bin <<< Done

    10) System restore complete

    11) Kaspersky Online Results....

    Saturday, November 24, 2007 4:42:12 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 24/11/2007
    Kaspersky Anti-Virus database records: 436036


    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 61642
    Number of viruses found 6
    Number of infected objects 14
    Number of suspicious objects 0
    Duration of the scan process 01:17:44

    Infected Object Name Virus Name Last Action
    C:\417C.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

    C:\417C.tmp NSIS: infected - 1 skipped

    C:\4186.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped

    C:\63.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

    C:\63.tmp NSIS: infected - 1 skipped

    C:\66.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped

    C:\Documents and Settings\All Users\Application Data\AOL\browser\history.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Aim\pegajowo\RuskinRaider03\cert8.db Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Aim\pegajowo\RuskinRaider03\key3.db Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe Infected: Trojan-Downloader.Win32.Agent.fcp skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-74ed3802/vmain.class Infected: Exploit.Java.Gimsh.b skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-74ed3802 ZIP: infected - 1 skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2ba14357/vmain.class Infected: Exploit.Java.Gimsh.b skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2ba14357 ZIP: infected - 1 skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-4c7e5a39/vmain.class Infected: Exploit.Java.Gimsh.b skipped

    C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-4c7e5a39 ZIP: infected - 1 skipped

    C:\Documents and Settings\(SomeUserName)\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\History\History.IE5\MSHist012007112420071125\index.dat Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\~DF70D3.tmp Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP257\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\mrofinu72.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\EventCache\{7762DA66-24C0-4CEC-B8F1-CFD560FB47B2}.bin Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\default Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\software Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\system Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    The computer is running fine, and I have no obvious problems, but the Kaspersky appears to show a few things are still hanging around. Let me know what you think.

    Thanks for all your help
    Last edited by PepiMK; 2009-01-15 at 18:13.

  4. #14
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks for returning your information and the feedback, I expected a few, combofix is close to a miracle but it can't find everything.

    Kaspersky Online Scan: Saturday, November 24, 2007 4:42:12 PM
    Number of infected objects 14

    Delete the files in red:
    C:\417C.tmp
    C:\4186.tmp
    C:\63.tmp
    C:\66.tmp
    C:\WINDOWS\mrofinu72.exe
    C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe

    Clean out the Java cache:
    C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\
    http://support.f-secure.com/enu/home...avacache.shtml

    I think that's it, don't post a clean Kaspersky scan, just let me know. I have valuable closing information for you at that point.

    Thanks...Phil
    Last edited by PepiMK; 2009-01-15 at 18:13.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
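
Added example, not part of the original thread or any poster's code: one way to turn the Kaspersky text report from post #13 into the cleanup list given in post #14 and to check that list against the report's own statistics. It assumes, from how the rows pair up in this report, that a "/" in a path marks a member inside an archive and that "infected objects" counts both member rows and container rows; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rows copied from the Kaspersky report in post #13: all 14 infected rows plus
# three "Object is locked" rows for contrast. The rest of the report is omitted.
REPORT = r"""
Number of viruses found 6
Number of infected objects 14
C:\417C.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\417C.tmp NSIS: infected - 1 skipped
C:\4186.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\63.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\63.tmp NSIS: infected - 1 skipped
C:\66.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users\Application Data\AOL\browser\history.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe Infected: Trojan-Downloader.Win32.Agent.fcp skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-74ed3802/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-74ed3802 ZIP: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2ba14357/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2ba14357 ZIP: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-4c7e5a39/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-4c7e5a39 ZIP: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\NTUSER.DAT Object is locked skipped
C:\WINDOWS\mrofinu72.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Paths contain spaces, so each row is matched from its status text backwards.
ROW = re.compile(
    r"(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"            # a detection on a file or archive member
    r"|(?P<fmt>[A-Z0-9]+): infected - \d+"   # summary row for an infected container
    r"|Object is locked) "                   # file in use, not scanned
    r"(?P<action>\w+)"
)
STAT = re.compile(r"Number of (viruses found|infected objects) (\d+)")


def parse(report):
    """Return (statistics, rows) from the text of a saved report."""
    stats, rows = {}, []
    for line in report.splitlines():
        line = line.strip()
        m = STAT.fullmatch(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
            continue
        m = ROW.fullmatch(line)
        if m:
            rows.append(m.groupdict())
    return stats, rows


def triage(rows):
    """Group detections by the on-disk file that has to be removed."""
    detections = defaultdict(set)  # on-disk file -> detection names
    archive_rows, locked = [], 0
    for r in rows:
        if r["name"]:
            # Assumption: "\" is the path separator, "/" introduces an archive member.
            detections[r["path"].split("/", 1)[0]].add(r["name"])
        elif r["fmt"]:
            archive_rows.append(r["path"])
        else:
            locked += 1  # locked files are noise for cleanup purposes
    return {
        "targets": sorted(detections),
        "names": {n for names in detections.values() for n in names},
        "infected_rows": sum(1 for r in rows if r["name"]) + len(archive_rows),
        "orphan_archives": sorted(set(archive_rows) - set(detections)),
        "locked": locked,
    }


def reconcile(stats, result):
    """True when the parsed rows account for the report's own statistics."""
    return (stats.get("infected objects") == result["infected_rows"]
            and stats.get("viruses found") == len(result["names"])
            and not result["orphan_archives"])


if __name__ == "__main__":
    stats, rows = parse(REPORT)
    result = triage(rows)
    print("statistics reconcile:", reconcile(stats, result))
    for path in result["targets"]:
        print(path)
```

The nine targets it prints are the six files listed in post #14 plus the three Java cache entries that the "clean out the Java cache" step covers.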

  5. #15
    Junior Member
    Join Date
    Nov 2007
    Posts
    20


    All files you listed in the last post were deleted

    Ran another Kaspersky scan and it shows that there are still some infected files hanging around:

    Saturday, November 24, 2007 7:08:51 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 25/11/2007
    Kaspersky Anti-Virus database records: 436049


    Scan Settings
    Scan using the following antivirus database standard
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects 62121
    Number of viruses found 6
    Number of infected objects 14
    Number of suspicious objects 0
    Duration of the scan process 01:09:46

    Infected Object Name Virus Name Last Action
    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc2.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc2.tmp NSIS: infected - 1 skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc3.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc4.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc4.tmp NSIS: infected - 1 skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc5.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc6.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc7.exe Infected: Trojan-Downloader.Win32.Agent.fcp skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\22\10453ed6-74ed3802/vmain.class Infected: Exploit.Java.Gimsh.b skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\22\10453ed6-74ed3802 ZIP: infected - 1 skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\47\bd7ce2f-2ba14357/vmain.class Infected: Exploit.Java.Gimsh.b skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\47\bd7ce2f-2ba14357 ZIP: infected - 1 skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\52\1c9644b4-4c7e5a39/vmain.class Infected: Exploit.Java.Gimsh.b skipped

    C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\52\1c9644b4-4c7e5a39 ZIP: infected - 1 skipped

    Scan process completed.

    Let me know what you think.

    Thanks,

    Capt. Craig
    Last edited by PepiMK; 2009-01-15 at 18:14.

  6. #16
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Kaspersky Online Scanner >>> Number of infected objects 14

    Please empty the Recycle Bin on your Desktop and restart your computer
    C:\RECYCLER\ <<< Recycle Bin: http://www.microsoft.com/resources/d....mspx?mfr=true

    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
