Malwarebytes' Anti-Malware 1.36
Database version: 2001
Windows 5.1.2600 Service Pack 3
19/04/2009 09:26:05
mbam-log-2009-04-19 (09-25-47).txt
Scan type: Full Scan (C:\|)
Objects scanned: 244321
Time elapsed: 39 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-----------------------------------------------------------------------------
Avira AntiVir Personal
Report file date: 18 April 2009 18:17
Scanning for 1284893 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Save mode
Username : Ben
Computer name : DBKQ562J
Version information:
BUILD.DAT : 9.0.0.386 17962 Bytes 3/11/2009 15:55:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 11:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 09:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 10:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 09:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 11:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 19:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 06:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 13:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 16:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/26/2009 19:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 10:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 17:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 12:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/26/2009 19:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 14:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/26/2009 19:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 12:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 13:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 13:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 13:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 09:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 13:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 09:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 06:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 09:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 14:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 07:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 09:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 10:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 14:55:12
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+JOKE,+PCK,+SPR,
Start of the scan: 18 April 2009 18:17
Initiating scan of system files:
Signed -> 'C:\WINDOWS\system32\svchost.exe'
Signed -> 'C:\WINDOWS\system32\winlogon.exe'
Signed -> 'C:\WINDOWS\explorer.exe'
Signed -> 'C:\WINDOWS\system32\smss.exe'
Signed -> 'C:\WINDOWS\system32\wininet.DLL'
Signed -> 'C:\WINDOWS\system32\wsock32.DLL'
Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'
Signed -> 'C:\WINDOWS\system32\services.exe'
Signed -> 'C:\WINDOWS\system32\lsass.exe'
Signed -> 'C:\WINDOWS\system32\csrss.exe'
Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINDOWS\system32\spoolsv.exe'
Signed -> 'C:\WINDOWS\system32\alg.exe'
Signed -> 'C:\WINDOWS\system32\wuauclt.exe'
Signed -> 'C:\WINDOWS\system32\advapi32.DLL'
Signed -> 'C:\WINDOWS\system32\user32.DLL'
Signed -> 'C:\WINDOWS\system32\gdi32.DLL'
Signed -> 'C:\WINDOWS\system32\kernel32.DLL'
Signed -> 'C:\WINDOWS\system32\ntdll.DLL'
Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'
Signed -> 'C:\WINDOWS\system32\ctfmon.exe'
The system files were scanned ('21' files)
Starting search for hidden objects.
The driver could not be initialized.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
12 processes with 12 modules were scanned
Starting master boot sector scan:
Start scanning boot sectors:
Starting to scan executable files (registry).
The registry was scanned ( '87' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeatr.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr10.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr11.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr12.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr15.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr20.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr26.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr33.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr4.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr6.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr7.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr8.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr9.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenosik.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
C:\Documents and Settings\Ben\Desktop\VirtumundoBeGone.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
C:\Documents and Settings\Ben\Desktop\My Stuff\Emulators\oldgames\tie\CRACK.COM
[DETECTION] Contains recognition pattern of the VGEN/1773.0 virus
C:\Documents and Settings\Ben\Desktop\My Stuff\Stuff\patches and upgrades\flv-to-video-converter.exe
[DETECTION] Contains recognition pattern of the PHISH/FraudTool.SpyNoMore.G.79 phishing file/email
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Beginning disinfection:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a531ac5.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a5c1ac1.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeatr.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4bdc5cda.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr10.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4a581ac1.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr11.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4bd95722.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr12.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4bda4f6a.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr15.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4bdb47b2.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr20.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e92359a.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr26.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e94242a.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr3.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e955c72.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr33.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e96540a.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr4.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e974d92.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr5.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e88451a.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr6.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e8972a2.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr7.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e8a6a2a.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr8.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e8b63b2.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgpr9.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e8c9bfa.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenosik.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4e8d93c2.qua'!
C:\Documents and Settings\Ben\Desktop\VirtumundoBeGone.exe
[DETECTION] Contains recognition pattern of the APPL/Processor application
[NOTE] The file was moved to '4a5c1ac2.qua'!
C:\Documents and Settings\Ben\Desktop\My Stuff\Emulators\oldgames\tie\CRACK.COM
[DETECTION] Contains recognition pattern of the VGEN/1773.0 virus
[NOTE] The file was moved to '4a2b1aab.qua'!
C:\Documents and Settings\Ben\Desktop\My Stuff\Stuff\patches and upgrades\flv-to-video-converter.exe
[DETECTION] Contains recognition pattern of the PHISH/FraudTool.SpyNoMore.G.79 phishing file/email
[NOTE] The file was moved to '4a601ac5.qua'!
End of the scan: 18 April 2009 19:22
Used time: 1:03:15 Hour(s)
The scan has been done completely.
11698 Scanned directories
515569 Files were scanned
3 Viruses and/or unwanted programs were found
18 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
21 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
515546 Files not concerned
5215 Archives were scanned
2 Warnings
22 Notes
(I am not sure if everything that was found should of been moved, like the stuff from Spybot. Was that a good idea?)
----------------------------------------------------------------------------------------------------------------
Rooter
Microsoft Windows XP Professional (5.1.2600) Service Pack 3
C:\ [Fixed] - NTFS - (Total:300355 Mo/Free:2801 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
G:\ [Removable] (Total:0 Mo/Free:0 Mo)
H:\ [Removable] (Total:0 Mo/Free:0 Mo)
I:\ [Removable] (Total:0 Mo/Free:0 Mo)
J:\ [Removable] (Total:0 Mo/Free:0 Mo)
18/04/2009|19:23
----------------------\\ Processes..
--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe
Any help would be greatly appreciated. Thanks.