blade00007
2007-09-21, 18:03
I work for the IT department of a company. One of our computers got infected. The computer is in another state from where I am located, so all of the work was done remotely. I ran SmitfraudFix, ran ComboFix; Spybot wasn't able to remove Smitfraud, but I finally got it. I wasn't able to access the registry and Control Panel. Now I am afraid to reboot. There is this folder called UGA6P in my C:\ directory, and whenever I try to delete it, it says access denied. I deleted some registry keys referring to that file, but still can't delete it.
Spybot keeps finding that same problem but can't remove it. Attached are my HJT log and Kaspersky Online log. When the computer got infected, the antivirus definitions were out of date.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 21, 2007 6:32:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 21/09/2007
Kaspersky Anti-Virus database records: 421572
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
C:\
Scan Statistics:
Total number of scanned objects: 35953
Number of viruses found: 18
Number of infected objects: 50
Number of suspicious objects: 2
Duration of the scan process: 00:36:12
Infected Object Name / Virus Name / Last Action
C:\Backup\UltraVNC-101-Setup.exe/file130 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\Backup\UltraVNC-101-Setup.exe/file131 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\Backup\UltraVNC-101-Setup.exe Inno: infected - 2 skipped
C:\Documents and Settings\Administrator\Desktop\UltraVNC-102-Setup.exe/file04 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Administrator\Desktop\UltraVNC-102-Setup.exe/file05 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Documents and Settings\Administrator\Desktop\UltraVNC-102-Setup.exe/file34 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Documents and Settings\Administrator\Desktop\UltraVNC-102-Setup.exe Inno: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VarioAntiVirus7.zip/Activate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VarioAntiVirus7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\cabazon.us\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\cabazon.us\Desktop\IT Tools\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\cabazon.us\Desktop\IT Tools\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\cabazon.us\Desktop\IT Tools\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\cabazon.us\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\cabazon.us\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\cabazon.us\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cabazon.us\Local Settings\Temp\JETD053.tmp Object is locked skipped
C:\Documents and Settings\cabazon.us\Local Settings\Temp\~DFB669.tmp Object is locked skipped
C:\Documents and Settings\cabazon.us\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cabazon.us\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\cabazon.us\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\opt\Paymentech\logs\eCommerce.log Object is locked skipped
C:\opt\Paymentech\logs\engine.log Object is locked skipped
C:\pos\VRP.ldf Object is locked skipped
C:\pos\VRP.mdf Object is locked skipped
C:\Program Files\CA\eTrustITM\DB\rtmaster.dbf Object is locked skipped
C:\Program Files\CA\eTrustITM\DB\rtmaster.ntx Object is locked skipped
C:\Program Files\Common Files\eEye Digital Security\Application Bus\REM Client\Queue\00000002.MMF Object is locked skipped
C:\Program Files\Common Files\eEye Digital Security\Application Bus\REM Client\Queue\file.lck Object is locked skipped
C:\Program Files\eEye Digital Security\Blink\Logs\evtlog.db Object is locked skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK/files/C/Temp/bY001%2Eexe/data0002/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK/files/C/Temp/bY001%2Eexe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK/files/C/Temp/bY001%2Eexe/data0003 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK/files/C/Temp/bY001%2Eexe/data0004 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK/files/C/Temp/bY001%2Eexe/data0005 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK/files/C/Temp/bY001%2Eexe/data0006 Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK/files/C/Temp/bY001%2Eexe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA37-D9614BE7-0-W32%2FDLoader%2EDACQ%2Edropper.BAK ZIP: infected - 7 skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA38-BD332ECE-0-W32%2FWinFixer%2EAAI.BAK/files/C/Documents and Settings/cabazon%2Eus/Application Data/winantiviruspro2007freeinstall[1]%2Eexe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA38-BD332ECE-0-W32%2FWinFixer%2EAAI.BAK ZIP: infected - 1 skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\qoobox\Quarantine\C\DOCUME~1\cabazon.us\APPLIC~1\PPATCH~1\jаvaw.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000008.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000008.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000008.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000008.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000009.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000009.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000009.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000009.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000010.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000012.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000014.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000096.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\A0000096.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP3\change.log Object is locked skipped
C:\UltraVNC-101-Setup.exe/file130 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\UltraVNC-101-Setup.exe/file131 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e skipped
C:\UltraVNC-101-Setup.exe Inno: infected - 2 skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070917-133047.backup Infected: Trojan.Win32.Qhost.my skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070917-133424.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070918-125830.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070919-115157.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\drivers\etc\hosts.20070919-131109.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1924 Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
*******************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:41 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\EloSrvce.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\pos\rpccEngine.exe
C:\opt\Paymentech\lib\PTService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\blink.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AM.WJ.MS.LVMH
O17 - HKLM\Software\..\Telephony: DomainName = AM.WJ.MS.LVMH
O17 - HKLM\System\CCS\Services\Tcpip\..\{26461EF5-CF12-41F7-9A86-C18311564999}: NameServer = 10.188.40.2,10.88.26.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AM.WJ.MS.LVMH
O17 - HKLM\System\CS1\Services\Tcpip\..\{26461EF5-CF12-41F7-9A86-C18311564999}: NameServer = 10.188.40.2,10.88.26.76
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Paymentech Linehandler Service (PTService) - iTeamSolutions - C:\opt\Paymentech\lib\PTService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsyxyrtipr.html
--
End of file - 4707 bytes
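Added example, not part of the original post and not code from any of the tools it mentions: a small Python script that parses lines in the Kaspersky Online Scanner report format shown above and sorts each finding into a bucket, so a report with "50 infected objects" can be read for what actually needs action. It assumes the three line shapes visible in the report (a detection, an "Object is locked" entry, and a container summary such as "ZIP: infected - 7"), and it assumes the quarantine locations of the tools present on this machine (ComboFix's C:\qoobox, eEye Blink's Quarantine folder, Spybot's Recovery folder, System Restore points, and the timestamped hosts.*.backup copies). All sample lines are copied from the report above except the last one, which is constructed so the LIVE bucket is exercised.

```python
"""Triage a Kaspersky Online Scanner report into actionable vs. already-contained findings.

Added example; not part of the original post. Report lines have the shape
"<path> <verdict> <action>". Each finding is sorted into a bucket:

  LIVE       a malware detection at a path the system would actually load
  RISKTOOL   Kaspersky's "not-a-virus:" class (remote-admin tools, reboot helpers, adware)
  CONTAINED  inside a quarantine folder, a System Restore point, or a timestamped backup
  SUSPICIOUS heuristic verdicts (e.g. password-protected EXE) that need a manual look
  LOCKED     files the scanner could not open (hives, databases, logs); not detections

Container summary lines ("ZIP: infected - 7") are dropped: they repeat the inner entries.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<kind>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>ZIP|Inno|NSIS): (?:infected|suspicious) - \d+)"
    r" (?P<action>\S+)$"
)

# Path fragments (lower-cased) that mean "already out of the execution path" on this box:
# ComboFix (qoobox), eEye Blink and Spybot keep copies of what they removed, and System
# Restore points snapshot old binaries. Assumption: these are the only such locations.
CONTAINED_MARKERS = (
    "\\qoobox\\quarantine\\",
    "\\blink\\quarantine\\",
    "\\system volume information\\_restore",
    "\\spybot - search & destroy\\recovery\\",
)


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str
    bucket: str


def is_contained(path: str) -> bool:
    p = path.lower()
    if any(marker in p for marker in CONTAINED_MARKERS):
        return True
    # hosts.<timestamp>.backup beside drivers\etc\hosts is a saved copy, not the active file
    return "\\drivers\\etc\\hosts." in p and p.endswith(".backup")


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for one report line, or None for blank, summary or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("container"):
        return None
    path = m.group("path")
    if m.group("locked"):
        return Finding(path, "locked", "LOCKED")
    name = m.group("name")
    if is_contained(path):
        bucket = "CONTAINED"
    elif m.group("kind") == "Suspicious":
        bucket = "SUSPICIOUS"
    elif name.startswith("not-a-virus:"):
        bucket = "RISKTOOL"
    else:
        bucket = "LIVE"
    return Finding(path, name, bucket)


def triage(report: str) -> dict:
    """Group every parseable finding in the report text by bucket name."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        finding = parse_line(line)
        if finding:
            buckets[finding.bucket].append(finding)
    return dict(buckets)


# Sample input: lines copied verbatim from the report above, plus one constructed line.
SAMPLE_LINES = [
    r"C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped",
    r"C:\qoobox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped",
    r"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000010.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped",
    r"C:\Program Files\eEye Digital Security\Blink\Quarantine\01C7FA38-BD332ECE-0-W32%2FWinFixer%2EAAI.BAK ZIP: infected - 1 skipped",
    r"C:\WINDOWS\system32\drivers\etc\hosts.20070917-133047.backup Infected: Trojan.Win32.Qhost.my skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VarioAntiVirus7.zip/Activate.exe Suspicious: Password-protected-EXE skipped",
    # constructed line, not from the report: a hit at a live path lands in LIVE
    r"C:\WINDOWS\system32\example_live.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped",
]
SAMPLE_REPORT = "\n".join(SAMPLE_LINES)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.verdict}  {f.path}")
```

Run as-is it prints the bucket counts for the sample; paste the whole report in and LIVE is the list that needs action. Applied to the log above, every Trojan-* verdict sits in C:\qoobox, the Blink quarantine or a restore point, the Qhost hits are the timestamped hosts backups, and the only live-path entries are riskware the admin installed (UltraVNC, SmitfraudFix's Reboot.exe). Two caveats: the scanner only reports files it could open, so the locked hives and databases are unscanned rather than clean, and neither the UGA6P folder nor the O24 desktop component from the HijackThis log appears in this report at all.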
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\pos\rpccEngine.exe
C:\opt\Paymentech\lib\PTService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\blink.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AM.WJ.MS.LVMH
O17 - HKLM\Software\..\Telephony: DomainName = AM.WJ.MS.LVMH
O17 - HKLM\System\CCS\Services\Tcpip\..\{26461EF5-CF12-41F7-9A86-C18311564999}: NameServer = 10.188.40.2,10.88.26.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AM.WJ.MS.LVMH
O17 - HKLM\System\CS1\Services\Tcpip\..\{26461EF5-CF12-41F7-9A86-C18311564999}: NameServer = 10.188.40.2,10.88.26.76
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\blinksvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Paymentech Linehandler Service (PTService) - iTeamSolutions - C:\opt\Paymentech\lib\PTService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsyxyrtipr.html
--
End of file - 4707 bytes