-
Virtumonde.dll, Win32.Monder
Spybot identified Virtumonde.dll and when it tried to remove it (in safe mode) I got he message below and spyb froze.
Here are the kaspersky and hijackthis logs.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 04, 2008 1:15:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/05/2008
Kaspersky Anti-Virus database records: 738491
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 85161
Number of viruses found: 2
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 01:35:28
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
E:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
E:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\cnjfesby.dll_old.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\gbimebeg.dll.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\iwblrkmy.dll.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\jdypusjo.dll.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\pfepugmb.dll.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\ppmpnnta.dll_old.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\tsrewrpy.dll.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\wcmnchhv.dll.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\.housecall6.6\Quarantine\wkmcnams.dll.bac_a00776 Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
E:\Documents and Settings\KJohn\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
E:\Documents and Settings\KJohn\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
E:\Documents and Settings\KJohn\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\History\History.IE5\MSHist012008050420080505\index.dat Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\Temp\eatcdwyu.dll Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\Temp\qgkhrced.dll Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\Temporary Internet Files\Content.IE5\G6VVGWUU\idkfa[1] Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\Local Settings\Temporary Internet Files\Content.IE5\G6VVGWUU\rld[1] Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\KJohn\Local Settings\Temporary Internet Files\Content.IE5\IPTT5DYE\glas[1] Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\Local Settings\Temporary Internet Files\Content.IE5\W0KQZQ0B\kriv[1] Infected: Packed.Win32.Monder.gen skipped
E:\Documents and Settings\KJohn\My Documents\Downloads\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
E:\Documents and Settings\KJohn\My Documents\Downloads\mirc616.exe mIRC: infected - 1 skipped
E:\Documents and Settings\KJohn\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\KJohn\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
E:\Program Files\Sygate\SPF\debug.log Object is locked skipped
E:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
E:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
E:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
E:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{7272C0A1-E49A-48B2-956A-89E689638B15}\RP1\A0000008.exe Infected: Packed.Win32.Monder.gen skipped
E:\System Volume Information\_restore{7272C0A1-E49A-48B2-956A-89E689638B15}\RP2\A0001029.dll Infected: Packed.Win32.Monder.gen skipped
E:\System Volume Information\_restore{7272C0A1-E49A-48B2-956A-89E689638B15}\RP2\A0001030.dll Infected: Packed.Win32.Monder.gen skipped
E:\System Volume Information\_restore{7272C0A1-E49A-48B2-956A-89E689638B15}\RP2\change.log Object is locked skipped
E:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
E:\WINDOWS\SchedLgU.Txt Object is locked skipped
E:\WINDOWS\Sti_Trace.log Object is locked skipped
E:\WINDOWS\system32\acycwius.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\boorfnfh.dll_old Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\default Object is locked skipped
E:\WINDOWS\system32\config\default.LOG Object is locked skipped
E:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
E:\WINDOWS\system32\config\OSession.evt Object is locked skipped
E:\WINDOWS\system32\config\SAM Object is locked skipped
E:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\SECURITY Object is locked skipped
E:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
E:\WINDOWS\system32\config\software Object is locked skipped
E:\WINDOWS\system32\config\software.LOG Object is locked skipped
E:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\system Object is locked skipped
E:\WINDOWS\system32\config\system.LOG Object is locked skipped
E:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
E:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
E:\WINDOWS\system32\drivers\sptd2333.sys Object is locked skipped
E:\WINDOWS\system32\fuhlwbib.dll_old Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\fxuwtema.dll_old Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\gbimebeg.dll_old Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\hgGyvwtt.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\iepvguox.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\ijxuhvfm.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\iorabtmw.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\kkiirrhl.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\ljlxlcqi.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\mwgevkmv.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\ocnawvpw.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\opnnlKbc.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\puypvbau.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\qnpprwrg.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\qpcktecd.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\rogcnxyg.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\sxxycxlr.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\syxteoyc.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\WINDOWS\system32\wfkpijat.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\xbcmldis.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\xxyyxvur.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\yjxlpsrt.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\system32\yobhqdps.dll Infected: Packed.Win32.Monder.gen skipped
E:\WINDOWS\wiadebug.log Object is locked skipped
E:\WINDOWS\wiaservc.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:07, on 04/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Opera\Opera.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\rundll32.exe
E:\Documents and Settings\KJohn\My Documents\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - E:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [egui] "E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [c48f3b91] rundll32.exe "E:\WINDOWS\system32\iepvguox.dll",b
O4 - HKLM\..\Run: [BMe34491f0] Rundll32.exe "E:\WINDOWS\system32\itdrgyhy.dll",s
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://E:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC...EpsonSetup.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file://H:\setup\RiffLick.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/C...ngineQuery.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191943238734
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Regi...18/flashax.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
--
End of file - 5409 bytes
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
