Virtumonde

Peroxidzors
2008-01-31, 07:50
Hi, I noticed my computer running slowly and did a scan using Spybot and it showed up with Virtumonde. I used vundo but it couldn't get rid of it all.

Included are the Kaspersky log and HijackThis log. [too long to fit on one post] Thanks

Peroxidzors
2008-01-31, 07:51
Here's the Kaspersky log.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 30, 2008 8:17:41 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/01/2008
Kaspersky Anti-Virus database records: 538921
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 160902
Number of viruses found: 26
Number of infected objects: 90
Number of suspicious objects: 2
Duration of the scan process: 03:21:44

Infected Object Name / Virus Name / Last Action
C:\alex\VNC\vnc-4_1_1-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
C:\alex\VNC\vnc-4_1_1-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\alex\VNC\vnc-4_1_1-x86_win32.exe Inno: infected - 2 skipped
C:\d.exe Infected: Backdoor.Win32.Agent.alm skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080130_Time-163838750_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080130_Time-163838750_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_MASTER.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_MASTER.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip/lsass.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MalwareAlarm.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/winyrp32.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip/winyrp32.dll_tobedeleted_old Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip/wingga32.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/gos11.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip/gos419.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip/gos3FD.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/ablupggs.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentbid.zip/DefLib.sys Infected: Trojan.Win32.Agent.asu skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentbid.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAlphabetap.zip/Helper9.dll Infected: Trojan-Downloader.Win32.BHO.cf skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAlphabetap.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip/windows Infected: Trojan.Win32.Zapchast.dt skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip/windows Infected: Trojan.Win32.Zapchast.dt skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinInjectbw1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Microsoft\Word\AutoRecovery save of night essay rd.asd Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6302bf39-3f53ec43.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6302bf39-3f53ec43.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6302bf39-3f53ec43.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-6302bf39-3f53ec43.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-12ac277f.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-12ac277f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-3ed086ab.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-3ed086ab.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-35c26815.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-35c26815.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-5f4b17c8.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Ken.MASTER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-5f4b17c8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ken.MASTER\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Desktop\night essay rd.doc Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\History\History.IE5\MSHist012008013020080131\index.dat Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temp\clean_13c5df4b.dll Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temp\clean_1e828.dll Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temp\clean_6e34e.dll Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temp\~DF2847.tmp Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temp\~DF8F9F.tmp Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temp\~DFB01D.tmp Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\0MG3S1UD\cprdshtvt[1].htm Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\0MG3S1UD\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\0MG3S1UD\gamadril20071203[1] Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\0MG3S1UD\niushkmpx[1].htm Infected: Trojan-Downloader.Win32.Searcher.i skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\0MG3S1UD\rvljyazbq[1].htm Infected: Trojan-Dropper.Win32.Mudrop.gi skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\I83PY3YI\apst377[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ez skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\I83PY3YI\lsegihwln[1].txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\I83PY3YI\lsegihwln[2].txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\I83PY3YI\niushkmpx[1].htm Infected: Trojan-Downloader.Win32.Searcher.i skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\I83PY3YI\niushkmpx[2].htm Infected: Trojan-Downloader.Win32.Searcher.i skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\I83PY3YI\rvljyazbq[1].htm Infected: Trojan-Dropper.Win32.Mudrop.gi skipped

Peroxidzors
2008-01-31, 07:52
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\N9JTZRP4\cprdshtvt[1].htm Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\N9JTZRP4\cprdshtvt[2].htm Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\N9JTZRP4\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.esx skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\N9JTZRP4\lsegihwln[1].txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\N9JTZRP4\niushkmpx[1].htm Infected: Trojan-Downloader.Win32.Searcher.i skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\N9JTZRP4\tr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\TANQYI1U\cprdshtvt[1].htm Infected: Trojan-PSW.Win32.Sinowal.gj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\TANQYI1U\css4[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\TANQYI1U\ddos[1].txt Infected: Backdoor.Win32.Agent.alm skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\TANQYI1U\lsegihwln[1].txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\TANQYI1U\rvljyazbq[1].htm Infected: Trojan-Dropper.Win32.Mudrop.gi skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\TANQYI1U\rvljyazbq[2].htm Infected: Trojan-Dropper.Win32.Mudrop.gi skipped
C:\Documents and Settings\Ken.MASTER\Local Settings\Temporary Internet Files\Content.IE5\TANQYI1U\tr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\Documents and Settings\Ken.MASTER\ntuser.dat Object is locked skipped
C:\Documents and Settings\Ken.MASTER\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WO9I0ZBQ\sdfsdf[1].htm Infected: Trojan.Win32.Agent.eeu skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\GameSpot\logs\GameSpot_Download_Service.log Object is locked skipped
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v skipped
C:\Program Files\Outerinfo\OinFP.exe~ Infected: Trojan-Downloader.Win32.Agent.hjs skipped
C:\Program Files\Outerinfo\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.gn skipped
C:\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 1 skipped
C:\quarantine\javainstaller.jar-31f00108-79fd758b.zip.Vir/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\quarantine\javainstaller.jar-31f00108-79fd758b.zip.Vir ZIP: infected - 1 skipped
C:\quarantine\javainstaller.jar-31f07c88-1128db4d.zip.Vir/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\quarantine\javainstaller.jar-31f07c88-1128db4d.zip.Vir ZIP: infected - 1 skipped
C:\quarantine\javainstaller.jar-4514e5ea-59db9f83.zip.Vir/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\quarantine\javainstaller.jar-4514e5ea-59db9f83.zip.Vir ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-2471099463-2743946000-580996415-1007\Dc18.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-2471099463-2743946000-580996415-1007\Dc19.lnk Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VundoFix Backups\btjjkmpv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\fccccax.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dux skipped
C:\VundoFix Backups\fccdcca.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dux skipped
C:\VundoFix Backups\fubuhody.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\geedd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped
C:\VundoFix Backups\gofblnat.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\jkhfg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.etj skipped
C:\VundoFix Backups\kdydgdgy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\opnlmmm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dux skipped
C:\VundoFix Backups\smqwdvxu.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DC1291B6-F8BA-4573-8EDA-E6673105965A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\retx2.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\drvguz.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\SYSTEM32\fccdcca.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dux skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\winyrp32.dll_tobedeleted_old_tobedeleted_old Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xugals.exe Infected: Trojan-Downloader.Win32.Searcher.i skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Peroxidzors
2008-01-31, 07:53
Here is the Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:16 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
C:\Program Files\Last.fm\LastFMHelper.exe
D:\Hijack This\HijackThis.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvguz.dll,startup
O4 - HKLM\..\Run: [64d6673a] rundll32.exe "C:\WINDOWS\system32\tcyntgxc.dll",b
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\Games\Flashget\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\Games\Flashget\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Games\Flashget\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Games\Flashget\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{43615236-87AF-4D75-AEE2-B9F89ED1A35B}: NameServer = 192.168.0.1,68.94.156.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\prime95.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 8733 bytes

pskelley
2008-02-01, 16:59
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You have a bit of a mess here, leftover Vundo, OIN, but it can be cleaned. This is the major problem:
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
http://www.symantec.com/security_response/writeup.jsp?docid=2003-051918-1128-99

Backdoor.IRC.Ratsou.B is a Backdoor Trojan Horse that gives its creator full control over your computer.
Because of this trojan I suggest you pull the plug until you decide how to proceed.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks
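
As an added illustration of why the helper above singles out the `[lsass]` Run entry (and why the two rundll32 entries next to it deserve the same look), here is a small Python triage script. It is not part of the thread, of HijackThis, or of any tool mentioned in it; it parses HijackThis "O4 - HK..\..\Run" lines and flags the patterns a log reader checks by eye: a Run value launching a file named like a core Windows process (the genuine lsass.exe is never started from a Run key, and lives in system32, not in C:\WINDOWS), rundll32 persistence that loads a DLL, and value names that are bare hex blobs. The sample lines are constructed from the log posted above and embedded inline; the heuristics and the function names are this example's own, and their output is a review cue for a human, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines modelled on the HijackThis log posted above.
# It is hypothetical input for this example, not a copy of the thread's log.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvguz.dll,startup
O4 - HKLM\..\Run: [64d6673a] rundll32.exe "C:\WINDOWS\system32\tcyntgxc.dll",b
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
"""

# Genuine copies of these are started by the kernel, the session manager or
# the service controller, never by a Run value, so a Run entry launching a
# file with one of these names is a lookalike wherever it lives on disk.
CORE_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe",
}

# HijackThis O4 line for a Run value: hive, value name in brackets, command.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def split_command(cmd):
    """Split a Run command into (image path, remaining arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(" ", 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def is_hex_blob(name):
    """Value names like 64d6673a are a common sign of generated persistence."""
    return re.fullmatch(r"[0-9a-f]{8}", name.lower()) is not None


def has_no_vowels(stem):
    """Crude randomness check for DLL stems such as tcyntgxc. Expect false
    positives on abbreviations; this is a review cue, not a verdict."""
    s = stem.lower()
    return s.isalpha() and not any(c in "aeiou" for c in s)


def triage_o4(hijackthis_text):
    """Return [(value name, image path, [reasons])] for suspicious Run entries."""
    findings = []
    for line in hijackthis_text.splitlines():
        m = O4_RUN_RE.match(line)
        if not m:
            continue  # Startup-folder O4 lines and other sections are ignored here
        name, cmd = m["name"], m["cmd"]
        image, args = split_command(cmd)
        image_path = PureWindowsPath(image)
        reasons = []
        if image_path.name.lower() in CORE_PROCESS_NAMES:
            reasons.append(
                f"launches core-process lookalike {image_path.name} from {image_path.parent}"
            )
        if image_path.name.lower() == "rundll32.exe":
            # rundll32 persistence: the DLL is the real payload, so name it.
            dll = PureWindowsPath(split_command(args)[0].split(",", 1)[0])
            reasons.append(
                f"rundll32 persistence loading {dll.name}; confirm it is a known component"
            )
            if has_no_vowels(dll.stem):
                reasons.append(f"DLL name {dll.name} looks machine-generated")
        if is_hex_blob(name):
            reasons.append(f"value name {name!r} is a hex blob")
        if reasons:
            findings.append((name, str(image_path), reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in triage_o4(SAMPLE_O4):
        print(f"[{name}] {image}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, the script reports the `[lsass]` entry as a core-process lookalike started from C:\WINDOWS, the `[MSDrive]` entry as rundll32 persistence loading drvguz.dll, and the `[64d6673a]` entry on all three counts, while the iTunes, McAfee and ctfmon entries pass. The lookalike check is the reliable one; the rundll32 and spelling heuristics only prioritise entries for a human to confirm against a known-good baseline.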

Peroxidzors
2008-02-02, 01:56
I think I'll try to reformat my computer.
thanks so much for your help.

pskelley
2008-02-02, 02:32
I understand that decision and would have to do the same were it me. Here is information to help:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

To help prevent problems like this in the future:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Peroxidzors
2008-02-04, 03:59
k I just reformatted the hard drive two days ago and everything seems to be great. thanks for the help and the links/information.