A variant of Win32/Kryptik.JX trojan

#1 Spysnake (Advanced Member, Finland)

Posted 09 March 2009 - 02:49 PM

Hi!

This one definitely came as a surprise. It's been five years since the last time I got a virus. I basically just booted the computer up and NOD32 showed a detection of "A variant of Win32/Kryptik.JX trojan". It was found in two files in system memory; the processes themselves were in the Windows\system32 directory. I ran a manual scan and found more of the same trojan in the same folder and also in the \ServicePackFiles\i386 directory. After that, I rebooted and ran SFC /purgecache and SFC /scanonce, since an SFC window popped up after cleaning. After that, I ran CCleaner, deleted the system restore files (the trojan was there too) and ran a couple of scans:

- Manual NOD32 scan again
- BitDefender Online scan
- SUPERAntispyware
- Malwarebytes' Anti-Malware
- Rooter
- Comedian
- And finally, HijackThis.

Logs included, BitDefender as an attachment.

I just wonder, could this be a false alarm? I'm behind a firewall and everything seemed to be OK before the alarm. I have experience in safe computing, but this really came out of the blue.

I apologize for the "useless" entries in the BitDefender log, but I ticked the "show all" box during the scan and it now shows some of the clean files as well. MBAM is in Finnish, but it basically says that there are no infections.

==============================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:52, on 9.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Liven kirjautumisapuohjelma - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1185556642875
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8142 bytes

==============================================

Scan performed at: 9.3.2009 13:37:39
Scanning Log
NOD32 version 3920 (20090309) NT
Operating memory - is OK

Date: 9.3.2009  Time: 13:37:45
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Mika\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\Mika\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\00\200-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v200-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\01\10-{73289631-4DF4-FF6A-3093-956EB3486986}-v1-{A0BCBC - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\15\215-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v215-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\16\216-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v216-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\17\217-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v217-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\18\218-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v218-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\19\219-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v219-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\20\220-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v220-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\21\221-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v221-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\22\222-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v222-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\23\223-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v223-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\24\224-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v224-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\25\225-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v225-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\26\226-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v226-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\27\227-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v227-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\87\187-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v187-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\88\188-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v188-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\89\189-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v189-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\90\190-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v190-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\91\191-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v191-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\92\192-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v192-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\93\193-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v193-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\94\194-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v194-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\95\195-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v195-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\96\196-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v196-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\97\197-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v197-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\98\198-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v198-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\mammari_poika@hotmail.com\DFSR\Staging\CS{73289631-4DF4-FF6A-3093-956EB3486986}\99\199-{60ED85B2-8F84-4F34-91B3-3696F48CA4F6}-v199-{60E - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\nen_ascar@hotmail.com\DFSR\Staging\CS{F2365005-4154-13FD-1A06-F1DDB7A9AE4F}\01\5929-{F2365005-4154-13FD-1A06-F1DDB7A9AE4F}-v1-{A0BCBC88 - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Messenger\spysnakez@hotmail.com\SharingMetadata\paavilainen5@hotmail.com\DFSR\Staging\CS{78F365ED-C3A3-3BE5-6432-291D5A48A3C3}\01\4681-{78F365ED-C3A3-3BE5-6432-291D5A48A3C3}-v1-{A0BCB - error opening [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Mika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Mika\Omat tiedostot\Wanha kone\backups.zip »ZIP »backups/ajurit/94.24_forceware_winxp_international_whql.exe - incorrect CRC checksum, the file may be damaged
C:\Documents and Settings\Mika\Omat tiedostot\Wanha kone\backups.zip »ZIP »backups/ajurit/directx_apr2007_redist.exe - incorrect CRC checksum, the file may be damaged
C:\Documents and Settings\Mika\Omat tiedostot\Wanha kone\backups.zip »ZIP »backups/ajurit/PowerChutePersonalEdition.exe - incorrect CRC checksum, the file may be damaged
C:\Documents and Settings\Mika\Omat tiedostot\Wanha kone\backups\ajurit\amdcpusetup.exe »WISE »DPInst.exe - incorrect CRC checksum, the file may be damaged
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Pelit\EA GAMES\Battlefield 2\pylib-2.3.4.zip »ZIP »test/testtar.tar »TAR - archive damaged
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_AR.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_BUL.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_CAT.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_Chs.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_Cht.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_CZ.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_DA.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_ES.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_FI.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_GE.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_GR.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_HR.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_IT.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_JPN.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_KR.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_MK.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_NL.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_NO.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_PL.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_PT_BR.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_SK.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_SLV.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_SR.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_SV.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_TR.dll »UPX v12_m2_dll - unpack error
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_UA.dll »ASPack v2.12 »UPX v12_m2_dll - unpack error
C:\Program Files\Common Files\SupportSoft\bin\ssrc.dll »ZIP »META-INF/ - archive damaged
C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe »ZIP »META-INF/ - archive damaged
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img »GZ - archive damaged
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd.sys - error opening (File locked) [4]
Number of scanned files: 447989
Number of threats found: 0
Time of completion: 14:17:56 Total scanning time: 2411 sec (00:40:11)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.

==============================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/09/2009 at 03:45 PM

Application Version : 4.25.1012

Core Rules Database Version : 3788
Trace Rules Database Version: 1745

Scan type	   : Complete Scan
Total Scan Time : 00:38:20

Memory items scanned	  : 459
Memory threats detected   : 0
Registry items scanned	: 5909
Registry threats detected : 0
File items scanned		: 74370
File threats detected	 : 0

==============================================

Malwarebytes' Anti-Malware 1.34
Database version: 1828
Windows 5.1.2600 Service Pack 3

9.3.2009 16:11:04
mbam-log-2009-03-09 (16-11-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145013
Time elapsed: 24 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==============================================

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:476929 Mo/Free:535 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Mon 09.03.2009|16:22

----------------------\\  Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\Program Files\Eset\nod32kui.exe
---------- C:\WINDOWS\RTHDCPL.EXE
---------- C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\WINDOWS\system32\RUNDLL32.EXE
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Rainlendar2\Rainlendar2.exe
---------- C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
---------- C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
---------- C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
---------- C:\Program Files\Logitech\SetPoint\SetPoint.exe
---------- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
---------- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
---------- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
---------- C:\Program Files\Eset\nod32krn.exe
---------- C:\WINDOWS\system32\nvsvc32.exe
---------- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
---------- C:\WINDOWS\system32\IoctlSvc.exe
---------- C:\WINDOWS\system32\PnkBstrA.exe
---------- C:\Program Files\Sandboxie\SbieSvc.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\WINDOWS\system32\wbem\wmiapsrv.exe
---------- C:\WINDOWS\system32\wbem\wmiprvse.exe
---------- C:\Documents and Settings\Mika\Työpöytä\Rooter.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\  Search..

----------------------\\  ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Mon 09.03.2009|16:22

----------------------\\  Scan completed at 16:22

==============================================

Sincerely,
Spysnake
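The HijackThis log above can be triaged mechanically before anyone reads it line by line. The following is an added example, not part of the original post and not HijackThis code: it parses O2/O4/O23 lines copied from the log above and flags the entries a reviewer looks at first: Run entries that launch a bare file name (resolved through the search path, so the log alone does not tell you which file actually runs), BHO entries with no DLL behind them, and services whose binary carries no company name. The flagging rules are this example's own assumptions. On this machine the entries it flags (ALCMTR.EXE, KHALMNPR.EXE, nwiz.exe, the orphaned BHO, PnkBstrA) correspond to known Realtek, Logitech, NVIDIA and PunkBuster components, so the output is a worklist, not a verdict.

```python
"""Triage heuristics for HijackThis 2.0.x log lines.

Added example; not part of the original post and not code from HijackThis.
The sample lines are copied from the log posted above. Which entries get
flagged is this example's own assumption about what a reviewer reads first.
"""
import re

# Constructed sample: a subset of the O2 / O4 / O23 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def split_command(cmd):
    """Split a Run value into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def launched_file(cmd):
    """The file whose code actually runs: for rundll32 that is the DLL, not the host."""
    exe, args = split_command(cmd)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        return args.split(",", 1)[0].strip().strip('"')
    return exe


def is_bare_name(path):
    """True when the log shows only a file name; the real file is whatever the
    search path (system32, the Windows directory, PATH, ...) resolves first."""
    return "\\" not in path and ":" not in path


def triage(log_text):
    """Return [(line, reason)] for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = launched_file(m.group("cmd"))
            if is_bare_name(target):
                findings.append((line, "bare name %s: actual file not identifiable from the log" % target))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            findings.append((line, "orphaned BHO {%s}: registry entry with no DLL behind it" % m.group("clsid")))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip() == "Unknown owner":
            findings.append((line, "service %s has no company name in its version info" % m.group("name")))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("%s\n    -> %s" % (entry, reason))
```

Run it against a full log by reading the file into `triage()`; each flagged Run entry then gets resolved by hand (which directory the bare name actually lives in, and whether that file is signed), which is the step a bare file name in the log cannot answer on its own.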


#2 Spysnake (Advanced Member, Finland)

Posted 09 March 2009 - 06:33 PM

Ah, problem solved. Eset states that this is a false positive, and the advanced heuristics have been updated to solve the issue.

You can lock the topic now.
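The false-positive outcome fits a detail in the first post: NOD32 hit the same detection on files in system32 and on their copies under ServicePackFiles\i386, which is where the service pack installer leaves the files as shipped. A quick offline check for that situation is to hash the flagged system32 file against the reference copies Windows XP itself keeps. The following is an added example, not code from the post, from ESET or from Microsoft; the directory tree it uses is constructed in a temp directory so it runs anywhere, and the verdict labels are this example's own. Note the caveat built into it: SFC /purgecache (which the poster ran) empties dllcache before refilling it, and post-SP hotfixes update dllcache but not ServicePackFiles\i386, so a mismatch against the i386 copy alone is not evidence of tampering. A match only shows the file equals what Windows installed; the authoritative check for a suspected system file remains its Authenticode/catalog signature (for example with Sysinternals sigcheck).

```python
r"""Check a flagged %SystemRoot%\system32 file against Windows XP's own
reference copies.

Added example; not from the original post and not ESET's or Microsoft's code.
On XP, Windows File Protection keeps a copy of every protected file in
system32\dllcache, and the service pack installer leaves another under
ServicePackFiles\i386. A file that hashes identically to the copy WFP would
restore is the file Windows installed, which is consistent with a heuristic
false positive. The tree below is constructed in a temp dir so the script
runs anywhere; pass a real C:\WINDOWS as `windir` to use it for real.
"""
import hashlib
import os
import tempfile

DLLCACHE = os.path.join("system32", "dllcache")      # Windows File Protection cache
SPFILES = os.path.join("ServicePackFiles", "i386")   # files as installed by the service pack


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_reference_copies(windir, filename):
    """Return {DLLCACHE: verdict, SPFILES: verdict}; verdict is match/mismatch/missing."""
    target_hash = sha256_of(os.path.join(windir, "system32", filename))
    verdicts = {}
    for sub in (DLLCACHE, SPFILES):
        ref = os.path.join(windir, sub, filename)
        if not os.path.isfile(ref):
            verdicts[sub] = "missing"
        elif sha256_of(ref) == target_hash:
            verdicts[sub] = "match"
        else:
            verdicts[sub] = "mismatch"
    return verdicts


def classify(verdicts):
    """Collapse the per-copy verdicts into one triage label.

    The dllcache copy wins: it is what WFP restores and it is updated by
    hotfixes, whereas ServicePackFiles\\i386 stays at the service-pack build,
    so a mismatch against i386 alone is normal for a hotfixed file.
    """
    cache, sp = verdicts[DLLCACHE], verdicts[SPFILES]
    if cache == "match":
        return "IDENTICAL-TO-WFP-CACHE"
    if cache == "mismatch":
        return "DIFFERS-FROM-WFP-CACHE"   # something replaced the file, or WFP was bypassed
    # dllcache copy absent (e.g. right after SFC /purgecache): fall back to the SP copy
    if sp == "match":
        return "IDENTICAL-TO-SP-COPY"
    if sp == "mismatch":
        return "DIFFERS-FROM-SP-COPY"     # hotfixed file or tampering: verify the signature
    return "NO-REFERENCE-COPY"            # not a protected file; needs a different check


def build_constructed_windir():
    """Constructed sample tree standing in for C:\\WINDOWS (no real system files)."""
    windir = tempfile.mkdtemp(prefix="fake-windows-")
    for sub in ("system32", DLLCACHE, SPFILES):
        os.makedirs(os.path.join(windir, sub), exist_ok=True)
    stock = b"MZ stock service-pack build (constructed sample)"
    hotfix = b"MZ post-SP hotfix build (constructed sample)"
    layout = {
        # name: (system32 copy, dllcache copy, ServicePackFiles\i386 copy); None = absent
        "stock.dll":      (stock, stock, stock),
        "hotfixed.dll":   (hotfix, hotfix, stock),
        "tampered.dll":   (stock + b"\x90\x90", stock, stock),
        "purged.dll":     (stock, None, stock),
        "thirdparty.exe": (b"not a WFP-protected file", None, None),
    }
    for name, copies in layout.items():
        for sub, data in zip(("system32", DLLCACHE, SPFILES), copies):
            if data is not None:
                with open(os.path.join(windir, sub, name), "wb") as handle:
                    handle.write(data)
    return windir


if __name__ == "__main__":
    windir = build_constructed_windir()
    for name in ("stock.dll", "hotfixed.dll", "tampered.dll", "purged.dll", "thirdparty.exe"):
        verdicts = compare_with_reference_copies(windir, name)
        print("%-15s %-24s %s" % (name, classify(verdicts), verdicts))
```

The sample tree covers the four situations a responder actually meets: an untouched file, a hotfixed file (dllcache agrees, i386 does not), a file modified in place, and a file whose dllcache copy is gone. For third-party services living in system32, such as PnkBstrA.exe in the log above, there is no reference copy at all, and the script says so rather than guessing.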