
Thread: Virtumonde and Trojans

  1. #1
    Junior Member
    Join Date
    May 2007
    Location
    New York City
    Posts
    23

    Virtumonde and Trojans

    Have been infected for over a week. Tons of "you need to clean your PC" popups, and avast antivirus discovers trojans daily. Appreciate some assistance. HijackThis and Kaspersky logs follow:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:07:20 PM, on 3/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\Rundll32.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Amaprt\MainSrv.exe
    C:\Amaprt\AmaPrt.exe
    C:\Amaprt\ComAdapt.exe
    C:\WINNT\sabserv.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b
    O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Sabre Server.lnk = C:\WINNT\sabserv.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.agentnet.com
    O15 - Trusted Zone: http://webconfig.amadeus.com
    O15 - Trusted Zone: http://*.amadeuscruise.com
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
    O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
    O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpd...oUpdateATL.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E19071CA-8BB5-4D47-8020-5B40765324EA}: NameServer = 192.168.0.1,10.255.200.89
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
    O23 - Service: AmadeusProPrinter - Amadeus - C:\Amaprt\MainSrv.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    --
    End of file - 4973 bytes

  2. #2
    Junior Member
    Join Date
    May 2007
    Location
    New York City
    Posts
    23


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, March 03, 2008 10:57:33 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 3/03/2008
    Kaspersky Anti-Virus database records: 594132
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 51698
    Number of viruses found: 3
    Number of infected objects: 36
    Number of suspicious objects: 0
    Duration of the scan process: 01:10:06

    Infected Object Name / Virus Name / Last Action
    C:\csapi.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-3bf15962.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-550b5a0-3bf15962.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008030320080304\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\~DFA3FB.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7DWKW3JB\cmp638[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7DWKW3JB\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VZ1QEMB7\tr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPKB2HKP\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\WINNT\$NtUninstallKB824141$\user32.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB824141$\win32k.sys Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\html32.cnv Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\itss.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\locator.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\magnify.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\narrator.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\newdev.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\osk.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\shell32.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\srv.sys Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\colbact.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\comuid.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\es.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\ole32.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB828741$\txflog.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\callcont.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\h323.tsp Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\msgina.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\mst120.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB835732$\schannel.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\dao360.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB839645$\shell32.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB839645$\sxs.dll Object is locked skipped
    C:\WINNT\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
    C:\WINNT\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
    C:\WINNT\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\system32\abpmxhjk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\aobopgfa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\axovesks.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\bjxivhen.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\blqpfokq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\bwnygdgs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\bywxgjan.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINNT\system32\cbxuvtt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\DEFAULT Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\SOFTWARE Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SYSTEM Object is locked skipped
    C:\WINNT\system32\config\system.LOG Object is locked skipped
    C:\WINNT\system32\ddaba.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.imh skipped
    C:\WINNT\system32\ejkyoeip.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\fhtrpjfh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\gnwbhssk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\h323log.txt Object is locked skipped
    C:\WINNT\system32\hokqktdo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\hqxoycag.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\hstqkhee.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\ipxfwjoq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\kqayoscg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\lfahfptd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\mrsbkfpe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\oiijpupr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\qcnjxgcu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\qhopmtjh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\qjidahto.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\rjwqatnc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\sptgorkq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\unxtquqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\uwjwavkp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINNT\system32\woxudbby.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\ywnxjgcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\system32\yysakewo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINNT\Temp\Cookies\index.dat Object is locked skipped
    C:\WINNT\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\WINNT\Temp\Perflib_Perfdata_5ac.dat Object is locked skipped
    C:\WINNT\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINNT\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  3. #3
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
    This is another Vundo infection, and while it is surely not difficult to get this infection, I want to be sure you followed the advice Shaba posted for you when he cleaned you last.
    http://forums.spybot.info/showthread.php?t=13810 <<< 2007-05-22

    See this: http://forums.spybot.info/showpost.p...80&postcount=2
    Make sure you have the newest version of Java and that any old versions are uninstalled in Add Remove Programs.

    We will try to clean this with Vundofix and see how it goes, please do not expect fast or easy. Here is some information about this junk:
    Since there is a class action involving this one, you may want to view this information:
    http://www.networkworld.com/news/200...-unravels.html
    http://www.youtube.com/watch?v=zBUZHiKhsog
    http://msmvps.com/blogs/spywaresucks...q=winfixer+msn

    Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

    Post the Vundofix.txt and a new HJT log

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #4
    Junior Member
    Join Date
    May 2007
    Location
    New York City
    Posts
    23


    Thank you for replying.

    1. I installed the latest Java Runtime Environment 6 update 5

    2. I downloaded and ran VundoFix.

    3. HJT log and VundoFix.txt follow:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:41 AM, on 3/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Automatic Update\AutoUpdate.exe
    C:\Amaprt\MainSrv.exe
    C:\WINNT\Explorer.EXE
    C:\Amaprt\AmaPrt.exe
    C:\Amaprt\ComAdapt.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Automatic Update\AutoUpdateGUI.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\igfxtray.exe
    C:\WINNT\System32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\Rundll32.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\sabserv.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\gqfxouwl.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\pxjnoqnt.dll",s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Sabre Server.lnk = C:\WINNT\sabserv.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.agentnet.com
    O15 - Trusted Zone: http://webconfig.amadeus.com
    O15 - Trusted Zone: http://*.amadeuscruise.com
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
    O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
    O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)
    O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://amadeusvista.com/AutomaticUpd...oUpdateATL.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E19071CA-8BB5-4D47-8020-5B40765324EA}: NameServer = 192.168.0.1,10.255.200.89
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Amadeus Automatic Update - Amadeus - C:\Program Files\Automatic Update\AutoUpdate.exe
    O23 - Service: AmadeusProPrinter - Amadeus - C:\Amaprt\MainSrv.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

    --
    End of file - 5185 bytes


    VundoFix V7.0.0

    Scan started at 10:34:01 AM 3/5/2008

    Listing files found while scanning....

    C:\WINNT\system32\cbxuvtt.dll

    Beginning removal...

    Attempting to delete C:\WINNT\system32\cbxuvtt.dll
    C:\WINNT\system32\cbxuvtt.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Performing Repairs to the registry.
    Done!

  5. #5
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    I'm a little puzzled by the Vundofix report you posted. Kaspersky is showing over 30 Vundo files in the System32 folder, and unless you ran the scan or another tool before to remove something, they are not showing as being removed by this tool, which is pretty good at finding them. In fact, the one file it is showing says:
    C:\WINNT\system32\cbxuvtt.dll Could not be deleted.
    We have Vundo in the HJT log but I need to know what is going on. Did you remove files before? If not, you need to run the fix, perhaps a couple of times. Unless you removed them earlier, they need to be located by Vundofix and deleted.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    May 2007
    Location
    New York City
    Posts
    23

    Default

    I followed the instructions in Tashi's "Before you post a log" posting as follows:

    1. Ran Kaspersky Online Scanner and saved the file.

    2. Rebooted computer to Safe Mode, ran Spybot-S&D, checked and fixed everything found in red, rebooted back into Windows.

    3. Ran HJT and saved the log

    4. Posted file/log from 1 and 3 to this thread.

  7. #7
    Junior Member
    Join Date
    May 2007
    Location
    New York City
    Posts
    23

    Default

    I didn't do anything else until you told me to download and run the VundoFix program.

  8. #8
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    OK, run it again, a couple of times if you have to. I would prefer you not have to remove 30 some files manually.

    Post the report from Vundofix when you finish.

    Thanks
    Last edited by pskelley; 2008-03-05 at 20:10. Reason: add information

  9. #9
    Junior Member
    Join Date
    May 2007
    Location
    New York City
    Posts
    23

    Default

    OK. I ran it twice more and it didn't find anything. Log follows:

    VundoFix V7.0.0

    Scan started at 10:34:01 AM 3/5/2008

    Listing files found while scanning....

    C:\WINNT\system32\cbxuvtt.dll

    Beginning removal...

    Attempting to delete C:\WINNT\system32\cbxuvtt.dll
    C:\WINNT\system32\cbxuvtt.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    VundoFix V7.0.0

    Scan started at 2:49:09 PM 3/5/2008

    Listing files found while scanning....

    No infected files were found.


    VundoFix V7.0.0

    Scan started at 2:53:35 PM 3/5/2008

    Listing files found while scanning....

    No infected files were found.

  10. #10
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Please read and follow the directions carefully and in the posted order.

    1) C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\ <<< clean the Java cache
    http://support.f-secure.com/enu/home...avacache.shtml


    2) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    3) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    4) Open a new notepad window
    Paste the list of files from the quote box below into the notepad window.

    C:\WINNT\system32\abpmxhjk.dll
    C:\WINNT\system32\aobopgfa.dll
    C:\WINNT\system32\axovesks.dll
    C:\WINNT\system32\bjxivhen.dll
    C:\WINNT\system32\blqpfokq.dll
    C:\WINNT\system32\bwnygdgs.dll
    C:\WINNT\system32\bywxgjan.dll
    C:\WINNT\system32\cbxuvtt.dll
    C:\WINNT\system32\ddaba.dll
    C:\WINNT\system32\ejkyoeip.dll
    C:\WINNT\system32\fhtrpjfh.dll
    C:\WINNT\system32\gnwbhssk.dll
    C:\WINNT\system32\hokqktdo.dll
    C:\WINNT\system32\hqxoycag.dll
    C:\WINNT\system32\hstqkhee.dll
    C:\WINNT\system32\ipxfwjoq.dll
    C:\WINNT\system32\kqayoscg.dll
    C:\WINNT\system32\lfahfptd.dll
    C:\WINNT\system32\mrsbkfpe.dll
    C:\WINNT\system32\oiijpupr.dll
    C:\WINNT\system32\qcnjxgcu.dll
    C:\WINNT\system32\qhopmtjh.dll
    C:\WINNT\system32\qjidahto.dll
    C:\WINNT\system32\rjwqatnc.dll
    C:\WINNT\system32\sptgorkq.dll
    C:\WINNT\system32\unxtquqo.dll
    C:\WINNT\system32\uwjwavkp.dll
    C:\WINNT\system32\woxudbby.dll
    C:\WINNT\system32\ywnxjgcy.dll
    C:\WINNT\system32\yysakewo.dll
    Save this as vundofix.vft and Save as type "all files".
    Double-click VundoFix.exe to run it.
    Drag vundofix.vft onto the listbox (white box) of VundoFix.
    Click the "Remove Vundo" button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions
    starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    (if you set the Start Page like that you may leave it)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b
    O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s

    (you may leave the 015 items if you are positive they are safe)

    O15 - Trusted Zone: http://*.agentnet.com
    O15 - Trusted Zone: http://webconfig.amadeus.com
    O15 - Trusted Zone: http://*.amadeuscruise.com
    O15 - Trusted Zone: http://*.amadeusproweb.com
    O15 - Trusted Zone: http://*.amadeusvista.com
    O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
    O15 - Trusted Zone: http://*.amadeusproweb.com (HKLM)
    O15 - Trusted Zone: http://*.amadeusvista.com (HKLM)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) Right click Start > Explore and navigate to these files/folders and delete them if there.

    (check to be sure these are gone)

    C:\WINNT\system32\kqayoscg.dll
    C:\WINNT\system32\unxtquqo.dll


    7) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post the Vundofix report, a new HJT log and some feedback.

    Thanks
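As an added example (not from the thread, VundoFix or HijackThis), the script below applies the reasoning behind the O4 items pskelley flags above: a Run entry that starts rundll32 on a random-looking DLL in system32 with a one-letter entry point is the Vundo pattern. The sample lines are the two O4 entries from the post plus one constructed benign entry; the name-length heuristic and the `still_present` check for step 6 are assumptions of this example.

```python
import os
import re

# Constructed sample: the two O4 lines quoted in the post above, plus one
# benign Run entry (made up for this example) to show it is not flagged.
HJT_LINES = [
    r'O4 - HKLM\..\Run: [9cade31a] rundll32.exe "C:\WINNT\system32\kqayoscg.dll",b',
    r'O4 - HKLM\..\Run: [BM9f9ed086] Rundll32.exe "C:\WINNT\system32\unxtquqo.dll",s',
    r'O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe',
]

# HijackThis O4 line where rundll32 loads a DLL: capture hive, value name,
# DLL path and the exported entry point after the comma.
O4_RUNDLL = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'rundll32\.exe "(?P<dll>[^"]+)",(?P<entry>\S+)$',
    re.IGNORECASE,
)

# Heuristic (assumption of this example): Vundo drops DLLs with short,
# all-lowercase, vowel-poor random names such as kqayoscg.dll or cbxuvtt.dll.
RANDOM_DLL = re.compile(r'^[a-z]{5,8}\.dll$')


def parse_o4(line):
    """Return the parsed fields of a rundll32 O4 entry, or None otherwise."""
    m = O4_RUNDLL.match(line.strip())
    return m.groupdict() if m else None


def is_vundo_like(entry):
    """True when the DLL sits in system32, has a random-looking name and a
    single-character entry point (the 'b' / 's' seen in the log above)."""
    dll = entry['dll']
    basename = dll.rsplit('\\', 1)[-1].lower()
    in_system32 = '\\system32\\' in dll.lower()
    return in_system32 and bool(RANDOM_DLL.match(basename)) and len(entry['entry']) == 1


def suspicious_dlls(lines):
    """Collect DLL paths from O4 lines that match the Vundo pattern."""
    return [e['dll'] for e in map(parse_o4, lines) if e and is_vundo_like(e)]


def still_present(paths):
    """Step 6 of the post: report which of the listed files still exist."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == '__main__':
    hits = suspicious_dlls(HJT_LINES)
    print('Vundo-like O4 entries:', hits)
    print('Still on disk:', still_present(hits))
```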
