View Full Version : Virtumundo Win32Qhost Win32Agent
piratenews
2008-03-23, 02:53
I ran Kasperkey scans and logs:
1. Memory
2. Critical Ares
3. Harddrives
Then Spybot S&D scans and logs (not included), Win32Qhost Win32Agent not removed.
Then HijackThis2.0.2 and log.
I've wasted 60 hours on this spyrus cyberwar, lost internet, audio, control panel and all programs using various antivirusware, then regained all functions. It was easier when I used to worked on nuke bombs and weapons delivery computers on supersonic aircraft, or building ham radios.
Now I know why the pros backup all files and just wipe the harddrives clean after a virus attack (it's infinitely faster than fighting a hidden spyrus attack).
If you can tell me who to sue or prosecute, I'll do it.
==============================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:02 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\183aa.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/September911surprise%20CTV/PirateNews-org/Homepage/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
N2 - Netscape 6: user_pref("browser.startup.homepage", "file:///E:/September911surprise%20CTV/PirateNews-org/Homepage/index.html"); (C:\Documents and Settings\JOHN LEE\Application Data\Mozilla\Profiles\default\f5sn9q7e.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOHN LEE\Application Data\Mozilla\Profiles\default\f5sn9q7e.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo Toolbar - {54C7D1DD-4296-451e-B756-1E94F665B4FF} - C:\WINDOWS\system32\yatool.dll (disabled by BHODemon)
O2 - BHO: FGCatchUrl - {B3A00219-19D4-4966-AECD-8ED34AB9EF7A} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKLM\..\Run: [klmngtet] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\klmngtet.dll"
O4 - HKLM\..\Run: [CheckWinPerf] C:\WINDOWS\system32\183aa.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [ttbhhhrb] rundll32.exe "C:\WINDOWS\TEMP\nnrfnnbbnrj.sys" WLEntryPoint
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKLM\..\Policies\Explorer\Run: [lfnbphln] rundll32.exe "C:\WINDOWS\system32\nbrnrrjrrbr.dll" WLEntryPoint
O4 - HKUS\S-1-5-21-1420582129-1497244195-3520757181-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1420582129-1497244195-3520757181-1006\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\torapcfm.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: http://www.archive.org
O15 - Trusted Zone: http://tvplanner.comcast.net
O15 - Trusted Zone: http://www.disabilityforms.com
O15 - Trusted Zone: http://www.fireflyfans.net
O15 - Trusted Zone: http://*.infowars.net
O15 - Trusted Zone: http://*.myspace.com
O15 - Trusted Zone: http://ww2.nero.com
O15 - Trusted Zone: http://vhost.oddcast.com
O15 - Trusted Zone: http://flash.picturetail.com
O15 - Trusted Zone: http://www.picturetrail.com
O15 - Trusted Zone: *.picturetrail.com
O15 - Trusted Zone: www.piratenews.org
O15 - Trusted Zone: *.piratenews.org
O15 - Trusted Zone: http://*.piratenews.org
O15 - Trusted Zone: *.piratenews_supremecenter38.com
O15 - Trusted Zone: http://forums.spybot.info
O15 - Trusted Zone: *.supremecenter38.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O20 - Winlogon Notify: hgnid - C:\WINDOWS\
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
O21 - SSODL: DrvAvp - {e82124db-dadc-4f41-977a-12c725dd7cc0} - C:\WINDOWS\Installer\{e82124db-dadc-4f41-977a-12c725dd7cc0}\DrvAvp.dll
O21 - SSODL: KbdSetup - {ac633de7-14d4-4297-8e5f-613b933fb5ab} - C:\WINDOWS\Installer\{ac633de7-14d4-4297-8e5f-613b933fb5ab}\KbdSetup.dll
O21 - SSODL: zip - {d5922084-f076-4b91-abc8-9390f0f76e02} - C:\WINDOWS\Installer\{d5922084-f076-4b91-abc8-9390f0f76e02}\zip.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 8297 bytes
piratenews
2008-03-23, 02:54
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 6:07:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654514
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Memory:
Scan Statistics:
Total number of scanned objects: 1361
Number of viruses found: 6
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:00:36
Infected Object Name / Virus Name / Last Action
[0] [System Process] => C:\Program Files\IE Extensions\cj.v2.dll Infected: Trojan-Clicker.Win32.Agent.xs skipped
[720] winlogon.exe => C:\WINDOWS\system32\WLCtrl32.dll Infected: Trojan-Downloader.Win32.Agent.luo skipped
[1948] explorer.exe => C:\WINDOWS\Installer\{e82124db-dadc-4f41-977a-12c725dd7cc0}\DrvAvp.dll Infected: Trojan-Downloader.Win32.Small.iuq skipped
[1948] explorer.exe => C:\WINDOWS\Installer\{ac633de7-14d4-4297-8e5f-613b933fb5ab}\KbdSetup.dll Infected: Trojan-Downloader.Win32.Small.iuq skipped
[160] csrss.exe => C:\WINDOWS\system32\wbem\csrss.exe Infected: Trojan.Win32.Agent.gci skipped
[112] 183aa.exe => C:\WINDOWS\system32\183aa.exe Infected: Trojan-Downloader.Win32.Agent.gbj skipped
[428] iexplore.exe => C:\Program Files\IE Extensions\cj.v2.dll Infected: Trojan-Clicker.Win32.Agent.xs skipped
[4080] iexplore.exe => C:\Program Files\IE Extensions\cj.v2.dll Infected: Trojan-Clicker.Win32.Agent.xs skipped
[3612] tmp2109390.exe => C:\Program Files\tmp2109390.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
[3696] tmp2109484.exe => C:\Program Files\tmp2109484.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
[3748] explorer.exe => C:\Program Files\IE Extensions\cj.v2.dll Infected: Trojan-Clicker.Win32.Agent.xs skipped
Scan process completed.
piratenews
2008-03-23, 03:02
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 6:37:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654514
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\
Scan Statistics:
Total number of scanned objects: 36079
Number of viruses found: 38
Number of infected objects: 68
Number of suspicious objects: 0
Duration of the scan process: 00:28:41
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Installer\{0bfb355f-1157-4832-81f7-b2da5b3957c7}\zip.dll Infected: Trojan-Dropper.Win32.Agent.fwj skipped
C:\WINDOWS\Installer\{334ff6d0-523d-4f68-828b-09d34d3a6b9a}\zip.dll Infected: Trojan-Dropper.Win32.Agent.fwj skipped
C:\WINDOWS\Installer\{8dceb2ba-45a6-4b83-8580-51cb2b532546}\zip.dll Infected: Trojan-Dropper.Win32.Agent.fwj skipped
C:\WINDOWS\Installer\{9d00dc2b-b071-4706-876d-4bac586f2ab7}\zip.dll Infected: Trojan-Dropper.Win32.Agent.fwj skipped
C:\WINDOWS\Installer\{ac234da1-fa9d-4cff-850c-b9d5e6659f1b}\zip.dll Infected: Trojan-Dropper.Win32.Agent.fwj skipped
C:\WINDOWS\Installer\{ac633de7-14d4-4297-8e5f-613b933fb5ab}\KbdSetup.dll Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\WINDOWS\Installer\{e82124db-dadc-4f41-977a-12c725dd7cc0}\DrvAvp.dll Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\WINDOWS\system32\183aa.exe Infected: Trojan-Downloader.Win32.Agent.gbj skipped
C:\WINDOWS\system32\alrsvco.exe Infected: Backdoor.Win32.IRCBot.bye skipped
C:\WINDOWS\system32\ALSNDMGRd.exe Infected: Backdoor.Win32.IRCBot.bye skipped
C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe Infected: Backdoor.Win32.Agent.egy skipped
C:\WINDOWS\system32\bnnjbtbbfrf.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\credigui.dll Infected: Trojan-Downloader.Win32.Small.iqt skipped
C:\WINDOWS\system32\drivers\Gms31.sys Object is locked skipped
C:\WINDOWS\system32\drivers\spools.exe Infected: Worm.Win32.Socks.c skipped
C:\WINDOWS\system32\ftpdll.dll Infected: Trojan-Dropper.Win32.Small.bgx skipped
C:\WINDOWS\system32\gdid32.dll Infected: Trojan-Downloader.Win32.Small.iqu skipped
C:\WINDOWS\system32\Hfdj84g.dll Infected: Trojan-Downloader.Win32.Small.sxn skipped
C:\WINDOWS\system32\hhbnhlltdtr.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\iphelp.dll Infected: Trojan.Win32.Pakes.cku skipped
C:\WINDOWS\system32\Kf94lfg.dll Infected: Trojan-Downloader.Win32.Small.sxo skipped
C:\WINDOWS\system32\kfmtonetcrm.drv Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\msgk275FIXVIRUS.exe Infected: Worm.Win32.Socks.c skipped
C:\WINDOWS\system32\msgk374FIXVIRUS.exe Infected: Trojan-Proxy.Win32.Xorpix.dh skipped
C:\WINDOWS\system32\msgk387FIXVIRUS.exe Infected: Trojan-Downloader.Win32.Small.svf skipped
C:\WINDOWS\system32\msgk421FIXVIRUS.exe Infected: Trojan.Win32.Pakes.cif skipped
C:\WINDOWS\system32\msgk427FIXVIRUS.exe Infected: Trojan.Win32.Agent.gau skipped
C:\WINDOWS\system32\msgk449FIXVIRUS.exe Infected: Trojan-Clicker.Win32.Agent.tp skipped
C:\WINDOWS\system32\nbrnrrjrrbr.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\netd.dll Infected: Trojan.Win32.Pakes.ckv skipped
C:\WINDOWS\system32\npdl.exe Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.j skipped
C:\WINDOWS\system32\protect.dll Infected: Trojan.Win32.Pakes.ckw skipped
C:\WINDOWS\system32\psx.dll Infected: Trojan-Downloader.Win32.Small.iqv skipped
C:\WINDOWS\system32\ptldtl.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\ptpdrfhlhbt.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\pxcrt.dll Infected: Trojan-Downloader.Win32.Small.iqw skipped
C:\WINDOWS\system32\rcdll.dll Infected: Trojan.Win32.Pakes.ckt skipped
C:\WINDOWS\system32\sjapcrahsjq.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\system32\torapcfm.dll Infected: Email-Worm.Win32.Locksky.da skipped
C:\WINDOWS\system32\wbem\csrss.exe Infected: Trojan.Win32.Agent.gci skipped
C:\WINDOWS\system32\winlugan.exe Infected: Trojan-Downloader.Win32.Winlagons.al skipped
C:\WINDOWS\system32\winmed.exe Infected: Trojan-Downloader.Win32.Agent.laq skipped
C:\WINDOWS\system32\WLCtrl32.dll Infected: Trojan-Downloader.Win32.Agent.luo skipped
C:\WINDOWS\system32\WLCtrl32.dl_ Infected: Trojan-Downloader.Win32.Agent.luo skipped
C:\WINDOWS\system32\wowfx.dll Infected: Trojan.Win32.Qhost.abh skipped
C:\WINDOWS\system32\wsock32d.dll Infected: Trojan.Win32.Pakes.ckx skipped
C:\WINDOWS\system32\yatool.dll Infected: Trojan-Downloader.Win32.Small.iqx skipped
C:\WINDOWS\TEMP\bbfjbrnjjn.drv Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\TEMP\BN1.tmp Infected: Backdoor.Win32.Agobot.pbq skipped
C:\WINDOWS\TEMP\BN2.tmp Infected: Backdoor.Win32.Agobot.pbq skipped
C:\WINDOWS\TEMP\BN6A.tmp Infected: Backdoor.Win32.Agobot.pbq skipped
C:\WINDOWS\TEMP\BND.tmp Infected: Backdoor.Win32.Agobot.pbq skipped
C:\WINDOWS\TEMP\nnrfnnbbnrj.sys Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\TEMP\ptpdrfhlhbt.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\WINDOWS\TEMP\sjapcrahsjq.dll Infected: Email-Worm.Win32.Locksky.cm skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\.tt20D5.tmp/stream/data0010 Infected: not-a-virus:FraudTool.Win32.InfeStopRemover.b skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\.tt20D5.tmp/stream Infected: not-a-virus:FraudTool.Win32.InfeStopRemover.b skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\.tt20D5.tmp NSIS: infected - 2 skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\syswcc32.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\syswcc32.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\syswcc32.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\syswcc32.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\syswcc32.exe RarSFX: infected - 4 skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\9S89PU65\SystemDefender_Installer[1].exe Infected: Trojan-Downloader.Win32.Adload.ma skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CXE5MTFP\1205876550[1].exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CXE5MTFP\1205876550[2].exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CXE5MTFP\SysCleaner_Installer[1].exe Infected: not-a-virus:Downloader.Win32.UltimateFix.h skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\N8BQZKXT\xloader30029[1].exe Infected: Trojan.Win32.Qhost.abh skipped
C:\DOCUME~1\JOHNLE~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\O5EJSLQ3\1205876552[1].exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
Scan process completed.
piratenews
2008-03-23, 03:10
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 6:04:37 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654514
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 180543
Number of viruses found: 78
Number of infected objects: 342
Number of suspicious objects: 0
Duration of the scan process: 02:06:36
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE5.zip/partnership.dll Infected: Trojan-Proxy.Win32.Xorpix.dg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/vedxga1me4t1.exe Infected: Trojan-Downloader.Win32.Tibs.wh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/vedxg4am1et2.exe Infected: Trojan-Downloader.Win32.Tibs.wh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip/dllgh8jkd1q2.exe Infected: Trojan-Downloader.Win32.Tibs.wh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip/dllgh8jkd1q6.exe Infected: Trojan-Downloader.Win32.Tibs.wh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC15.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip/dllgh8jkd1q7.exe Infected: Trojan-Downloader.Win32.Tibs.wh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/vedxga3me2.exe Infected: Trojan-Downloader.Win32.VB.ded skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/vedxga4me1.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/vedxg6ame4.exe Infected: Trojan-Downloader.Win32.Tibs.wh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/wind32.exe Infected: Trojan-Downloader.Win32.Tibs.vz skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip/desktop.html Infected: not-virus:Hoax.Win32.Renos.cy skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip/BraveSentry0.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.f skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/autorun.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/svchost.exe Infected: Trojan-Downloader.Win32.Small.svi skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/autorun.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip/SpySheriff.exe Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff6.zip/heur000.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff6.zip/heur001.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff6.zip/heur002.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff6.zip/heur003.dll Infected: not-a-virus:FraudTool.Win32.SpySheriff.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff6.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde10.zip/syslook.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip/sys16.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde12.zip/synsv.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde12.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde13.zip/powersys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde13.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde14.zip/poweragent.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde14.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde15.zip/hostwin.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde15.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde17.zip/shift.exe.exe Infected: Email-Worm.Win32.Zhelatin.vg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde17.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip/mljgh.dll Infected: Trojan-Spy.Win32.Agent.hn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip/syssys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde55.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde55.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip/monpower.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde64.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde64.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde8.zip/avp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde82.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde82.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde85.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde85.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde99.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde99.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack10.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack11.zip/findfast.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack12.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack12.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack15.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack15.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack16.zip/findfast.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack16.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack17.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack17.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack18.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack19.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack19.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack2.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack20.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack20.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack21.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack21.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack22.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack22.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack23.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack23.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack24.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack24.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack26.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack26.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack27.zip/findfast.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack27.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack28.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack28.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack29.zip/xloader30029.exe Infected: Trojan.Win32.Qhost.abh skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack29.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack30.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack30.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack5.zip/spoolvs.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip/findfast.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip/printer.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack9.zip/shell.exe Infected: Trojan.Win32.Qhost.aes skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeCrack9.zip ZIP: infected - 1 skipped
EDITED FROM 50,689 CHARACTERS
Hi piratenews
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.
Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
piratenews
2008-03-30, 11:58
Thanks for the help. Let's try to clean it, if you're up to the challenge.
My credit is so far gone it won't do any good to steal my ID. Which is how I like it.
What's the next step?
Hi
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Don't use it yet.
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Post:
- a fresh HijackThis log
- combofix report
- sdfix report
piratenews
2008-03-31, 04:00
ComboFix recommends having an XP Boot Disk with Recovery Console, in case something goes wrong.
The only CD that came with my computer was to erase the harddrive and reinstall XP.
Microsoft only has downloads for Floppy Boot, not CD Boot.
My floppy drive has never worked, and my external floppy drive never worked.
Question: Do I need the XP Boot Recovery Console, and can I put the Floppy Boot on a CD and boot that way?
How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
For now, do not start ComboFix as there are a few more steps that need to be done first. We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. If you use Windows XP and have a Windows CD, then you can follow the instructions found in the tutorial listed below.
Windows XP Home Edition SP2 Setup Disks for Floppy Boot Install
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en
Windows XP Setup Boot Disks - 6x 1.4mb floppy
http://support.microsoft.com/kb/310994
Windows XP SP2 Setup Boot Disks
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en
Hi
In that case you can skip that step :)
Due to the lack of feedback this Topic is closed.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.