Virtumonde, Smitfraud and others



Blue Dingo
2008-04-19, 09:00
Here's hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:50 PM, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\ipalupwv\ybofirsb.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\WINDOWS\system32\mjmhwnyl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\issdm_en_32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by114w.bay114.mail.live.com/mail/mail.aspx?wa=wsignin1.0&n=1684633012
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56497383-C40D-4A06-B121-6D78C9E6B794} - C:\WINDOWS\system32\vtUkkKax.dll (file missing)
O2 - BHO: (no name) - {6167F05F-7358-4038-B2E0-C9057D3F84B4} - C:\WINDOWS\system32\efcDSLEX.dll (file missing)
O2 - BHO: (no name) - {6F81E2E3-0150-48F6-BD79-6BD13F766470} - (no file)
O2 - BHO: (no name) - {799606CF-5AE3-4123-9853-91009A98CB4C} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bca05c3c] rundll32.exe "C:\WINDOWS\system32\acvvnddf.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [ujtkldpq] C:\WINDOWS\system32\mjmhwnyl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [oscfkvjn] C:\WINDOWS\system32\jubsnync.exe
O4 - HKCU\..\Run: [yxxcnbil] C:\WINDOWS\system32\zkbgjaza.exe
O4 - HKLM\..\Policies\Explorer\Run: [yBpTtlvsrB] C:\Documents and Settings\All Users\Application Data\ipalupwv\ybofirsb.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191125924015
O17 - HKLM\System\CCS\Services\Tcpip\..\{D346D5B3-1548-49D7-BF8F-D4B6A6346DCB}: Domain = nsw.bigpond.net.au
O20 - Winlogon Notify: cusnfmha - cusnfmha.dll (file missing)
O20 - Winlogon Notify: __c0021B17 - C:\WINDOWS\SYSTEM32\__c0021B17.dat
O20 - Winlogon Notify: __c00C7E60 - C:\WINDOWS\SYSTEM32\__c00C7E60.dat
O21 - SSODL: PrxWin - {26ea985b-d2cc-48a5-9b7b-c16c4780cebc} - C:\WINDOWS\Installer\{26ea985b-d2cc-48a5-9b7b-c16c4780cebc}\PrxWin.dll
O21 - SSODL: zip - {a660e299-e513-4efa-9238-d99d1a271a53} - C:\WINDOWS\Installer\{a660e299-e513-4efa-9238-d99d1a271a53}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9371 bytes


I'll post Kaspersky as soon as it's finished.

Blue Dingo
2008-04-19, 09:44
Here's kaspersky:

Saturday, April 19, 2008 5:43:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/04/2008
Kaspersky Anti-Virus database records: 715057


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\Documents and Settings\
C:\Intel\
C:\Program Files\ABBYY FineReader 5.0 Sprint\
C:\Program Files\ABBYY FineReader 6.0\
C:\Program Files\Adobe\
C:\Program Files\ASUS\
C:\Program Files\CCleaner\
C:\Program Files\Common Files\
C:\Program Files\ComPlus Applications\
C:\Program Files\CyberLink\
C:\Program Files\FaxTools\
C:\Program Files\Grisoft\
C:\Program Files\InstallShield Installation Information\
C:\Program Files\Intel\
C:\Program Files\Internet Explorer\
C:\Program Files\Lavasoft\
C:\Program Files\Lexmark X1100 Series\
C:\Program Files\Messenger\
C:\Program Files\Microsoft ActiveSync\
C:\Program Files\microsoft frontpage\
C:\Program Files\Microsoft Office\
C:\Program Files\Microsoft Silverlight\
C:\Program Files\Microsoft Windows Vista Upgrade Advisor\
C:\Program Files\Microsoft.NET\
C:\Program Files\Movie Maker\
C:\Program Files\Mozilla Firefox\
C:\Program Files\MSBuild\
C:\Program Files\MSN\
C:\Program Files\MSN Gaming Zone\
C:\Program Files\MSXML 4.0\
C:\Program Files\MSXML 6.0\
C:\Program Files\My Company Name\
C:\Program Files\Nero\
C:\Program Files\NetMeeting\
C:\Program Files\Online Services\
C:\Program Files\Outlook Express\
C:\Program Files\PC-Cleaner\
C:\Program Files\Realtek\
C:\Program Files\Reference Assemblies\
C:\Program Files\Spybot - Search & Destroy\
C:\Program Files\Telstra\
C:\Program Files\Uninstall Information\
C:\Program Files\Windows Media Connect 2\
C:\Program Files\Windows Media Player\
C:\Program Files\Windows NT\
C:\Program Files\WindowsUpdate\
C:\Program Files\xerox\
C:\RECYCLER\
C:\System Volume Information\
C:\VundoFix Backups\
C:\WINDOWS\
D:\

Scan Statistics
Total number of scanned objects 33690
Number of viruses found 23
Number of infected objects 45
Number of suspicious objects 0
Duration of the scan process 00:37:16

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\cert8.db Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\formhistory.dat Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\history.dat Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\key3.db Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\parent.lock Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\ic8lsc5z.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\fla3C3.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\nsh1E.tmp\Install.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped

C:\Documents and Settings\Owner\Local Settings\Temp\nsq22.tmp\Install.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped

C:\Documents and Settings\Owner\Local Settings\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\My Documents\issdm_en_32.exe Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\RECYCLER\S-1-5-21-1801674531-842925246-682003330-1003\Dc1.htm Infected: not-virus:Hoax.HTML.Secureinvites.c skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014920.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014921.dll Infected: not-a-virus:AdTool.Win32.Zango.u skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014923.exe Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014924.dll Infected: not-a-virus:AdWare.Win32.HotBar.ch skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014927.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bl skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014929.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014933.exe Infected: not-a-virus:AdWare.Win32.180Solutions.bp skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014934.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014934.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014934.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP44\A0014936.dll Infected: not-a-virus:AdTool.Win32.Zango.u skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0014998.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0014999.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017677.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017678.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017679.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017680.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017681.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017682.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017683.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017684.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017685.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017688.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mxi skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017689.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017690.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017772.dll Infected: not-a-virus:FraudTool.Win32.UltimateDefender.fi skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017773.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.fb skipped

C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\dwltqnmx.exe Infected: not-a-virus:AdWare.Win32.Vapsup.djd skipped

C:\WINDOWS\fkdnrwsv.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dli skipped

C:\WINDOWS\Installer\{26ea985b-d2cc-48a5-9b7b-c16c4780cebc}\PrxWin.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped

C:\WINDOWS\Installer\{a660e299-e513-4efa-9238-d99d1a271a53}\zip.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\stfngdvw.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dlh skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\svpekgonmgx.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dlg skipped

C:\WINDOWS\sxfnewqb.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dlj skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\ccxyrgbq.dll Infected: Trojan.Win32.KillAV.rf skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\iifedBur.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped

C:\WINDOWS\system32\jubsnync.exe Infected: Trojan-Downloader.Win32.Obfuscated.re skipped

C:\WINDOWS\system32\unnihlfd.dll Infected: Trojan.Win32.KillAV.rf skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\__c0021B17.dat Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\system32\__c0056B5A.dat Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\system32\__c00C768C.dat Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\system32\__c00C7E60.dat Infected: Packed.Win32.Monder.gen skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped
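The two logs above are what a helper reads by hand: the HijackThis entries point at autostart locations, and the Kaspersky report says which of the files behind them are detected. As an added example, not part of this thread and not code from HijackThis or Kaspersky, the following Python script parses a few lines copied from both logs, applies the triage checks a helper applies by eye (orphaned entries marked "(file missing)" or "(no file)", eight-character lowercase or hex Run value names, rundll32 loading a DLL by a one-letter export, Winlogon Notify handlers that are not DLLs, autostarts under Policies\Explorer\Run), summarises the Kaspersky verdicts by family and separates live files from System Restore copies, and cross-references the two logs by path. The heuristics are assumptions tuned to this particular log, not a signature set, and the sample lines are a constructed subset of the posted logs.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {56497383-C40D-4A06-B121-6D78C9E6B794} - C:\WINDOWS\system32\vtUkkKax.dll (file missing)
O2 - BHO: (no name) - {6F81E2E3-0150-48F6-BD79-6BD13F766470} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [bca05c3c] rundll32.exe "C:\WINDOWS\system32\acvvnddf.dll",b
O4 - HKCU\..\Run: [oscfkvjn] C:\WINDOWS\system32\jubsnync.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [yBpTtlvsrB] C:\Documents and Settings\All Users\Application Data\ipalupwv\ybofirsb.exe
O20 - Winlogon Notify: __c0021B17 - C:\WINDOWS\SYSTEM32\__c0021B17.dat
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: lines copied from the Kaspersky Online Scanner report above.
KAV_SAMPLE = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\jubsnync.exe Infected: Trojan-Downloader.Win32.Obfuscated.re skipped
C:\WINDOWS\system32\__c0021B17.dat Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\__c0056B5A.dat Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\Installer\{26ea985b-d2cc-48a5-9b7b-c16c4780cebc}\PrxWin.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017677.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{CD75E2E1-BC80-4A46-9F70-44570E10F7CA}\RP45\A0017772.dll Infected: not-a-virus:FraudTool.Win32.UltimateDefender.fi skipped
"""

HJT_LINE = re.compile(r"^(O\d+|R\d+) - (.*)$")
O4_LINE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|dat)\b', re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$")          # heuristic: ujtkldpq, bca05c3c, ...
KAV_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")


def parse_hjt(text):
    """Split HijackThis O/R lines into section, body and the first on-disk path, if any."""
    entries = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        p = PATH_RE.search(m.group(2))
        entries.append({"section": m.group(1), "body": m.group(2),
                        "path": p.group(0) if p else None, "raw": line})
    return entries


def triage_hjt(text):
    """Apply the hand-triage checks to each entry; returns (reason, line) pairs."""
    findings = []
    for e in parse_hjt(text):
        raw, sec, body = e["raw"], e["section"], e["body"]
        if "(file missing)" in body or "(no file)" in body:
            findings.append(("orphaned entry (target no longer on disk)", raw))
        if sec == "O4" and (m := O4_LINE.match(body)):
            key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
            if RANDOM_NAME.match(name):
                findings.append(("random-looking Run value name", raw))
            if "policies\\explorer\\run" in key.lower():
                findings.append(("autostart via Policies\\Explorer\\Run", raw))
            if cmd.lower().startswith("rundll32") and re.search(r'\.dll"?,[a-z]$', cmd, re.I):
                findings.append(("rundll32 loading a DLL by a one-letter export", raw))
        if sec == "O20" and e["path"] and not e["path"].lower().endswith(".dll"):
            findings.append(("Winlogon Notify handler that is not a .dll", raw))
    return findings


def parse_kav(text):
    """Keep only 'Infected:' rows; 'Object is locked' rows carry no verdict."""
    return [(m.group("path"), m.group("verdict"), m.group("action"))
            for m in map(KAV_LINE.match, text.strip().splitlines()) if m]


def summarize_kav(detections):
    """Count verdict families, live files separately from System Restore copies."""
    live, restore = Counter(), Counter()
    for path, verdict, _ in detections:
        family = re.sub(r"^not-a-virus:", "", verdict).rsplit(".", 1)[0]
        bucket = restore if "\\system volume information\\" in path.lower() else live
        bucket[family] += 1
    return live, restore


def correlate(hjt_text, kav_text):
    """HijackThis lines whose target file Kaspersky reported as infected."""
    infected = {p.lower() for p, _, _ in parse_kav(kav_text)}
    return [e["raw"] for e in parse_hjt(hjt_text)
            if e["path"] and e["path"].lower() in infected]


if __name__ == "__main__":
    for reason, line in triage_hjt(HJT_SAMPLE):
        print(f"[{reason}] {line}")
    live, restore = summarize_kav(parse_kav(KAV_SAMPLE))
    print("live:", dict(live), "\nrestore points:", dict(restore))
    print("confirmed by scanner:", *correlate(HJT_SAMPLE, KAV_SAMPLE), sep="\n  ")
```

Running it on the full logs rather than the sample gives the same picture the helper acted on: the Run values with random names, the `__c00*.dat` Winlogon Notify handlers and the Policies\Explorer\Run autostart are the live Vundo/Monder pieces, while most of the Kaspersky hits sit in `System Volume Information` restore points and only matter once System Restore is flushed. The name heuristic is deliberately narrow (exactly eight lowercase letters or digits) so legitimate vendor entries such as RTHDCPL or NvCplDaemon do not trip it; broaden it only with the false-positive cost in mind.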

Blade81
2008-04-19, 20:31
Hi


1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Blade81
2008-04-27, 00:06
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.