Thread: !!2 front attack: Comman Service & Virtumonde.dll HELP!!

  1. #1 Junior Member (Join Date: Apr 2008, Posts: 6)

    Hi Blade, Here is the log.

    KASPERSKY LOG


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, April 26, 2008 6:30:41 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 26/04/2008
    Kaspersky Anti-Virus database records: 726109
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 77003
    Number of viruses found: 16
    Number of infected objects: 43
    Number of suspicious objects: 2
    Duration of the scan process: 02:40:28

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/asmend.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Rogoff Family\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Rogoff Family\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Rogoff Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Rogoff Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Rogoff Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Rogoff Family\Local Settings\History\History.IE5\MSHist012008042620080427\index.dat Object is locked skipped
    C:\Documents and Settings\Rogoff Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Rogoff Family\My Documents\My Music\Taryns Music\Justin Timberlake\justen timberlake 36.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
    C:\Documents and Settings\Rogoff Family\My Documents\PACK WEST\Spearsheets\Command Conquer 3 Tiberium Wars.exe Infected: Trojan-Dropper.Win32.VB.lu skipped
    C:\Documents and Settings\Rogoff Family\My Documents\PACK WEST\Spearsheets\Command And Conquer 3 - Tiberium Wars iSO.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.bsa skipped
    C:\Documents and Settings\Rogoff Family\My Documents\PACK WEST\Spearsheets\Command And Conquer 3 - Tiberium Wars iSO.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Rogoff Family\My Documents\PACK WEST\Spearsheets\Medal of Honor Spearhead.zip/Medal of Honor Spearhead.exe Infected: Backdoor.Win32.VB.dap skipped
    C:\Documents and Settings\Rogoff Family\My Documents\PACK WEST\Spearsheets\Medal of Honor Spearhead.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Rogoff Family\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Rogoff Family\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20080425-111624-106.dll Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
    C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir ZIP: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINDOWS\Fonts\Crack.exe.vir Infected: Trojan.Win32.Agent.cmn skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\bedeguol.dll.vir Infected: Packed.Win32.Monder.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\g73.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\g73.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\g73.exe.vir NSIS: infected - 2 skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\xcsDd18\xcsDd182328.exe.vir Infected: Trojan-Downloader.Win32.VB.dht skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\yrokrtcp.dll.vir Infected: Packed.Win32.Monder.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\{fc4fa85a-e641-11bd-ff5a-8c38e144c41d}.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\QooBox\Quarantine\catchme2008-04-25_ 92408.23.zip/ssqOIXNF.dll Infected: Packed.Win32.Monder.gen skipped
    C:\QooBox\Quarantine\catchme2008-04-25_ 92408.23.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP844\A0065502.dll Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP844\A0065520.exe Infected: Backdoor.Win32.VB.dap skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP846\A0065660.exe Infected: Trojan.Win32.Agent.cmn skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP846\A0065710.exe Infected: Trojan.Win32.Regrun.cm skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP848\A0066069.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP848\A0066071.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qgr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP848\A0066073.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP848\A0066091.dll Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP848\A0066167.dll Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP850\A0066318.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpx skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP850\A0066319.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP851\A0066327.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpb skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP851\A0066328.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP851\A0066329.dll Infected: Packed.Win32.Monder.gen skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP851\A0066331.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpw skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP851\A0068313.dll Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP852\A0068329.exe Infected: Trojan.Win32.Agent.cmn skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP852\A0068333.dll Infected: Packed.Win32.Monder.gen skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP852\A0068336.dll Infected: Packed.Win32.Monder.gen skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP853\A0068461.exe Infected: Trojan-Downloader.Win32.VB.dht skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP853\A0068466.dll Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP853\A0068470.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP853\A0068470.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP853\A0068470.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP853\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{C990D150-422C-4FF5-9126-B872B7AEE3C1}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  2. #2 Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi

    Those items in System Restore will get cleaned when you follow the "Let's reset system restore" part of my instructions. The QooBox folder is ComboFix's quarantine folder and will get deleted when you uninstall ComboFix. That's also instructed in my earlier post. You can also delete the C:\Program Files\Trend Micro\HijackThis\backups folder and clean the Spybot recovery. You'll find Recovery behind the first aid kit icon in the Spybot program.

    Other findings are most likely false positives.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
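The reply above sorts the scanner's hits by where they sit (restore points, ComboFix's QooBox quarantine, HijackThis backups, Spybot recovery) rather than by detection name, because those locations hold stored copies that the normal cleanup steps remove. The Python script below, an added example and not code from this thread or from Kaspersky, ComboFix, HijackThis or Spybot, does that sorting mechanically over the Kaspersky Online Scanner report format: it parses each "path / verdict / action" line, drops the "Object is locked" and archive-container lines (which are not detections), and buckets the rest by location. The location rules and the sample report (a constructed subset of the log posted above, with a generic user name) are assumptions; whether the remaining "live" hits are false positives is still the helper's call, as in the reply.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example, not code from this thread or from Kaspersky, ComboFix,
HijackThis or Spybot. The location rules are assumptions drawn from the
helper's reply; the sample report is a constructed subset of the posted log.
"""
import re
from collections import Counter, defaultdict

# One report line is "<path> <verdict> <action>". Paths contain spaces, so the
# path group is non-greedy and the verdict alternatives are pinned to the
# trailing action word.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked"
    r"|Infected: \S+"
    r"|Suspicious: \S+"
    r"|(?:ZIP|NSIS|RAR|CAB): (?:infected|suspicious) - \d+) "
    r"(?P<action>skipped|deleted|disinfected|quarantined)$"
)

# (bucket, lowercase path fragment); first match wins. Files in these buckets
# are stored copies, not running components, and go away with the matching
# cleanup step (assumption based on the reply above).
LOCATION_RULES = [
    ("restore_point", "\\system volume information\\_restore"),
    ("combofix_quarantine", "\\qoobox\\quarantine\\"),
    ("hijackthis_backup", "\\hijackthis\\backups\\"),
    ("spybot_recovery", "\\spybot - search & destroy\\recovery\\"),
]


def parse_line(line):
    """Return {path, kind, name, action} for a report line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    verdict = m.group("verdict")
    if verdict == "Object is locked":
        kind, name = "locked", None      # scanner could not open it; not a detection
    elif verdict.startswith("Infected: "):
        kind, name = "infected", verdict.split(": ", 1)[1]
    elif verdict.startswith("Suspicious: "):
        kind, name = "suspicious", verdict.split(": ", 1)[1]
    else:
        kind, name = "container", None   # archive summary; the inner object has its own line
    return {"path": m.group("path"), "kind": kind, "name": name, "action": m.group("action")}


def classify_location(path):
    """Map a path to a storage bucket, or 'live' if it matches no known quarantine/backup area."""
    low = path.lower()
    for bucket, fragment in LOCATION_RULES:
        if fragment in low:
            return bucket
    return "live"


def triage(report_text):
    """Bucket detections by location and count detection names; skip locked and container lines."""
    buckets = defaultdict(list)
    families = Counter()
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] in ("locked", "container"):
            continue
        rec["location"] = classify_location(rec["path"])
        buckets[rec["location"]].append(rec)
        families[rec["name"]] += 1
    return buckets, families


# Constructed sample: a subset of the posted report with a generic user name.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/asmend.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\User\My Documents\My Music\track 36.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\User\My Documents\Downloads\Game Setup.exe Infected: Trojan-Dropper.Win32.VB.lu skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080425-111624-106.dll Infected: not-a-virus:AdWare.Win32.Agent.blr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bedeguol.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-25_ 92408.23.zip/ssqOIXNF.dll Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-04-25_ 92408.23.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP848\A0066069.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP851\A0066329.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{CD45504F-D983-486E-9C46-F5C3E4ADCBD7}\RP853\change.log Object is locked skipped
"""

if __name__ == "__main__":
    buckets, families = triage(SAMPLE_REPORT)
    for bucket in ("live", "combofix_quarantine", "hijackthis_backup", "spybot_recovery", "restore_point"):
        print(f"{bucket}: {len(buckets[bucket])}")
        for rec in buckets[bucket]:
            print(f"  [{rec['kind']}] {rec['name']}  {rec['path']}")
    print("by name:", dict(families))
```

On the sample, only the two files under the user's own documents land in the "live" bucket; everything else is in a quarantine, backup or restore-point area that the reply's cleanup steps already cover. The "Object is locked" lines are in-use system files (registry hives, event logs, WMI repository) that the scanner could not open, not findings, so the script drops them before counting.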

  3. #3 Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

    Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
