
VirtuMonde persists



Camilloi
2007-09-03, 02:34
Cannot eradicate Virtumonde with spybot
"errors occurred when this message was submitted:
The text that you have entered is too long (24863 characters). Please shorten it to 20000 characters long."

Will resend remainder of 1st log and 2nd log later
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 02, 2007 6:30:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/09/2007
Kaspersky Anti-Virus database records: 402634

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 67050
Number of viruses found: 14
Number of infected objects: 61
Number of suspicious objects: 0
Duration of the scan process: 00:58:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1085031214-162531612-725345543-500\64ef0449f7ed672f70816ad7aa9804d2_85963c6d-0c92-4623-a1c4-034740e94283 Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1085031214-162531612-725345543-500\adb61d95-9624-4786-b96c-f25d2ef4e824 Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1085031214-162531612-725345543-500\Preferred Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Favorites\Desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Favorites\Links\Customize Links.url Object is locked skipped
C:\Documents and Settings\Administrator\Favorites\Links\Free Hotmail.url Object is locked skipped
C:\Documents and Settings\Administrator\Favorites\Links\Windows Media.url Object is locked skipped
C:\Documents and Settings\Administrator\Favorites\Links\Windows.url Object is locked skipped
C:\Documents and Settings\Administrator\Favorites\MSN.com.url Object is locked skipped
C:\Documents and Settings\Administrator\Favorites\Radio Station Guide.url Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\datBD.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\installutilities.dll Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~3.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7ZAA7V62\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9WPV8IGB\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I13IVBFG\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\STEFW167\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Music\Sample Music.lnk Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Pictures\Sample Pictures.lnk Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.ini Object is locked skipped
C:\Documents and Settings\Administrator\Recent\Desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail Object is locked skipped
C:\Documents and Settings\Administrator\SendTo\My Documents.mydocs Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Address Book.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Outlook Express.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini Object is locked skipped
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk Object is locked skipped
C:\Documents and Settings\Administrator\Templates\amipro.sam Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\excel4.xls Object is locked skipped
C:\Documents and Settings\Administrator\Templates\lotus.wk4 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\powerpnt.ppt Object is locked skipped
C:\Documents and Settings\Administrator\Templates\presenta.shw Object is locked skipped
C:\Documents and Settings\Administrator\Templates\quattro.wb2 Object is locked skipped
C:\Documents and Settings\Administrator\Templates\sndrec.wav Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\winword2.doc Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpd Object is locked skipped
C:\Documents and Settings\Administrator\Templates\wordpfct.wpg Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{5B7F38C8-21C2-49F5-AB1F-32941E6B6BC5}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR6.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Camillo\Local Settings\Temp\RarSFX0\LogMeIn.msi/data.cab/LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\Camillo\Local Settings\Temp\RarSFX0\LogMeIn.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\Camillo\Local Settings\Temp\RarSFX0\LogMeIn.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\Camillo\Local Settings\Temp\RarSFX0\LogMeIn.msi Embedded: infected - 3 skipped
C:\Documents and Settings\Camillo\Local Settings\Temporary Internet Files\Content.IE5\OT9OLH5Z\idien[1] Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\KMong\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped
C:\Documents and Settings\KMong\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Temp\~DFDB5F.tmp Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Temp\~DFDB6D.tmp Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Temporary Internet Files\Content.IE5\PPWQBM6A\bind[2].htm Object is locked skipped
C:\Documents and Settings\KMong\Local Settings\Temporary Internet Files\Content.IE5\W46P5GDM\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\KMong\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\KMong\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Bin.zip/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Bin.zip/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Bin.zip/winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Bin.zip ZIP: infected - 3 skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-102-Setup.exe Inno: infected - 3 skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-Viewer-102.zip/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Program Files\Downloaded Programs\UltraVNC\Downloaded Files\UltraVNC-Viewer-102.zip ZIP: infected - 1 skipped
C:\Program Files\LogMeIn\update\2-30-539.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-545.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP527\A0025514.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP527\A0025515.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP527\A0025516.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP527\A0025549.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lh skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP538\A0025766.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP538\A0025767.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP538\A0025770.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP538\A0025773.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lh skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP538\A0025774.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP541\A0026022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lp skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP552\A0027022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lq skipped
C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP560\change.log Object is locked skipped
_______
c:\Windows etc. deferred till next posting per size of message. Your help is appreciated! -Camillo

Camilloi
2007-09-03, 02:37
errors occurred when this message was submitted:
The text that you have entered is too long (24863 characters). Please shorten it to 20000 characters long.

had deferred portion of log, now copied below:

C:\System Volume Information\_restore{3531B426-DC55-4761-BECE-40CFE8FDD71D}\RP560\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\afruwldv.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\byoqwjqn.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dwtdlrdw.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\eafjnvev.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\WINDOWS\system32\eisxhvyb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\system32\esmwsktv.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\fwmfeqxg.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\gjwpplph.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\gtwunqsn.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hggdccy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\ioihaapb.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\jkklm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\WINDOWS\system32\kjiqiiev.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\lcwuxlek.dll Infected: Trojan.Win32.BHO.bw skipped
C:\WINDOWS\system32\LMIinit.dll.000.bak Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\lsgargyh.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\mdfxofhy.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\myruslrq.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\nawtwfef.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\nefcnhah.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\njchalad.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\nqcuorcs.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\odmyfiag.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\odveqach.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\pivuibyl.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped
C:\WINDOWS\system32\ubpynnxd.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\ubwxsamf.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\WINDOWS\system32\vfyiaqqs.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wefgkfdg.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\xaddldkk.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\system32\xggtsqgv.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\xhkxkaxf.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\WINDOWS\Temp\mcafee_VYafq5QLJJrdWFl Object is locked skipped
C:\WINDOWS\Temp\mcmsc_a4ihr5DU6m2FnRB Object is locked skipped
C:\WINDOWS\Temp\mcmsc_BO0Egy3bI9w8S63 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_zkRrw92Fw6E1CaW Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Will send HJT log as part 3

Camilloi
2007-09-03, 02:37
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:14 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\system32\ynkuafxm.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=yj_wsad&ltmplcache=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ixbruugc.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-21-1085031214-162531612-725345543-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Camillo')
O4 - HKUS\S-1-5-21-1085031214-162531612-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Camillo')
O4 - HKUS\S-1-5-21-1085031214-162531612-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Camillo')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-21-1085031214-162531612-725345543-1003 Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Camillo')
O4 - S-1-5-21-1085031214-162531612-725345543-1003 User Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Camillo')
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: DomainService - - C:\WINDOWS\system32\ynkuafxm.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 7809 bytes

-Camilloi

Mr_JAk3
2007-09-03, 20:54
Hello and welcome to the Forums :)

You're infected.

Are you using this LogMeIn application?

Please rename HijackThis.exe to skanneri.exe

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis (skanneri.exe) log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Camilloi
2007-09-03, 21:53
Thanks
I am using Logmein
HJT log: (skanneri.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:26 PM, on 9/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ynkuafxm.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Trend Micro\HijackThis\skanneri.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=yj_wsad&ltmplcache=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22E563E0-1F47-4D76-8675-99FA4EE342E7} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {4E733C35-3872-4017-8AC6-35BB5BFD358F} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5A17E3CD-D4ED-4D3E-B53A-880A5684CF95} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {75DF1CDC-5689-4DA5-93DD-7CB6C61C4B52} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-21-1085031214-162531612-725345543-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Camillo')
O4 - HKUS\S-1-5-21-1085031214-162531612-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Camillo')
O4 - HKUS\S-1-5-21-1085031214-162531612-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Camillo')
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - S-1-5-21-1085031214-162531612-725345543-1003 Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Camillo')
O4 - S-1-5-21-1085031214-162531612-725345543-1003 User Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe (User 'Camillo')
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\FRU\Remind32.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: DomainService - - C:\WINDOWS\system32\ynkuafxm.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 8554 bytes


VundoFix log:

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 2:33:11 PM 9/3/2007

Listing files found while scanning....

C:\windows\system32\byvhxsie.ini
C:\windows\system32\cguurbxi.ini
C:\windows\system32\cvusqiyn.dll
C:\windows\system32\eafjnvev.dll
C:\windows\system32\eisxhvyb.dll
C:\windows\system32\euegeghj.dll
C:\windows\system32\eupriivl.dll
C:\windows\system32\eyjqgqcf.ini
C:\windows\system32\fcqgqjye.dll
C:\windows\system32\gclotdhj.ini
C:\WINDOWS\system32\gyhqwkju.dll
C:\WINDOWS\system32\hggdccy.dll
C:\windows\system32\hpmsqygn.ini
C:\windows\system32\iowceqgy.ini
C:\windows\system32\ixbruugc.dll
C:\windows\system32\janwobwn.ini
C:\windows\system32\jhdtolcg.dll
C:\windows\system32\jhgegeue.ini
C:\WINDOWS\system32\jkklm.dll
C:\windows\system32\jomxjtal.dll
C:\windows\system32\kmninxkl.ini
C:\windows\system32\kukminqv.dll
C:\windows\system32\kxwpdidw.dll
C:\windows\system32\latjxmoj.ini
C:\WINDOWS\system32\lcwuxlek.dll
C:\windows\system32\lghsuqfq.ini
C:\windows\system32\lkxninmk.dll
C:\windows\system32\lviirpue.ini
C:\WINDOWS\system32\ngyqsmph.dll
C:\windows\system32\nwbownaj.dll
C:\windows\system32\nyiqsuvc.ini
C:\windows\system32\qfqushgl.dll
C:\windows\system32\qrjqheir.dll
C:\windows\system32\riehqjrq.ini
C:\windows\system32\vevnjfae.ini
C:\windows\system32\vqnimkuk.ini
C:\windows\system32\wdidpwxk.ini
C:\windows\system32\ygqecwoi.dll
C:\WINDOWS\system32\ymiykvig.dll

Beginning removal...

Attempting to delete C:\windows\system32\byvhxsie.ini
C:\windows\system32\byvhxsie.ini Has been deleted!

Attempting to delete C:\windows\system32\cguurbxi.ini
C:\windows\system32\cguurbxi.ini Has been deleted!

Attempting to delete C:\windows\system32\cvusqiyn.dll
C:\windows\system32\cvusqiyn.dll Has been deleted!

Attempting to delete C:\windows\system32\eafjnvev.dll
C:\windows\system32\eafjnvev.dll Has been deleted!

Attempting to delete C:\windows\system32\eisxhvyb.dll
C:\windows\system32\eisxhvyb.dll Has been deleted!

Attempting to delete C:\windows\system32\euegeghj.dll
C:\windows\system32\euegeghj.dll Has been deleted!

Attempting to delete C:\windows\system32\eupriivl.dll
C:\windows\system32\eupriivl.dll Has been deleted!

Attempting to delete C:\windows\system32\eyjqgqcf.ini
C:\windows\system32\eyjqgqcf.ini Has been deleted!

Attempting to delete C:\windows\system32\fcqgqjye.dll
C:\windows\system32\fcqgqjye.dll Has been deleted!

Attempting to delete C:\windows\system32\gclotdhj.ini
C:\windows\system32\gclotdhj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\gyhqwkju.dll
C:\WINDOWS\system32\gyhqwkju.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggdccy.dll
C:\WINDOWS\system32\hggdccy.dll Has been deleted!

Attempting to delete C:\windows\system32\hpmsqygn.ini
C:\windows\system32\hpmsqygn.ini Has been deleted!

Attempting to delete C:\windows\system32\iowceqgy.ini
C:\windows\system32\iowceqgy.ini Has been deleted!

Attempting to delete C:\windows\system32\ixbruugc.dll
C:\windows\system32\ixbruugc.dll Has been deleted!

Attempting to delete C:\windows\system32\janwobwn.ini
C:\windows\system32\janwobwn.ini Has been deleted!

Attempting to delete C:\windows\system32\jhdtolcg.dll
C:\windows\system32\jhdtolcg.dll Has been deleted!

Attempting to delete C:\windows\system32\jhgegeue.ini
C:\windows\system32\jhgegeue.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\jkklm.dll Has been deleted!

Attempting to delete C:\windows\system32\jomxjtal.dll
C:\windows\system32\jomxjtal.dll Has been deleted!

Attempting to delete C:\windows\system32\kmninxkl.ini
C:\windows\system32\kmninxkl.ini Has been deleted!

Attempting to delete C:\windows\system32\kukminqv.dll
C:\windows\system32\kukminqv.dll Has been deleted!

Attempting to delete C:\windows\system32\kxwpdidw.dll
C:\windows\system32\kxwpdidw.dll Has been deleted!

Attempting to delete C:\windows\system32\latjxmoj.ini
C:\windows\system32\latjxmoj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lcwuxlek.dll
C:\WINDOWS\system32\lcwuxlek.dll Has been deleted!

Attempting to delete C:\windows\system32\lghsuqfq.ini
C:\windows\system32\lghsuqfq.ini Has been deleted!

Attempting to delete C:\windows\system32\lkxninmk.dll
C:\windows\system32\lkxninmk.dll Has been deleted!

Attempting to delete C:\windows\system32\lviirpue.ini
C:\windows\system32\lviirpue.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ngyqsmph.dll
C:\WINDOWS\system32\ngyqsmph.dll Has been deleted!

Attempting to delete C:\windows\system32\nwbownaj.dll
C:\windows\system32\nwbownaj.dll Has been deleted!

Attempting to delete C:\windows\system32\nyiqsuvc.ini
C:\windows\system32\nyiqsuvc.ini Has been deleted!

Attempting to delete C:\windows\system32\qfqushgl.dll
C:\windows\system32\qfqushgl.dll Has been deleted!

Attempting to delete C:\windows\system32\qrjqheir.dll
C:\windows\system32\qrjqheir.dll Has been deleted!

Attempting to delete C:\windows\system32\riehqjrq.ini
C:\windows\system32\riehqjrq.ini Has been deleted!

Attempting to delete C:\windows\system32\vevnjfae.ini
C:\windows\system32\vevnjfae.ini Has been deleted!

Attempting to delete C:\windows\system32\vqnimkuk.ini
C:\windows\system32\vqnimkuk.ini Has been deleted!

Attempting to delete C:\windows\system32\wdidpwxk.ini
C:\windows\system32\wdidpwxk.ini Has been deleted!

Attempting to delete C:\windows\system32\ygqecwoi.dll
C:\windows\system32\ygqecwoi.dll Has been deleted!

Performing Repairs to the registry.
Done!

Thanks for your help -Camillo

Mr_JAk3
2007-09-04, 20:48
Hi again, we'll continue :)

You have some Norton leftovers there. I recommend that you run this uninstaller utility (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039) to clean these leftovers.

You should print these instructions or save them to a text file. Follow these instructions carefully.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

ynkuafxm.exe


Disable the bad service
Start
Run
Type services.msc into the field and press Enter.
A window opens, scroll down to DomainService
Right-click it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK: DomainService
Answer Yes
Close HijackThis
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {22E563E0-1F47-4D76-8675-99FA4EE342E7} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {4E733C35-3872-4017-8AC6-35BB5BFD358F} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {5A17E3CD-D4ED-4D3E-B53A-880A5684CF95} - C:\WINDOWS\system32\jkklm.dll (file missing)
O2 - BHO: (no name) - {75DF1CDC-5689-4DA5-93DD-7CB6C61C4B52} - (no file)


Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Open "My Computer" and delete the following files (if present):
C:\WINDOWS\system32\ynkuafxm.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Restart the computer to the normal mode.

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols.shtml)

Note: This Scanner is for Internet Explorer Only!
Follow the Instruction Here (http://support.f-secure.com/enu/home/ols.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply along with a fresh HijackThis log.

Camilloi
2007-09-06, 05:45
There is only one process in your list to end (ynkuafxm.exe), but when I select it and "End Process" in Task Manager, it remains. Should I continue with other instructions already sent or await revised instructions?
Thanks, Camillo

Mr_JAk3
2007-09-06, 20:49
Ok thanks for letting me know :)

Just continue with the instructions. :bigthumb:

tashi
2007-09-17, 18:46
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.