Murlo Trojan



chrissri
2007-04-17, 12:40
The program Xoftspy finds a 'Murlo Trojan' ('severe risk') on my disk as a registry value, which Spybot does not identify.

I can delete it with Xoftspy, but it comes back after the next start, although I have deactivated system recovery and scanned in safe mode.

Does anybody know that trojan, what it does, and what I can do?

Thanks!

Chr.

shelf life
2007-04-18, 01:53
hi chrissri,

It could be a false positive or a harmless leftover. Are you using version 4.0 of Xoftspy? The previous versions are not recommended.

if you want you can post a hjt log:

* http://www.downloads.subratam.org/hijackthis.zip
* If you are unfamiliar with zip programs, get HijackThis.exe here:
* http://www.merijn.org/files/HijackThis.exe

* First put hijackthis into a permanent folder.
* Do this first - go to C: and create a new permanent folder.
Example C:\AntiSpyWare or C:\hijackthis
* This is necessary to ensure you have backups should anything go wrong.
* Then put (or download - choose "save" not "run") the hijackthis.exe file in this folder.
If you downloaded a zipped HJT file unzip it to the permanent folder so you have C:\hijackthis\hijackthis.exe.
* Example of the wrong way:
C:\DOCUME~1\Name\LOCALS~1\Temp\Temporary Directory for hijackthis.zip\HijackThis.exe
* Running hjt from the wrong folder may delay assistance as your helper will have to ask for a new log.

If in doubt use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.

* Double click HijackThis.exe.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere, and copy/paste in next reply:
a) The HJT log

shelf life

chrissri
2007-04-18, 15:38
Thanks, shelf life, for reacting. I don't think it's an old leftover, as it showed up just 4 days ago.

I did several tests:

Xoftspy v4.22 still identifies 3x 'Murlo Trojan', severe risk.

AVG Antivirus finds 2 registry values changed, but says 'no threat'.

AVG Antispy only finds some cookies; the same goes for Panda Activescan.

---------------------------------------------------------
AVG Anti-Spyware - Scan-Bericht
---------------------------------------------------------

+ Erstellt um: 23:50:53 17.04.2007

+ Scan-Ergebnis:

C:\Dokumente und Einstellungen\reichert\Cookies\reichert@2o7[2].txt -> TrackingCookie.2o7 : Keine Aktion durchgeführt.
C:\Dokumente und Einstellungen\reichert\Cookies\reichert@ivwbox[2].txt -> TrackingCookie.Ivwbox : Keine Aktion durchgeführt.
::Berichtende


Norton doesn't find a threat.

Spybot doesn't find anything.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:09:03, on 18.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programme\Gemeinsame Dateien\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\AOL 9.0\waol.exe
C:\Programme\AOL 9.0\shellmon.exe
C:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk.disabled
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.de/computercheckup/qdiagcc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39E3D6AB-D746-491C-8F7E-85DF5DB2E4FE}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D796141-72B5-4008-95C2-87027270C559}: NameServer = 217.66.226.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{6039CDCF-3DD8-4100-83C4-E698FFA5EFB8}: NameServer = 192.168.0.2,192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE6062A-CBBF-4FEC-B484-8182F44FFB3A}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{39E3D6AB-D746-491C-8F7E-85DF5DB2E4FE}: NameServer = 205.188.146.145
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: psfus - C:\Programme\IBM fingerprint software\psfus.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programme\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programme\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programme\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programme\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Programme\Gemeinsame Dateien\Virtual Token\vtserver.exe

Thanks,

chrissri
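As an added illustration (my own code, not from this thread and not part of HijackThis): a small Python parser for the HijackThis log format posted above. It splits the "Running processes" list from the coded R/F/N/O entries and attaches review flags for the things a helper looks at first: "(file missing)" entries, O23 services with "Unknown owner", O4 autostarts given as a bare filename, and O17 NameServer lines pointing at non-private resolvers. The sample log is a constructed excerpt of the posted one; a flag means "look at this", not "this is malware".

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v1.99.1 log format from this thread (a few of the posted lines).
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programme\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6039CDCF-3DD8-4100-83C4-E698FFA5EFB8}: NameServer = 192.168.0.2,192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{39E3D6AB-D746-491C-8F7E-85DF5DB2E4FE}: NameServer = 205.188.146.145
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programme\Symantec AntiVirus\Rtvscan.exe
"""

# Every HJT item starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Registry autostarts look like "HKLM\..\Run: [name] command" (Global Startup lines are left alone).
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class HjtEntry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt_log(text):
    """Split a HijackThis log into its 'Running processes' list and its coded entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first coded entry ends the process list
            entries.append(HjtEntry(match["code"], match["body"]))
        elif in_processes:
            processes.append(line)
    return processes, entries


def _needs_review(nameserver):
    """True for resolvers outside private ranges, or for anything that is not an IP at all."""
    try:
        return not ipaddress.ip_address(nameserver.strip()).is_private
    except ValueError:
        return True


def triage(entries):
    """Attach review flags in place and return the flagged entries (a flag is a prompt, not a verdict)."""
    for e in entries:
        if "(file missing)" in e.body:
            e.flags.append("file-missing")       # stale entry: harmless, but worth cleaning up
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("unknown-owner")      # no publisher string: confirm the binary
        if e.code == "O4":
            m = O4_RE.match(e.body)
            if m and "\\" not in m["cmd"]:
                e.flags.append("bare-filename")  # resolved via the search path, not a fixed path
        if e.code == "O17" and "NameServer = " in e.body:
            servers = e.body.split("NameServer = ", 1)[1].split(",")
            # Public resolvers are normal on dial-up/ISP links (AOL in this thread), but O17 is
            # the line DNS hijackers change, so surface it for confirmation.
            if any(_needs_review(ip) for ip in servers):
                e.flags.append("public-nameserver")
    return [e for e in entries if e.flags]


def summarize(text):
    """Counts plus a body -> flags map for everything worth a second look."""
    processes, entries = parse_hjt_log(text)
    flagged = triage(entries)
    return {
        "processes": len(processes),
        "entries": len(entries),
        "by_code": dict(Counter(e.code for e in entries)),
        "flagged": {e.body: e.flags for e in flagged},
    }


if __name__ == "__main__":
    for body, flags in summarize(SAMPLE_HJT_LOG)["flagged"].items():
        print(", ".join(flags), "->", body)
```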

shelf life
2007-04-18, 23:51
hi chrissri,


> Xoftspy v4.22 still identifies 3x 'Murlo Trojan', severe risk.

Don't see anything in the log. It is possible for any antimalware app to have an occasional false positive.

You also have scanned with Spybot and AVG Anti-Spyware. Both of those came up with nothing. Something as generic as a trojan downloader wouldn't make it past those two. Your computer is clean.

shelf life

chrissri
2007-04-19, 08:02
That means I don't need to worry even if Spybot continues identifying this 'Murlo'?
chrissri

shelf life
2007-04-20, 01:00
hi chrissri,


> That means, I don't need to worry even if Spybot continues identifying this 'Murlo'?

No. If Spybot or AVG Anti-Spyware start flagging malware, then I would be concerned. It may not be listed as Murlo Trojan; they can all use different names for the same thing.

You can get another opinion by doing an online scan if you want:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Check AutoClean under Scan Options.

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner

Click on Online Scanner, accept the EULA, and after it loads the database (may take a while) click Next.
Click the Scan settings button.
Select Extended.
Under Scan options check both Scan Archives and Scan Mail Bases, then click OK.
Click on the My Computer link and the scan will begin.
After the scan is done there is an option to save the report as a .txt file. Click that button. Copy and paste the report into your reply.

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
Check Auto Clean.

shelf life

chrissri
2007-04-22, 18:53
Hi Shelf Life,

Here is the Kaspersky report.

chrissri


Sunday, April 22, 2007 6:39:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/04/2007
Kaspersky Anti-Virus database records: 300433


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 54806
Number of viruses found 1
Number of infected objects 12 / 0
Number of suspicious objects 0
Duration of the scan process 02:20:00

Infected Object Name Virus Name Last Action
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\ACS\1.0\ph Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\ACS\1.0\variable Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\APP10394.LST Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\Apps.Lst Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\Diction.lst Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\main.idx Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\sap.dat Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\spool.lst Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\STYLE.LST Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\sysnews.lst Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\idb\Toolbar.lst Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\organize\CACHE\cjreiche01 Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\organize\cjreichert Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\organize\cjreichert.abi Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\organize\cjreichert.aby Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\C_AOL 9.0\ShopAssist\DataStore\users\CJReichert.adb Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\storage\cache.db Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\storage\server.lock Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\storage\stderr.txt Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL\storage\stdout.txt Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Common Client\settings.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped

C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped

C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Anwendungsdaten\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Cookies\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\ghana\LED\technical proposal lred ghana cr.doc Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\Durchführungskonzept LED Senegal.doc Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL0022.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL0203.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL0374.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL1436.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL1707.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL1735.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL2337.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL2464.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL2503.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL2712.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL2724.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL2824.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL3096.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL3552.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL3641.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Eigene Dateien\senegal\~WRL3699.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF2025.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF21DE.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF2943.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF4D15.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF544D.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF57CB.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF6B2A.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF6DB4.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF7136.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF73E4.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF7708.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DF7737.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DFB805.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DFB9E5.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DFD984.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DFEADC.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DFF0F5.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DFFE42.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~DFFEF7.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~WRF2088.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\~WRS4023.tmp Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007042220070423\index.dat Object is locked skipped

C:\Dokumente und Einstellungen\reichert\NTUSER.DAT Object is locked skipped

C:\Dokumente und Einstellungen\reichert\ntuser.dat.LOG Object is locked skipped

C:\Programme\Gemeinsame Dateien\aol\ACS\DE\forms.fdb Object is locked skipped

C:\Programme\Gemeinsame Dateien\aol\ACS\DE\static Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0030570.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0030571.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0030572.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0030573.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0030574.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0030575.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0031565.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0031566.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0031567.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0031568.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0031569.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Softwin\BitDefender8\Quarantine\A0031571.exe Infected: Email-Worm.Win32.Brontok.q skipped

C:\Programme\Symantec AntiVirus\SAVRT\0360NAV~.TMP Object is locked skipped

C:\Programme\Symantec AntiVirus\SAVRT\0970NAV~.TMP Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{83FFC650-FBCC-4ACF-864C-913C1A47ECCE}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

chrissri
2007-04-23, 17:33
BitDefender Online Scanner

Bericht erstellt am: Mon, Apr 23, 2007 - 00:26:51

Zu prüfender Pfad: C:\;D:\;

Statistik
Zeit 02:06:15
Dateien 362952
Ordner 5467
Boot-Sektoren 3
Archive 8443
Komprimierte Dateien 38352

Ergebnisse
Erkannte Viren 1
Infizierte Dateien 12
verdächtige Dateien 0
Warnungen 0
Desinfiziert 0
Gelöscht 24

Engine-Info
Virensignaturen 487332
Engine info AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Prüf-Plugins 14
Archiv-Plugins 38
Extraktions-Plugins 6
E-Mail-Plugins 6
System-Plugins 1

Prüfeinstellungen
Primäre Aktion Desinfizieren
Sekundäre Aktion Löschen
Heuristik Ja
Warnungen aktivieren Ja
Zu prüfende Erweiterungen *;
Auszuschließende Erweiterungen
E-Mails prüfen Ja
Archive prüfen Ja
Komprimierte Dateien prüfen Ja
Dateien prüfen Ja
Boot-Sektoren prüfen Ja

Geprüfte Dateien Status
C:\Programme\Softwin\BitDefender8\Quarantine\A0030570.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0030570.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0030570.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0030571.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0030571.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0030571.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0030572.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0030572.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0030572.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0030573.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0030573.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0030573.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0030574.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0030574.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0030574.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0030575.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0030575.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0030575.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0031565.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0031565.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0031565.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0031566.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0031566.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0031566.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0031567.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0031567.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0031567.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0031568.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0031568.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0031568.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0031569.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0031569.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0031569.exe=>(Quarantine-2) Gelöscht
C:\Programme\Softwin\BitDefender8\Quarantine\A0031571.exe=>(Quarantine-2) Infiziert: Win32.Brontok.E@mm
C:\Programme\Softwin\BitDefender8\Quarantine\A0031571.exe=>(Quarantine-2) Desinfektion fehlgeschlagen
C:\Programme\Softwin\BitDefender8\Quarantine\A0031571.exe=>(Quarantine-2) Gelöscht

shelf life
2007-04-23, 23:47
hi chrissri,

"Object is locked skipped": some files are locked by the operating system and can't be scanned. They should be fine.

Looks like BitDefender found something: Email-Worm.Win32.Brontok, and then Kaspersky found it in BitDefender's Quarantine folder. As long as it's in quarantine it will be harmless.

shelf life
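An added example (mine, not the poster's and not Kaspersky's own code) of the triage shelf life is doing by eye above: parse the lines of the Kaspersky Online Scanner report and sort them into objects that were locked (never scanned), detections sitting inside a quarantine store or an XP restore point (already contained), and detections on live files (the ones that need attention). The report excerpt is constructed from the posted lines plus one made-up hit on a loose file (the EICAR test string) so that the "attention" branch is exercised.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt in the layout of the Kaspersky Online Scanner report posted above:
# three locked objects, two hits inside BitDefender's quarantine, and one made-up hit on
# a loose file (the EICAR test string) so that the "attention" branch is exercised.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Dokumente und Einstellungen\reichert\NTUSER.DAT Object is locked skipped
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Programme\Softwin\BitDefender8\Quarantine\A0030570.exe Infected: Email-Worm.Win32.Brontok.q skipped
C:\Programme\Softwin\BitDefender8\Quarantine\A0031571.exe Infected: Email-Worm.Win32.Brontok.q skipped
C:\Dokumente und Einstellungen\reichert\Lokale Einstellungen\Temp\sample.com Infected: EICAR-Test-File skipped
Scan process completed.
"""

# "<path> <status> <last action>"; the path may contain spaces, so match it lazily and
# anchor on the status phrases the scanner uses.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?:(?P<locked>Object is locked)|Infected: (?P<virus>\S+)|Suspicious: (?P<susp>\S+)) "
    r"(?P<action>skipped|deleted|disinfected)$"
)


def _is_contained(path):
    """True if the file sits in an AV quarantine store or an XP restore point (_restore{GUID})."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(p == "quarantine" or p.startswith("_restore") for p in parts)


def classify(path, detection, locked):
    """Map one report line to a triage bucket."""
    if locked:
        return "locked"      # in use by the OS (hives, event logs, AV logs): not scanned, not a finding
    if not detection:
        return "clean"
    if _is_contained(path):
        return "contained"   # a second scanner re-detecting another product's quarantine: harmless
    return "attention"       # live file on disk with a detection: this is the one to act on


def triage_report(text):
    """Group report lines by bucket; each item is (path, detection name)."""
    buckets = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, footer and blank lines
        name = m["virus"] or m["susp"] or ""
        buckets[classify(m["path"], name, m["locked"] is not None)].append((m["path"], name))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage_report(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for path, name in items:
            print(f"  {name or '-'}  {path}")
```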

chrissri
2007-04-24, 11:11
Thanks a lot, shelf life, for your help.
I am convinced now that the computer is clean.
The worm in quarantine is an old problem. Didn't know it was still there, as I have removed BitDefender from the hard disk. Will try to find and delete it.

Thank you,
chrissri

shelf life
2007-04-25, 00:20
hi chrissri,

glad to help.
One last thing. Those scans didn't find anything in your system restore points, but it's a good idea to make a new clean one. If you had System Restore turned off, don't worry about it. If it was on, do this to make a new restore point:

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405
------------------------------------
Happy safe surfing out there.
for your reference:
Prevention-or How Can I Help Myself? (http://security-central.us/SafeHex/prevention.htm)