Virtumonde removal problems.



Loken
2007-10-27, 10:42
Hey.

Firstly, I apologize for my first post.
Secondly, I think that I have now done everything I have to do to make a good post. So here it goes :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:30, on 2007-10-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\apvxdwin.exe
C:\WINDOWS\system32\dllhost.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\eitdzj.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_S78.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\LKEN~1\LOCALS~1\Temp\{56DC644C-E73D-4203-97B6-F43822666BD9}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Update Machine] eitdzj.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Documents and Settings\Löken\Local Settings\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Microsoft Update Machine] eitdzj.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Löken\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 10221 bytes

Loken
2007-10-27, 10:44
And here is my Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 9:54:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/10/2007
Kaspersky Anti-Virus database records: 446707
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\
P:\
Q:\

Scan Statistics:
Total number of scanned objects: 538761
Number of viruses found: 16
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 07:17:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Ing-Marie\Local Settings\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Ing-Marie\Local Settings\Temporary Internet Files\Content.IE5\C6DR129M\upd32_v13[1] Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\Ing-Marie\Local Settings\Temporary Internet Files\Content.IE5\Q9OZE9U5\vasya[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Löken\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Löken\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Löken\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Löken\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Löken\Local Settings\History\History.IE5\MSHist012007102620071027\index.dat Object is locked skipped
C:\Documents and Settings\Löken\Local Settings\Temp\BearShare_1732187.exe/WISE0104.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Löken\Local Settings\Temp\BearShare_1732187.exe/WISE0104.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Löken\Local Settings\Temp\BearShare_1732187.exe/WISE0104.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.j skipped
C:\Documents and Settings\Löken\Local Settings\Temp\BearShare_1732187.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Löken\Local Settings\Temp\BearShare_1732187.exe WiseSFX Dropper: infected - 3 skipped
C:\Documents and Settings\Löken\Local Settings\Temp\mofugclq.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Löken\Local Settings\Temp\qrjatydi.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Löken\Local Settings\Temp\rhvqsuwb.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Löken\Local Settings\Temp\urclqecd.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\0163GLY7\f4d28682d186cc6beb75f106d133f489[1].zip/b128.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\0163GLY7\f4d28682d186cc6beb75f106d133f489[1].zip/b128.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\0163GLY7\f4d28682d186cc6beb75f106d133f489[1].zip/b128.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\0163GLY7\f4d28682d186cc6beb75f106d133f489[1].zip/b128.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\0163GLY7\f4d28682d186cc6beb75f106d133f489[1].zip/b128.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\0163GLY7\f4d28682d186cc6beb75f106d133f489[1].zip ZIP: infected - 5 skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\0163GLY7\tsitra[1].exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\8DQ30P2J\!update-4395[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\8DQ30P2J\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.ehg skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\8DQ30P2J\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Löken\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Löken\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Löken\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Löken\Shared\Adobe.Photoshop.CS3.v10.0.Extended.Keygen\keygen.exe Infected: Trojan-Dropper.NSIS.Agent.b skipped
C:\Documents and Settings\Löken\Shared\Photoshop CS3 Keygen+activation.rar/Adobe CS3 Master Activation/Keygen+Activation.exe Infected: Backdoor.Win32.Ciadoor.gn skipped
C:\Documents and Settings\Löken\Shared\Photoshop CS3 Keygen+activation.rar RAR: infected - 1 skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sanna\Local Settings\Temporary Internet Files\Content.IE5\YZN194HL\upd32_v13[1] Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\Sanna\Local Settings\Temporary Internet Files\Content.IE5\ZV5955LM\vasya[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\logs\starwind.2007-10-26.21-20-53.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\L0000001.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Löken\Data\storydb.idx Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\RECYCLER\S-1-5-21-3865965735-2936202337-2547828924-1010\Dc318\PhotoShop CS3 Keygen WITH Activation.rar/PhotoShop CS3 Extended Keygen + Activation/PhotoShop CS3 Extended Keygen + Activation/patcPhotoShop CS3 Extended Keygen + Activationh.exe Infected: Backdoor.Win32.Aimbot.gc skipped
C:\RECYCLER\S-1-5-21-3865965735-2936202337-2547828924-1010\Dc318\PhotoShop CS3 Keygen WITH Activation.rar RAR: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP318\A0094132.exe Infected: Backdoor.Win32.Ciadoor.gn skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP318\A0094134.exe Infected: Backdoor.Win32.Aimbot.gc skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP318\A0094183.exe Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP318\A0094186.exe Infected: Trojan.Win32.Agent.bqn skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP319\A0094242.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP319\A0094244.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP319\A0094365.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\A0094388.exe Infected: Backdoor.Win32.Ciadoor.gn skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\A0094397.exe Infected: Backdoor.Win32.Aimbot.gc skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\A0097467.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\A0097572.exe Infected: Trojan-Downloader.Win32.Adload.lv skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\A0097573.exe Infected: Trojan.Win32.Agent.bqn skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\A0097574.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\A0097575.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{AE69B033-B293-42DD-BDC3-23E87CC1F3A6}\RP320\change.log Object is locked skipped
C:\VundoFix Backups\kvyhpvzy.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.ehg skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{D118D615-DFEE-4A1D-81FE-827F95480BD1}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\eitdzj.exe Infected: Backdoor.Win32.Rbot.bll skipped
C:\WINDOWS\system32\Fun.exe Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\psjgjjsr.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\tsitra1044.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
D:\System Volume Information\catalog.wci\0001000B.ci Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
D:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2007-10-27, 16:46
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Note: We do not support the use of illegal Pirated/Warez/Cracked software.
I hate to be the bearer of bad news, but you have a nasty trojan onboard:
C:\WINDOWS\system32\eitdzj.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] eitdzj.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] eitdzj.exe

http://www.castlecops.com/startuplist-6193.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=39437

Win32.Rbot is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware.
I believe you should have this information:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

There may be more malware; this is the one I am most concerned with.
Please let us know what you have decided to do in your next post.

Thanks
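A small triage script for the kind of O4 autostart entries the helper singles out above (the pathless image under both Run and RunServices, with a value name borrowed from Microsoft). This is an added example written for this thread, not code from the forum, from HijackThis or from any poster; the sample lines are copied from the HijackThis log posted above, and the heuristics and their weighting are this example's own assumptions.

```python
"""Triage of HijackThis O4 (registry autostart) lines.

Added example for this thread; not code from HijackThis or the forum.
"""
import re
from dataclasses import dataclass, field

# One O4 registry-autostart line, e.g.
#   O4 - HKLM\..\RunServices: [Microsoft Update Machine] eitdzj.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class Finding:
    name: str          # registry value name, e.g. "Microsoft Update Machine"
    key: str           # Run or RunServices
    command: str       # command line exactly as logged
    reasons: list = field(default_factory=list)


def image_of(cmd):
    """Executable image from a command line, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_o4(lines, running=()):
    """Return a Finding for every O4 line that trips at least one heuristic.

    These are assumed heuristics, the kind a helper applies by eye; none is
    proof on its own (RTHDCPL.EXE in the log above is pathless but a
    legitimate Realtek entry), so each Finding keeps every reason that
    fired and rank() orders by how many did.
    """
    running_names = {p.rsplit("\\", 1)[-1].lower() for p in running}
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Global Startup lines and other sections are ignored
        name, key, cmd = m["name"], m["key"], m["cmd"]
        image = image_of(cmd)
        pathless = "\\" not in image
        reasons = []
        if key.lower() == "runservices":
            # Win9x-era key still honoured by XP; legitimate installers
            # seldom use it, while IRC bots like it for persistence.
            reasons.append("RunServices key")
        if pathless:
            reasons.append("pathless image, resolved via the search path")
            if image.lower() in running_names:
                reasons.append("pathless image is currently running")
        if pathless and re.search(r"\b(microsoft|windows)\b", name, re.I):
            reasons.append("vendor-sounding name on a pathless image")
        if reasons:
            findings.append(Finding(name, key, cmd, reasons))
    return findings


def rank(findings):
    """Most reasons first; ties keep log order."""
    return sorted(findings, key=lambda f: -len(f.reasons))


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [Microsoft Update Machine] eitdzj.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft Update Machine] eitdzj.exe",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
]
SAMPLE_RUNNING = [
    r"C:\WINDOWS\system32\eitdzj.exe",
    r"C:\WINDOWS\RTHDCPL.EXE",
    r"C:\WINDOWS\Explorer.EXE",
]

if __name__ == "__main__":
    for f in rank(triage_o4(SAMPLE_O4, SAMPLE_RUNNING)):
        print(f"{len(f.reasons)}  {f.key:<12} [{f.name}] {f.command}")
        for r in f.reasons:
            print("      -", r)
```

Run against the sample, the RunServices copy of eitdzj.exe ranks first with all four reasons, while pathless-but-legitimate entries such as RTHDCPL.EXE surface lower and ehTray or msnmsgr not at all.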

Loken
2007-10-28, 11:00
Thank you for helping :)

Well, I've talked to my father, who owns the computer, and he decided to just remove it and :blink:

So I guess that's what'll happen =/