
Thread: Virtumonde and Many More

  1. #1 Junior Member (Join Date: Oct 2007, Posts: 15)

    Virtumonde and Many More

    I have been trying to follow the site, and each response seems to be custom, so I figured I would try to submit my own issue. Same thing as most people: Virtumonde seems to have infected my machine. I have tried a few things already, and installed the recommended Search and Destroy apps, and even some of the other app fixes suggested.

    Below is my HijackThis log, followed by the Kaspersky log.

    Thanks

    -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:16:58 PM, on 10/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\oracle\ora92\bin\agntsrvc.exe
    C:\WINDOWS\system32\cmd.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6061228
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\xaufrdts.dll",b
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174777112439
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
    O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
    O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
    O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 8854 bytes

    --------------------------------------------------

  2. #2 Junior Member (Join Date: Oct 2007, Posts: 15)

    Kaspersky Log

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, October 29, 2007 3:50:47 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 29/10/2007
    Kaspersky Anti-Virus database records: 448273
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 242277
    Number of viruses found: 6
    Number of infected objects: 29
    Number of suspicious objects: 2
    Duration of the scan process: 03:39:19

    Infected Object Name / Virus Name / Last Action
    C:\check_LSA7.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-1006u.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-501u.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\TmPfw_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_1221853184_18629 Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_1231355904_18771 Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{2AEBCBBA-DB93-4089-8BDA-F1E7D6B15778}.TmpSBE Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{F406C537-0155-4BC4-B4FE-9EC8A68A9906}.TmpSBE Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\Kenny\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\MSHist012007102920071030\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx Infected: Trojan-Spy.HTML.Fraud.l skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED/GET-RX-MEDS-HERE.htm Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED/GET-RX-MEDS-HERE.htm Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds-Phrmacy@blackthorntelecom.com>][Date Wed, 26 Jul 2006 15:21:29 -0800]/UNNAMED/Krtaylor_jr_MEDLINEWEBSITE.HTML Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds-Phrmacy@blackthorntelecom.com>][Date Wed, 26 Jul 2006 15:21:29 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds@everythinggreatallthetime.com>][Date Thu, 27 Jul 2006 19:28:24 -0800]/UNNAMED/Low_Cost_Generic_Meds_Go_Here.html Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds@everythinggreatallthetime.com>][Date Thu, 27 Jul 2006 19:28:24 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From "Pharmacy Here" <ter@eritgetalcal.com>][Date Wed, 26 Jul 2006 11:23:47 -0600]/UNNAMED/GET-YOUR-MEDS-HERE.htm Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From "Pharmacy Here" <ter@eritgetalcal.com>][Date Wed, 26 Jul 2006 11:23:47 -0600]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From M:e:d Source <usmail@expeediamail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/UNNAMED/UNNAMED/[From "Lauren" <krtalab@hotmail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/PLEASE_VISIT_OUR_MEDSITE_HERE.html Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From M:e:d Source <usmail@expeediamail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/UNNAMED/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From M:e:d Source <usmail@expeediamail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From DiscreteMEDS@secureshopper.ie.com][Date Thu, 27 Jul 2006 12:04:23 -0800]/UNNAMED/Discounted-Meds-CLICK-HERE.htm Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From DiscreteMEDS@secureshopper.ie.com][Date Thu, 27 Jul 2006 12:04:23 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx Infected: Trojan.JS.Redirector.b skipped
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip ZIP: infected - 25 skipped
    C:\Documents and Settings\Kenny\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Kenny\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\oracle\ora92\network\agent\blackout.q Object is locked skipped
    C:\oracle\ora92\network\agent\ereg.q Object is locked skipped
    C:\oracle\ora92\network\agent\evocc1.q Object is locked skipped
    C:\oracle\ora92\network\agent\job.q Object is locked skipped
    C:\oracle\ora92\network\agent\jstat1.q Object is locked skipped
    C:\oracle\ora92\network\agent\reco\service.vps Object is locked skipped
    C:\oracle\ora92\network\agent\user.q Object is locked skipped
    C:\oracle\ora92\network\log\agntsrvc.log Object is locked skipped
    C:\oracle\ora92\network\log\dbsnmp.log Object is locked skipped
    C:\oracle\ora92\network\log\OracleOraHome92Agent.nohup Object is locked skipped
    C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(536).trc Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL01.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL02.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL03.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CWMLITE01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\DRSYS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\EXAMPLE01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\INDX01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\ODM01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\REDO03.LOG Object is locked skipped
    C:\oracle\oradata\LOCAL\SYSTEM01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\TEMP01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\TOOLS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\UNDOTBS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\USERS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\XDB01.DBF Object is locked skipped
    C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
    C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\drvhag.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\simcard1.dll.vir Infected: Trojan-Spy.Win32.Banker.fke skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP221\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ABA8082A-7445-45EF-89CB-FAF44313EF1F}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{1BE3F6D6-1591-44F6-8BD5-86A28B8AB859}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  3. #3 pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Thanks for following the instructions and posting the correct information. It looks like a hidden Vundo infection and more, as you said. If you still want help I will do what I can, but it will not be easy; this infection can be hard to remove.

    See this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\jre1.5.0_06\ <<< out of date and likely the reason you are infected, at least with Vundo. Download the newest version and uninstall all old versions in Add/Remove Programs.

    C:\WINDOWS\system32\xaufrdts.dll <<< that O4 item is a clue Vundo is hidden, return here:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it krtaylorjr.exe or whatever you wish. The next log should show the infection after a restart.

    You have problems with how your email is being handled in Outlook Express and infected email is being accepted and stored.

    Start here in the Kaspersky scan:
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Fraud.l skipped

    and look a long way down: you can see nothing but infected email. You need to navigate to those folders and delete all of that stuff.
    I have not used OE email for many years so I am guessing you need to delete all email in the folder in red:
    C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\ <<< and that is just a guess. My suggestion is you delete all email you are storing in OE anywhere.

    Please work on that so when you run a new Kaspersky scan we will not have to look at infected email again.

    Follow the above instructions, keep the computer offline except when you are troubleshooting until we have it clean, and post a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
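    As an added example (not code from this thread or from HijackThis), the Python triage script below applies the two log clues pskelley points at in the reply above: an O4 Run entry that uses rundll32.exe to load a randomly named DLL from system32 under a hex-looking value name, and O23 service entries whose binary is reported missing. The sample lines are constructed from entries in the log above, and the scoring heuristic and threshold are my own assumptions, not HijackThis's.

```python
"""Triage helper for HijackThis 2.x log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in HijackThis 2.0.2 format, taken from entries in the thread's log.
# The xaufrdts.dll line is the one the helper flagged; the NvCplDaemon line is a
# legitimate rundll32 use and must NOT be flagged.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\xaufrdts.dll",b',
    r"O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)",
    r"O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe",
]

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32[.exe] <dll path>[,<entry point>], with the path optionally quoted
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<entry>\S*))?', re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)      # value name like "14d9e7d3"
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")        # file name like "xaufrdts.dll"


@dataclass
class Finding:
    line: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_run_entry(line: str) -> Optional[Finding]:
    """Score one O4 Run line; returns None when it is not a rundll32-based loader."""
    m = O4_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.search(m.group("cmd"))
    if not r:
        return None
    name, dll, entry = m.group("name"), r.group("dll"), r.group("entry") or ""
    dll_base = dll.replace("/", "\\").rsplit("\\", 1)[-1]
    f = Finding(line=line, score=0)
    if "\\system32\\" in dll.lower():
        f.score += 1
        f.reasons.append("DLL lives in system32 (where the infection dropped its file)")
    if HEX_NAME_RE.match(name):
        f.score += 2
        f.reasons.append("Run value name is 8 hex digits, not a product name")
    if RANDOM_DLL_RE.match(dll_base):
        f.score += 1
        f.reasons.append("DLL name is 8 random lowercase letters")
    if len(entry) == 1:
        f.score += 1
        f.reasons.append("single-letter export invoked via rundll32")
    return f


def suspicious_run_entries(lines: List[str], threshold: int = 3) -> List[Finding]:
    """Return O4 loaders whose heuristic score reaches the (assumed) threshold."""
    out = []
    for line in lines:
        f = score_run_entry(line.rstrip("\r\n"))
        if f and f.score >= threshold:
            out.append(f)
    return out


def missing_service_binaries(lines: List[str]) -> List[Tuple[str, str]]:
    """O23 services whose binary HijackThis reports as missing, as (name, path).

    Often these are leftovers of uninstalled software (the Oracle entries in the
    thread), but "C:\\Program.exe" is the typical trace of an unquoted
    "C:\\Program Files\\..." service path and is worth a look either way.
    """
    out = []
    for line in lines:
        m = O23_RE.match(line.rstrip("\r\n"))
        if m and m.group("path").endswith("(file missing)"):
            out.append((m.group("name"), m.group("path")[: -len(" (file missing)")]))
    return out


if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_LOG):
        print(f"[score {f.score}] {f.line}\n    " + "; ".join(f.reasons))
    for name, path in missing_service_binaries(SAMPLE_LOG):
        print(f"[service binary missing] {name}: {path}")
```

    Note that renaming HijackThis.exe, as advised above, is still needed to get such entries into the log at all when the infection hides from the scanner by process name; this script only triages what the log already shows.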

  4. #4 pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    No response in over a week, this topic is closed.

    If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

    Anyone else with similar problems please start a new topic.

    Thanks

  5. #5 Junior Member (Join Date: Oct 2007, Posts: 15)

    Update

    I was able to remove my old JRE and install the latest JRE, version 6 release 3.

    I then renamed HijackThis.exe to krtaylorjr.exe and restarted the computer.

    I deleted the old emails out of the folder as suggested.

    I then ran the Kaspersky scan and the results are listed below.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, November 12, 2007 12:59:23 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 12/11/2007
    Kaspersky Anti-Virus database records: 456891
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 246672
    Number of viruses found: 10
    Number of infected objects: 28
    Number of suspicious objects: 2
    Duration of the scan process: 03:41:54

    Infected Object Name / Virus Name / Last Action
    C:\check_LSA7.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-1006u.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-501u.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\TmPfw_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_196608_20649 Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_262144_20652 Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{8B117EB9-88CF-442A-9E4B-AEF31700D2D5}.TmpSBE Object is locked skipped
    C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{A864603E-A4B1-41B8-987F-2868DAFB270F}.TmpSBE Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\Kenny\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\MSHist012007111220071113\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\B9ZNI49O\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kenny\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Kenny\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\oracle\ora92\network\agent\blackout.q Object is locked skipped
    C:\oracle\ora92\network\agent\ereg.q Object is locked skipped
    C:\oracle\ora92\network\agent\evocc1.q Object is locked skipped
    C:\oracle\ora92\network\agent\job.q Object is locked skipped
    C:\oracle\ora92\network\agent\jstat1.q Object is locked skipped
    C:\oracle\ora92\network\agent\reco\service.vps Object is locked skipped
    C:\oracle\ora92\network\agent\user.q Object is locked skipped
    C:\oracle\ora92\network\log\agntsrvc.log Object is locked skipped
    C:\oracle\ora92\network\log\dbsnmp.log Object is locked skipped
    C:\oracle\ora92\network\log\OracleOraHome92Agent.nohup Object is locked skipped
    C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(512).trc Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL01.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL02.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CONTROL03.CTL Object is locked skipped
    C:\oracle\oradata\LOCAL\CWMLITE01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\DRSYS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\EXAMPLE01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\INDX01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\ODM01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\REDO01.LOG Object is locked skipped
    C:\oracle\oradata\LOCAL\SYSTEM01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\TEMP01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\TOOLS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\UNDOTBS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\USERS01.DBF Object is locked skipped
    C:\oracle\oradata\LOCAL\XDB01.DBF Object is locked skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\11.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\12.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1C.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1D.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1F.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\46.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\57.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\6C7.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\7.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F.tmp Infected: Trojan.Win32.Agent.bck skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0BC.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C6.tmp Infected: Trojan.Win32.Dialer.qn skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp/xpdx.sys Infected: Trojan-Clicker.Win32.Costrat.bu skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp ZIP: infected - 1 skipped
    C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp CryptFF.b: infected - 1 skipped
    C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\drvhag.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\A0042399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP235\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2C3B487D-594B-45F7-A0DC-2E3B1854F029}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{966DB568-0DD1-4D52-AECA-E863FF698C53}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\ivfnhwig.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\kraouahg.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\lquvecnh.dll Infected: Trojan.Win32.BHO.rf skipped
    C:\WINDOWS\system32\pqyghxsh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\pwhqihsr.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\rqrqrrp.dll Infected: Trojan-Downloader.Win32.Small.gnc skipped
    C:\WINDOWS\system32\uwxprpbt.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\ylfrajpa.exe Infected: Trojan.Win32.Obfuscated.kp skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  6. #6
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    I apologize, I am not sure what happened here; I am helping a bunch of folks. It looks like you did not respond for around ten days and I closed the topic, then reopened it. I am supposed to be notified when you post and this did not happen. I always respond within 24 hours of a post, so if it happens again, please PM me and make me aware.
    http://forums.spybot.info/member.php...poster&t=20118

    Please read the instructions in my post #3, let me know about anything there you could not complete and why.
    I will not need another Kaspersky scan until I request it. What I need now is a new HJT log with the executable renamed as in the instructions. Include any malware symptoms you are experiencing and any error messages you receive "word for word".

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    Junior Member
    Join Date
    Oct 2007
    Posts
    15

    Default

    duplicate posts
    Last edited by pskelley; 2007-11-18 at 15:30. Reason: duplicate posts

  8. #8
    Junior Member
    Join Date
    Oct 2007
    Posts
    15

    Default Update

    duplicate posts
    Last edited by pskelley; 2007-11-18 at 15:31. Reason: duplicate posts

  9. #9
    Junior Member
    Join Date
    Oct 2007
    Posts
    15

    Default Update

    Sorry that I mis-read your response. Below is a piece-by-piece...


    - Read the BEFORE YOU POST successfully
    - Removed old JRE versions successfully
    - Updated the JRE successfully
    - Renamed HijackThis.exe to krtaylorjr.exe
    - Executed this morning and the log will be posted below
    - Deleted email in question
    - Ran the Kaspersky scan again posted the log above.
    - Computer is offline except to post and read this forum

    - In addition, the current errors I am receiving include: every time I open a browser, a secondary browser opens with a random site; the location rotates, and the latest is

    http://www.cyber-defender.com/EDC/la...833&int_page=1

    It is also keeping me from posting on this site; it is hanging and will not submit. If you are reading this, then I would say it worked once.


    Below is the log from the renamed hijackthis.exe run:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:06:33 AM, on 11/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\pgcogfmr.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\oracle\ora92\bin\omtsreco.exe
    C:\oracle\ora92\bin\agntsrvc.exe
    c:\oracle\ora92\bin\ORACLE.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\oracle\ora92\bin\dbsnmp.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\WINDOWS\system32\CTXFIHLP.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\krtaylorjr.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=6061228
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\awtqoon.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\diwrvkhp.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {D5A908DF-A0D4-42E1-B076-3ACDF223855E} - C:\WINDOWS\system32\ddccc.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\hvfgdefy.dll",b
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174777112439
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O20 - Winlogon Notify: awtqoon - C:\WINDOWS\SYSTEM32\awtqoon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\pgcogfmr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
    O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
    O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
    O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    --
    End of file - 10212 bytes
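Added example, not a tool from this thread, from Trend Micro or from the Spybot forum: a small rule-based triage pass over HijackThis v2 entries like the ones in the log above, flagging by rule the things a helper flags by eye (nameless or orphaned O2 BHOs, an O4 rundll32 autorun of a random-looking system32 DLL, O20 Winlogon Notify handlers, vendor-less O23 services in system32). The sample lines are copied from the posted log; the `random_looking` heuristic and the hex-key rule are assumptions of this example, not vendor signatures.

```python
"""Rule-based triage of HijackThis v2 log entries (added example; not a tool
from this thread, from Trend Micro or from the Spybot forum).

The rules encode what the helper checks by eye in the log above: nameless or
orphaned BHOs, rundll32 autoruns of a random-looking system32 DLL, Winlogon
Notify handlers, and vendor-less services running from system32.
"""
import re

# Constructed sample: a subset of the O2/O4/O20/O23 lines posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\awtqoon.dll
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\diwrvkhp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\hvfgdefy.dll",b
O20 - Winlogon Notify: awtqoon - C:\WINDOWS\SYSTEM32\awtqoon.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\pgcogfmr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"^(?P<sect>[RO]\d+)\s+-\s+(?P<rest>.*)$")
# First Windows path on the line that ends in a binary extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)
# O23 layout is "Service: <name> - <owner> - <path>"; owner may be empty ("- -").
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) -\s?(?P<owner>.*?)\s?- (?P<path>[A-Za-z]:.*)$")


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def random_looking(filename: str) -> bool:
    """Crude heuristic (an assumption of this example, not a vendor rule) for the
    generated names in this log (awtqoon, hvfgdefy, pgcogfmr): 5-9 lowercase
    letters, no digits, a run of three consonants. It has false positives on its
    own, so it is only applied where the entry's position already warrants a look."""
    stem = filename.rsplit(".", 1)[0]
    return bool(re.fullmatch(r"[a-z]{5,9}", stem)) and bool(re.search(r"[^aeiou]{3}", stem))


def triage_line(line: str):
    """Return a short reason if the entry deserves a human look, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sect, rest = m.group("sect"), m.group("rest")
    pm = PATH_RE.search(rest)
    path = pm.group(0) if pm else ""
    fname = path.rsplit("\\", 1)[-1]
    if sect == "O2":
        if rest.startswith("BHO: (no name)"):
            return "nameless BHO"
        if "(file missing)" in rest:
            return "BHO registered but its DLL is missing"
        if in_system32(path) and random_looking(fname):
            return "BHO loads a random-looking system32 DLL"
    elif sect == "O4":
        key = re.search(r"\[([^\]]*)\]", rest)
        if key and re.fullmatch(r"[0-9a-f]{6,}", key.group(1)):
            return "Run value named with a hex string"
        if "rundll32" in rest.lower() and in_system32(path) and random_looking(fname):
            return "rundll32 autorun of a random-looking system32 DLL"
    elif sect == "O20":
        return "Winlogon Notify handler: loaded into winlogon.exe at logon"
    elif sect == "O23":
        sm = SERVICE_RE.match(rest)
        if sm and sm.group("owner") in ("", "Unknown owner") and in_system32(sm.group("path")):
            return "service with no vendor running from system32"
    return None


def triage(log_text: str):
    """Run triage_line over a whole log; returns [(section, reason, line), ...]."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            hits.append((line.split(" ", 1)[0], reason, line))
    return hits


def flagged_files(hits) -> set:
    """Distinct binaries among the hits, for cross-checking against the
    'Infected:' lines of a Kaspersky report such as the one posted above."""
    names = set()
    for _, _, line in hits:
        pm = PATH_RE.search(line)
        if pm:
            names.add(pm.group(0).rsplit("\\", 1)[-1].lower())
    return names
```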

  10. #10
    Junior Member
    Join Date
    Oct 2007
    Posts
    15

    Default Sorry for the Duplicates

    I was trying to submit, and the computer is having a hard time with IE. As I stated above, additional windows to random sites are opening, and when I was pressing the submission button it would hold for a few minutes and give me a page not found error. Sorry. I am on another computer now reading the post.
