
View Full Version : Virtumonde and Trojans



villager
2008-03-03, 18:22
Have been infected over a week. Tons of "you need to clean your PC" popups and avast antivirus discovers trojans daily. Appreciate some assistance. HijackThis and Kaspersky logs follow:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:20 PM, on 3/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\Rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Amaprt\MainSrv.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\WINNT\sabserv.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Sabre Server.lnk = C:\WINNT\sabserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.agentnet.com
O15 - Trusted Zone: http://webconfig.amadeus.com
O15 - Trusted Zone: http://*.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E19071CA-8BB5-4D47-8020-5B40765324EA}: NameServer = 192.168.0.1,10.255.200.89
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: AmadeusProPrinter - Amadeus - C:\Amaprt\MainSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 4973 bytes

villager
2008-03-03, 18:24
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 10:57:33 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 594132
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51698
Number of viruses found: 3
Number of infected objects: 36
Number of suspicious objects: 0
Duration of the scan process: 01:10:06

Infected Object Name / Virus Name / Last Action
C:\csapi.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-3bf15962.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-3bf15962.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008030320080304\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA3FB.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7DWKW3JB\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7DWKW3JB\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VZ1QEMB7\tr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPKB2HKP\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\WINNT\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINNT\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINNT\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINNT\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\abpmxhjk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\aobopgfa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\axovesks.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\bjxivhen.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\blqpfokq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\bwnygdgs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\bywxgjan.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\cbxuvtt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\ddaba.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
C:\WINNT\system32\ejkyoeip.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\fhtrpjfh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\gnwbhssk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\hokqktdo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\hqxoycag.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\hstqkhee.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\ipxfwjoq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\kqayoscg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\lfahfptd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\mrsbkfpe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\oiijpupr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\qcnjxgcu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\qhopmtjh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\qjidahto.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\rjwqatnc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\sptgorkq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\unxtquqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\uwjwavkp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\woxudbby.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\ywnxjgcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\yysakewo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\Temp\Cookies\index.dat Object is locked skipped
C:\WINNT\Temp\History\History.IE5\index.dat Object is locked skipped
C:\WINNT\Temp\Perflib_Perfdata_5ac.dat Object is locked skipped
C:\WINNT\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINNT\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-03-05, 13:42
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This is another Vundo infection and while it is surely not difficult to get this infection, I want to be sure you followed the advice Shaba posted for you when he cleaned you last.
http://forums.spybot.info/showthread.php?t=13810 <<< 2007-05-22

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Make sure you have the newest version of Java and that any old versions are uninstalled in Add Remove Programs.

We will try to clean this with Vundofix and see how it goes, please do not expect fast or easy. Here is some information about this junk:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn

Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

Post the Vundofix.txt and a new HJT log

Thanks

villager
2008-03-05, 17:08
Thank you for replying.

1. I installed the latest Java Runtime Environment 6 update 5

2. I downloaded and ran VundoFix.

3. HJT log and VundoFix.txt follow:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:41 AM, on 3/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Amaprt\MainSrv.exe
C:\WINNT\Explorer.EXE
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Automatic Update\AutoUpdateGUI.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\sabserv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\gqfxouwl.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\pxjnoqnt.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Sabre Server.lnk = C:\WINNT\sabserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.agentnet.com
O15 - Trusted Zone: http://webconfig.amadeus.com
O15 - Trusted Zone: http://*.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E19071CA-8BB5-4D47-8020-5B40765324EA}: NameServer = 192.168.0.1,10.255.200.89
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: AmadeusProPrinter - Amadeus - C:\Amaprt\MainSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 5185 bytes


VundoFix V7.0.0

Scan started at 10:34:01 AM 3/5/2008

Listing files found while scanning....

C:\WINNT\system32\cbxuvtt.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cbxuvtt.dll
C:\WINNT\system32\cbxuvtt.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

pskelley
2008-03-05, 19:42
I'm a little puzzled by the Vundofix report you posted. Kaspersky is showing over 30 Vundo files in the System32 folder and, unless you ran the scan or another tool before to remove something, they are not showing as being removed by this tool, which is pretty good at finding them. In fact, the one file it is showing says:
C:\WINNT\system32\cbxuvtt.dll Could not be deleted.
We have Vundo in the HJT log but I need to know what is going on. Did you remove files before? If not, you need to run the fix, perhaps a couple of times. Unless you removed them earlier, they need to be located by Vundofix and deleted.

Thanks
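The comparison being made above (what Kaspersky flagged in System32, what VundoFix actually found and failed to delete, and which of those DLLs the HJT O4 lines show being loaded through rundll32 at logon) is easy to get wrong by eye across a 30-file list. The script below is an added example by the editor, not a tool from this thread, from Atribune or from Safer Networking. It parses trimmed copies of the three logs posted in the thread (embedded here as constructed excerpts), and the function names, the System32 path it filters on, and the rule that a file VundoFix listed without a "Could not be deleted" line counts as deleted are the editor's assumptions.

```python
"""Cross-check the Kaspersky report, HJT log and VundoFix log from a Vundo cleanup.

Added example, not a tool posted in the thread. Excerpts are trimmed copies of
the logs above; names and the 'no failure line means deleted' rule are mine.
"""
import ntpath
import re

# Constructed excerpts, shortened from the logs posted in the thread.
KASPERSKY_EXCERPT = r"""
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7DWKW3JB\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-3bf15962.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\WINNT\system32\abpmxhjk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\cbxuvtt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\ddaba.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
C:\WINNT\system32\kqayoscg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\unxtquqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
"""
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
VUNDOFIX_EXCERPT = r"""
VundoFix V7.0.0
Listing files found while scanning....
C:\WINNT\system32\cbxuvtt.dll
Beginning removal...
Attempting to delete C:\WINNT\system32\cbxuvtt.dll
C:\WINNT\system32\cbxuvtt.dll Could not be deleted.
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
DLL_ARG_RE = re.compile(r'"?(?P<dll>[A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
SYSTEM32 = r"c:\winnt\system32"  # assumption: this box's system dir (XP installed into WINNT)


def kaspersky_hits(report):
    """path -> detection name for every 'Infected:' line; 'Object is locked' lines are noise."""
    hits = {}
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("name")
    return hits


def rundll32_loaders(hjt_log):
    """DLL path -> Run value name for O4 entries that load a DLL via rundll32 at logon.
    That is the persistence shape in this thread: random hex value name, random-letter DLL."""
    loaders = {}
    for line in hjt_log.splitlines():
        m = O4_RE.match(line.strip())
        if not m or "rundll32.exe" not in m.group("cmd").lower():
            continue
        d = DLL_ARG_RE.search(m.group("cmd"))
        if d:
            loaders[d.group("dll")] = m.group("key")
    return loaders


def vundofix_results(log):
    """(found, not_deleted) path sets from a VundoFix.txt."""
    found, failed = set(), set()
    for line in log.splitlines():
        line = line.strip()
        if line.endswith(" Could not be deleted."):
            failed.add(line[: -len(" Could not be deleted.")])
        elif DRIVE_RE.match(line):
            found.add(line)
    return found, failed


def triage(kaspersky, hjt, vundofix):
    """What still needs removing, what is wired into logon, what VundoFix could not delete."""
    hits = kaspersky_hits(kaspersky)
    found, failed = vundofix_results(vundofix)
    deleted = {p.lower() for p in found - failed}  # assumption: listed, no failure line => gone
    by_lower = {p.lower(): p for p in hits}
    remaining = sorted(
        p for p, name in hits.items()
        if "Virtumonde" in name and ntpath.dirname(p).lower() == SYSTEM32
        and p.lower() not in deleted
    )
    loaders = rundll32_loaders(hjt)
    return {
        "remaining": remaining,
        "loaded_at_logon": {by_lower[d.lower()]: key for d, key in loaders.items()
                            if d.lower() in by_lower},
        "delete_failed": sorted(failed),
        "other_detections": {p: n for p, n in hits.items() if "Virtumonde" not in n},
    }


def to_vft(paths):
    """One full path per line: the plain list VundoFix takes when it is dragged onto its list box."""
    return "\n".join(paths) + "\n"


if __name__ == "__main__":
    result = triage(KASPERSKY_EXCERPT, HJT_EXCERPT, VUNDOFIX_EXCERPT)
    for key, value in result.items():
        print(key, value)
    print(to_vft(result["remaining"]))
```

On the real logs, "remaining" is the list to save as the .vft file, "loaded_at_logon" gives the O4 value names to tick in HijackThis, and "other_detections" surfaces the Java cache exploit that VundoFix would never touch; "delete_failed" is the in-use DLL that explains why VundoFix had to be re-run at reboot.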

villager
2008-03-05, 20:00
I followed the instructions in Tashi's "Before you post a log" posting as follows:

1. Ran Kaspersky Online Scanner and saved the file.

2. Rebooted computer to Safe Mode, ran Spybot-S&D, checked and fixed everything found in red, rebooted back into Windows.

3. Ran HJT and saved the log

4. Posted file/log from 1 and 3 to this thread.

villager
2008-03-05, 20:04
I didn't do anything else until you told me to download and run the VundoFix program.

pskelley
2008-03-05, 20:08
OK, run it again, a couple of times if you have to. I would prefer you not have to remove 30 some files manually.

Post the report from Vundofix when you finish.

Thanks

villager
2008-03-05, 21:10
OK. I ran it twice more and it didn't find anything. Log follows:

VundoFix V7.0.0

Scan started at 10:34:01 AM 3/5/2008

Listing files found while scanning....

C:\WINNT\system32\cbxuvtt.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cbxuvtt.dll
C:\WINNT\system32\cbxuvtt.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V7.0.0

Scan started at 2:49:09 PM 3/5/2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.0

Scan started at 2:53:35 PM 3/5/2008

Listing files found while scanning....

No infected files were found.

pskelley
2008-03-05, 21:55
Please read and follow the directions carefully and in the posted order.

1) C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\ <<< clean the Java cache
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml


2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.


C:\WINNT\system32\abpmxhjk.dll
C:\WINNT\system32\aobopgfa.dll
C:\WINNT\system32\axovesks.dll
C:\WINNT\system32\bjxivhen.dll
C:\WINNT\system32\blqpfokq.dll
C:\WINNT\system32\bwnygdgs.dll
C:\WINNT\system32\bywxgjan.dll
C:\WINNT\system32\cbxuvtt.dll
C:\WINNT\system32\ddaba.dll
C:\WINNT\system32\ejkyoeip.dll
C:\WINNT\system32\fhtrpjfh.dll
C:\WINNT\system32\gnwbhssk.dll
C:\WINNT\system32\hokqktdo.dll
C:\WINNT\system32\hqxoycag.dll
C:\WINNT\system32\hstqkhee.dll
C:\WINNT\system32\ipxfwjoq.dll
C:\WINNT\system32\kqayoscg.dll
C:\WINNT\system32\lfahfptd.dll
C:\WINNT\system32\mrsbkfpe.dll
C:\WINNT\system32\oiijpupr.dll
C:\WINNT\system32\qcnjxgcu.dll
C:\WINNT\system32\qhopmtjh.dll
C:\WINNT\system32\qjidahto.dll
C:\WINNT\system32\rjwqatnc.dll
C:\WINNT\system32\sptgorkq.dll
C:\WINNT\system32\unxtquqo.dll
C:\WINNT\system32\uwjwavkp.dll
C:\WINNT\system32\woxudbby.dll
C:\WINNT\system32\ywnxjgcy.dll
C:\WINNT\system32\yysakewo.dll

Save this as vundofix.vft and Save as type "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions
starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if you set the Start Page like that you may leave it)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s

(you may leave the O15 items if you are positive they are safe)

O15 - Trusted Zone: http://*.agentnet.com
O15 - Trusted Zone: http://webconfig.amadeus.com
O15 - Trusted Zone: http://*.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

(check to be sure these are gone)

C:\WINNT\system32\kqayoscg.dll
C:\WINNT\system32\unxtquqo.dll


7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report, a new HJT log and some feedback.

Thanks

villager
2008-03-05, 23:07
Hi. I've accomplished items 1 through 4 above but need some advice with item 5:

(HijackThis system scan) The following line items are not present:

O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s

Instead ... the following exists:

O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\gydrfhlh.dll",b
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\atbrsmol.dll",s

Should I delete these?

pskelley
2008-03-05, 23:09
Yes...that is one of the curses of this infection: it can morph and change names.

Thanks
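
The renaming the helper describes above is the reason the HJT entries the user was told to fix had different DLL names by the time he looked. The script below is an added example, not part of this thread and not code from HijackThis or from anyone posting here. It parses the O2 (BHO) and O4 (Run key) lines of a HijackThis log, flags the pattern visible in this thread (rundll32 loading a system32 DLL through a one-letter export, Run value names that are bare hex, unnamed BHOs, orphaned "(file missing)" CLSIDs), and compares two logs to spot Run values whose name survived but whose DLL changed. The regexes and the 5-8 letter name heuristic are assumptions tuned to this thread's logs, not signatures; the sample input is constructed from the lines quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the HijackThis lines quoted in this thread from two
# scans, before and after the infection renamed its DLLs. Not a full HJT log.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s
"""
LOG_AFTER = r"""
O2 - BHO: {3bdbda5d-2bdd-db29-4904-3573e795b5d1} - {1d5b597e-3753-4094-92bd-ddb2d5adbdb3} - C:\WINNT\system32\qbqbyyta.dll
O2 - BHO: (no name) - {644E7D74-30D4-431A-A5EB-B678E619108F} - C:\WINNT\system32\ddaba.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\gydrfhlh.dll",b
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\atbrsmol.dll",s
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')
# rundll32 "C:\...\x.dll",b  -> the DLL path and the export it is told to call
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
# Heuristics, not signatures (assumption based on this thread's logs): the Vundo
# Run value names are 8 hex digits, optionally "BM"-prefixed, and the DLL
# basenames are 5-8 lowercase letters dropped into system32.
HEX_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')
RANDOM_SYS32_DLL_RE = re.compile(r'\\(?:WINNT|WINDOWS)\\system32\\[a-z]{5,8}\.dll', re.I)


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Pull the O2 (BHO) and O4 (Run key) lines out of an HJT log."""
    entries: List[Dict[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "raw": line, **m.groupdict()})
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({"type": "O2", "raw": line, **m.groupdict()})
    return entries


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (raw line, reasons) for each O2/O4 entry that trips a heuristic.
    Anything returned still needs a human (or a hash lookup) before removal."""
    findings = []
    for e in parse_entries(log):
        reasons = []
        if e["type"] == "O4":
            m = RUNDLL_RE.search(e["cmd"])
            if m and RANDOM_SYS32_DLL_RE.search(m["dll"]) and len(m["export"]) <= 2:
                reasons.append("rundll32 loads a system32 DLL through a one-letter export")
            if HEX_NAME_RE.match(e["name"]):
                reasons.append("Run value name is a bare hex string")
        else:
            if e["name"] == "(no name)" or GUID_RE.match(e["name"]):
                reasons.append("BHO has no readable name")
            if RANDOM_SYS32_DLL_RE.search(e["path"]):
                reasons.append("BHO DLL sits in system32 under a random-looking name")
            if e["path"].endswith("(file missing)"):
                reasons.append("BHO CLSID is orphaned: file already gone, registry entry left behind")
        if reasons:
            findings.append((e["raw"], reasons))
    return findings


def renamed_run_values(before: str, after: str) -> Dict[str, Tuple[str, str]]:
    """Run values whose name survived between two logs but whose command changed.
    This is the 'morphing' seen in the thread: same value name, new DLL."""
    def run_map(log: str) -> Dict[Tuple[str, str], str]:
        return {(e["hive"], e["name"]): e["cmd"]
                for e in parse_entries(log) if e["type"] == "O4"}
    old, new = run_map(before), run_map(after)
    return {key[1]: (old[key], new[key])
            for key in old.keys() & new.keys() if old[key] != new[key]}


if __name__ == "__main__":
    for raw, reasons in triage(LOG_AFTER):
        print(raw)
        for r in reasons:
            print("   ->", r)
    for name, (old, new) in renamed_run_values(LOG_BEFORE, LOG_AFTER).items():
        print(f"[{name}] command changed:\n   {old}\n   {new}")
```

Run it with both logs and the two hex-named Run values come back as renamed (kqayoscg.dll to gydrfhlh.dll, unxtquqo.dll to atbrsmol.dll), which is exactly why a fix list written against yesterday's log has to be re-checked against today's. The triage output is a shortlist, not a verdict: legitimate system32 DLLs can have short lowercase names, so check anything flagged against a known-good hash before deleting it.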

villager
2008-03-05, 23:52
OK. I'm now on item 6.

There were no files named kqayoscg.dll or unxtquqo.dll in C:\WINNT\system32.

There were files named gydrfhlh.dll and atbrsmol.dll. When I tried to delete them, neither one would delete because they were both in use.

I changed the property attributes of both files to "read only" and was able to delete the gydrfhlh.dll file on reboot, but the atbrsmol.dll file keeps saying "denied" when I try to delete it, and its attribute keeps changing back ... i.e. is no longer "read only" .

(I have to go out now, and will have to pick this up again in the morning. Thanks for your help so far!)

villager
2008-03-06, 16:06
Good Morning.

As I reported yesterday, I cannot delete atbrsmol.dll and I've tried several times.

New VundoFix and HJT logs follow:

VundoFix V7.0.0

Scan started at 10:34:01 AM 3/5/2008

Listing files found while scanning....

C:\WINNT\system32\cbxuvtt.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\cbxuvtt.dll
C:\WINNT\system32\cbxuvtt.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V7.0.0

Scan started at 2:49:09 PM 3/5/2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.0

Scan started at 2:53:35 PM 3/5/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\abpmxhjk.dll
C:\WINNT\system32\abpmxhjk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\aobopgfa.dll
C:\WINNT\system32\aobopgfa.dll Has been deleted!

Attempting to delete C:\WINNT\system32\axovesks.dll
C:\WINNT\system32\axovesks.dll Has been deleted!

Attempting to delete C:\WINNT\system32\bjxivhen.dll
C:\WINNT\system32\bjxivhen.dll Has been deleted!

Attempting to delete C:\WINNT\system32\blqpfokq.dll
C:\WINNT\system32\blqpfokq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\bwnygdgs.dll
C:\WINNT\system32\bwnygdgs.dll Has been deleted!

Attempting to delete C:\WINNT\system32\bywxgjan.dll
C:\WINNT\system32\bywxgjan.dll Has been deleted!

Attempting to delete C:\WINNT\system32\cbxuvtt.dll
C:\WINNT\system32\cbxuvtt.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ddaba.dll
C:\WINNT\system32\ddaba.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ejkyoeip.dll
C:\WINNT\system32\ejkyoeip.dll Has been deleted!

Attempting to delete C:\WINNT\system32\fhtrpjfh.dll
C:\WINNT\system32\fhtrpjfh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gnwbhssk.dll
C:\WINNT\system32\gnwbhssk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hokqktdo.dll
C:\WINNT\system32\hokqktdo.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hqxoycag.dll
C:\WINNT\system32\hqxoycag.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hstqkhee.dll
C:\WINNT\system32\hstqkhee.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ipxfwjoq.dll
C:\WINNT\system32\ipxfwjoq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mrsbkfpe.dll
C:\WINNT\system32\mrsbkfpe.dll Has been deleted!

Attempting to delete C:\WINNT\system32\oiijpupr.dll
C:\WINNT\system32\oiijpupr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qcnjxgcu.dll
C:\WINNT\system32\qcnjxgcu.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qhopmtjh.dll
C:\WINNT\system32\qhopmtjh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\qjidahto.dll
C:\WINNT\system32\qjidahto.dll Has been deleted!

Attempting to delete C:\WINNT\system32\rjwqatnc.dll
C:\WINNT\system32\rjwqatnc.dll Has been deleted!

Attempting to delete C:\WINNT\system32\sptgorkq.dll
C:\WINNT\system32\sptgorkq.dll Has been deleted!

Attempting to delete C:\WINNT\system32\unxtquqo.dll
C:\WINNT\system32\unxtquqo.dll Has been deleted!

Attempting to delete C:\WINNT\system32\uwjwavkp.dll
C:\WINNT\system32\uwjwavkp.dll Has been deleted!

Attempting to delete C:\WINNT\system32\woxudbby.dll
C:\WINNT\system32\woxudbby.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ywnxjgcy.dll
C:\WINNT\system32\ywnxjgcy.dll Has been deleted!

Attempting to delete C:\WINNT\system32\yysakewo.dll
C:\WINNT\system32\yysakewo.dll Has been deleted!

Performing Repairs to the registry.
Done!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:47 AM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Amaprt\MainSrv.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Automatic Update\AutoUpdateGUI.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\sabserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {3bdbda5d-2bdd-db29-4904-3573e795b5d1} - {1d5b597e-3753-4094-92bd-ddb2d5adbdb3} - C:\WINNT\system32\qbqbyyta.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {644E7D74-30D4-431A-A5EB-B678E619108F} - C:\WINNT\system32\ddaba.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\atbrsmol.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Sabre Server.lnk = C:\WINNT\sabserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.agentnet.com
O15 - Trusted Zone: http://webconfig.amadeus.com
O15 - Trusted Zone: http://*.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E19071CA-8BB5-4D47-8020-5B40765324EA}: NameServer = 192.168.0.1,10.255.200.89
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: AmadeusProPrinter - Amadeus - C:\Amaprt\MainSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 5604 bytes

pskelley
2008-03-06, 16:28
Thanks for returning your information. Keep in mind that when you say you cannot delete a Vundo file, I cannot do it for you. When you have a bad file that is running, it is often easiest to boot into Safe Mode (where it will not be running) and delete it there.
http://spyware-free.us/tutorials/safemode/

Let's try this, we are making some progress.

Open VundoFix by double-clicking on it, then point your mouse to the white box above the buttons and right-click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window.
Then click Remove Vundo.

(file/s to add)

C:\WINNT\system32\qbqbyyta.dll
C:\WINNT\system32\atbrsmol.dll

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: {3bdbda5d-2bdd-db29-4904-3573e795b5d1} - {1d5b597e-3753-4094-92bd-ddb2d5adbdb3} - C:\WINNT\system32\qbqbyyta.dll
O2 - BHO: (no name) - {644E7D74-30D4-431A-A5EB-B678E619108F} - C:\WINNT\system32\ddaba.dll (file missing)
O4 - HKLM\..\Run: Rundll32.exe "C:\WINNT\system32\atbrsmol.dll",s

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

(Check to be sure both files are gone)

C:\WINNT\system32\qbqbyyta.dll
C:\WINNT\system32\atbrsmol.dll

If you have a problem with the second one, try this:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\atbrsmol.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Post a new HJT log with your feedback.

Thanks

villager
2008-03-06, 18:22
qbqbyyta.dll and atbrsmol.dll are both gone now!

Here is the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:23 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\Amaprt\MainSrv.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\Program Files\Automatic Update\AutoUpdateGUI.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\sabserv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Sabre Server.lnk = C:\WINNT\sabserv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.agentnet.com
O15 - Trusted Zone: http://webconfig.amadeus.com
O15 - Trusted Zone: http://*.amadeuscruise.com
O15 - Trusted Zone: http://*.amadeusproweb.com
O15 - Trusted Zone: http://*.amadeusvista.com
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E19071CA-8BB5-4D47-8020-5B40765324EA}: NameServer = 192.168.0.1,10.255.200.89
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
O23 - Service: AmadeusProPrinter - Amadeus - C:\Amaprt\MainSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--
End of file - 5232 bytes

pskelley
2008-03-06, 18:31
Thanks for that feedback, how is the computer running now? You have items I don't know but they all appear to belong to AmadeusProPrinter. Remove VundoFix and the C:\Vundofix Backups\ folder and run a last Kaspersky Online Scan using these settings to be sure nothing is hiding.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. <<< no need to post a clean scan, only if you have questions.

Thanks

villager
2008-03-06, 20:37
Hi.

Yes, all the "Amadeus" items are trusted.

The final Kaspersky scan was clean, nothing was detected. The computer appears to be behaving normally again.

Thank You!

pskelley
2008-03-06, 21:34
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.