Jump to content


Photo

Spy.VBStat.J Trojan, popups, slow computer


  • Please log in to reply
1 reply to this topic

#1 cossakfop

cossakfop

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 21 April 2007 - 03:02 PM

NOD32 has recently been giving alerts saying Spy.VBStat.J Trojan is running on my PC, I have also been getting popups in IE and my PC is running extremely slowly lately. The slowdown seemed to occur after I recently installed a new graphics card and psu but I have checked connections and drivers for these which appear to be fine.

I have run scans with Ad-Aware, Spybot and Kaspersky Online scanner, and have also ran VundoFix.exe (as recommended to someone else who was receiving Spy.VBStat.J Trojan messages on the Safer Networking Forum)


HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 6:57:19 PM, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Eset\nod32kui.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Xfire\xfire.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Luke Lane\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\rufmkrop.dll",setvm
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowBlinds] C:\Program Files\Stardock\Object Desktop\WindowBlinds\WBInstall32.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Xfire.lnk = D:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146598376187
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4F69A91-BC04-4EB1-AC00-D94F7F290B71}: NameServer = 212.74.112.66,212.74.112.67
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

___________________________________________________________________________

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 21, 2007 8:59:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/04/2007
Kaspersky Anti-Virus database records: 300226
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 191434
Number of viruses found: 7
Number of infected objects: 20 / 0
Number of suspicious objects: 0
Duration of the scan process: 07:30:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12222006-165855.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Luke Lane\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Application Data\Opera\Opera\mail\indexer\indexer_1024.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{264DBE43-5831-41D9-80A1-23621E8AD9C6} Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\aiolfxug.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\fsaxgswe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\hsperfdata_Luke Lane\3464 Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\IH197.tmp Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\IHA4.tmp Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\nexvcjbn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\nsctsxvc.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\nuxcuups.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\smwoioay.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\udtbmlmo.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\uhgacitx.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temp\xrnckums.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temporary Internet Files\Content.IE5\1IW8ERVM\sliderphotogallery[1].htm Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Luke Lane\Local Settings\Temporary Internet Files\Content.IE5\OAIG7GYX\new058f_main[1].swf Object is locked skipped
C:\Documents and Settings\Luke Lane\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Luke Lane\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Downloads\mirc617.exe mIRC: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BB3FB798-D13F-44A5-9EB1-AE541DABEDB4}\RP543\A0076712.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\System Volume Information\_restore{BB3FB798-D13F-44A5-9EB1-AE541DABEDB4}\RP550\A0077874.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\System Volume Information\_restore{BB3FB798-D13F-44A5-9EB1-AE541DABEDB4}\RP553\change.log Object is locked skipped
C:\VundoFix Backups\rufmkrop.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\PC2.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{16014258-E804-46A7-B7F7-AAAC92025823}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aistrpns.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\awtrsst.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ig skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\ssqqqon.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ig skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT02648.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT02662.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
D:\Program Files\ESET\logs\virlog.dat Object is locked skipped
D:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
D:\RECYCLER\S-1-5-21-821378520-1462477513-1706000471-1007\Dd1.NQF Infected: Trojan-Spy.Win32.VBStat.h skipped
D:\RECYCLER\S-1-5-21-821378520-1462477513-1706000471-1007\Dd3.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{BB3FB798-D13F-44A5-9EB1-AE541DABEDB4}\RP553\change.log Object is locked skipped

Scan process completed.

___________________________________________________________________________

Vundofix log:

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:58:00 PM 19/04/2007

Listing files found while scanning....

C:\WINDOWS\system32\porkmfur.ini
C:\WINDOWS\system32\rufmkrop.dll
C:\WINDOWS\system32\vtstr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\porkmfur.ini
C:\WINDOWS\system32\porkmfur.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rufmkrop.dll
C:\WINDOWS\system32\rufmkrop.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\vtstr.dll Has been deleted!

Performing Repairs to the registry.
Done!

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,520 posts

Posted 24 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button