Trojan problem!

Problem

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
This file has something named Index.dat. It says it can't be deleted because someone else is using it.
For C:\Documents and Settings\Timothy\Local Settings\Temp\
Delete every single file in it? Because there is a LOT
 
Hi

"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
This file has something named Index.dat. It says it can't be deleted because someone else is using it."

That's ok, just skip it.

"For C:\Documents and Settings\Timothy\Local Settings\Temp\
Delete every single file in it? Because there is a LOT"

Yes :)
 
Another problem

I tried to clean out the recycle bin but this message appears:
Cannot delete file: Cannot read from the source file or disk
 
Online scan

Friday, August 31, 2007 3:16:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/08/2007
Kaspersky Anti-Virus database records: 401518
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 116333
Number of viruses found 8
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 02:11:01

Infected Object Name Virus Name Last Action
C:\binboot.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\Albert\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Albert\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Albert\Local Settings\Application Data\AOL OCP\AIM\Storage\data\da2006fong\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Albert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Albert\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Albert\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Albert\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Albert\ntuser.dat Object is locked skipped
C:\Documents and Settings\Albert\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\WinTouch\WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\LocalService\Application Data\WinTouch\WTUninstaller.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
 
Scan con

C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 1 for pokemon pearl rom_fastest_BitTorrent_downloader.zip\BitDownload-3.0-setup.exe/file12 Infected: Trojan.Win32.Inject.ba skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 1 for pokemon pearl rom_fastest_BitTorrent_downloader.zip\BitDownload-3.0-setup.exe Inno: infected - 1 skipped
C:\Documents and Settings\Matthew\My Documents\picture006-dyedhair.jpg-www.facebook.com Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\Matthew\Shared\cute is what we aim for- curse of the curves (full).mp3 Object is locked skipped
C:\Documents and Settings\Matthew\Shared\Elliott Yamin - Wait For You.mp3 Object is locked skipped
C:\Documents and Settings\Matthew\Shared\Kelly Clarkson - Breakaway.mp3 Object is locked skipped
C:\Documents and Settings\Matthew\Shared\Neyo - Because Of You.mp3 Object is locked skipped
C:\Documents and Settings\Matthew\Shared\Plain White T's - Hey There Delilah.mp3 Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-598908736-2064602688-1726924881-1009\Dc1.exe Infected: not-a-virus:FraudTool.Win32.SpySheriff.f skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\0001000B.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005208.exe/data0006 Infected: not-a-virus:FraudTool.Win32.SpyLocked.a skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005208.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005234.exe/file12 Infected: Trojan.Win32.Inject.ba skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005234.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005730.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005731.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005734.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005735.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005736.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005737.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005738.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005739.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005740.exe Infected: Trojan.Win32.Obfuscated.gy skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005742.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005743.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DD468FF9-D559-42CB-B0C7-F7A52F76A057}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
 
Hi

Delete these:

C:\binboot.exe
C:\Documents and Settings\LocalService\Application Data\WinTouch\
C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 1 for pokemon pearl rom_fastest_BitTorrent_downloader.zip
C:\Documents and Settings\Matthew\My Documents\picture006-dyedhair.jpg-www.facebook.com

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
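
The "Delete these" list above comes from separating the real detections in the Kaspersky report from the many "Object is locked" entries. As an added example (not from the thread, and not Kaspersky's own tooling), the Python below does that triage; the line format is inferred from the report posted in this thread, and the bucket names `live`, `recycle_bin` and `system_restore` are made up for illustration.

```python
import re
from collections import defaultdict

# A few lines copied from the Kaspersky report posted in the thread (not the full log).
SAMPLE = r"""
C:\binboot.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\Albert\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\WinTouch\WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 1 for pokemon pearl rom_fastest_BitTorrent_downloader.zip\BitDownload-3.0-setup.exe/file12 Infected: Trojan.Win32.Inject.ba skipped
C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 1 for pokemon pearl rom_fastest_BitTorrent_downloader.zip\BitDownload-3.0-setup.exe Inno: infected - 1 skipped
C:\RECYCLER\S-1-5-21-598908736-2064602688-1726924881-1009\Dc1.exe Infected: not-a-virus:FraudTool.Win32.SpySheriff.f skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP19\A0005730.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Assumed line shape, inferred from that report: <path> <status> [<last action>].
# Paths contain spaces, so the status text is what anchors the split.
LINE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<packer>\w+): infected - \d+)(?: (?P<action>\w+))?$"
)

def location(path):
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"   # copy kept inside a System Restore point
    if "\\recycler\\" in p:
        return "recycle_bin"      # already deleted, still on disk
    return "live"

def triage(report):
    """Return ({location: {file: {detection names}}}, locked_count)."""
    found = defaultdict(lambda: defaultdict(set))
    locked = 0
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # header, blank or unrecognised line
        if m["locked"]:
            locked += 1           # file held open by Windows; not a detection
            continue
        # "setup.exe/file12" is an object inside setup.exe: report the container.
        container = m["path"].split("/", 1)[0]
        names = found[location(container)][container]
        if m["name"]:
            names.add(m["name"])
    return found, locked
```
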
 
2 Problems

Can't find C:\binboot.exe
BUT spybot found a virus in there and I stopped the process of Virtumonde.
The second problem is
C:\Documents and Settings\Matthew\My Documents\picture006-dyedhair.jpg-www.facebook.com
This one wants me to run a program instead of opening a folder
 
Hi

"BUT spybot found a virus in there and I stopped the process of Virtumonde."

Please also post the Spybot report then

Please download the Killbox.
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\binboot.exe
C:\Documents and Settings\Matthew\My Documents\picture006-dyedhair.jpg-www.facebook.com

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
- spybot report
 
How do I get a spybot report?
And a clipboard is also a notepad right?
Finally C:\Documents and Settings\Matthew\My Documents\picture006-dyedhair.jpg-www.facebook.com
I deleted it because the first time I copied and pasted but then I went to the documents and found it.
 
Hi

"How do I get a spybot report?"

* Open SpyBot.
* Check for problems.
* When finished, right click and choose copy results (not the full report) to clipboard and post that into topic.

"And a clipboard is also a notepad right?"

No. See here

Clipboard is a place into which you can copy information.

Like said here:

"Copy the file names below to the clipboard by highlighting them and pressing Control-C:"
 
spybot report

AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


CoreMetrics: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-04-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-22 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-22 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-22 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-22 Includes\KeyloggersC.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-22 Includes\MalwareC.sbi (*)
2007-08-22 Includes\PUPS.sbi (*)
2007-08-22 Includes\PUPSC.sbi (*)
2007-08-22 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-22 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-22 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-08-01 Includes\Trojans.sbi (*)
2007-08-22 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



In residents I found this:
9/1/2007 9:47:32 AM Encountered and terminated Virtumonde in C:\binboot.exe!
Plus I'll wait for your directions until I use Killbox and kaspersky scan
 
Hi

Spybot report is ok, just tracking cookies.

"Really having a problem getting the file to clipboard.
Can i just manually type it in?"

You can delete it in safe mode if you like.

Please move after that to kaspersky scan.
 
Hi again, I tried going to safe mode but I still couldn't find binboot.exe :sad:
So I'm going ahead to the scan if that's not a problem
 