Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Malware threats detected on my pc

Started by agua-marinha , Nov 09 2006 02:33 PM

  • This topic is locked This topic is locked

#1
agua-marinha
Posted 09 November 2006 - 02:33 PM

agua-marinha

    Member

  • Member
  • PipPip
  • 22 posts
I think my pc is infected with a back door torjan that allows the remote attacker to perform various malicious acctions.
Help me to clean my pc.

Thanks for your atantion

agua-marinha
  • 0

Advertisements

#2
agua-marinha
Posted 09 November 2006 - 02:36 PM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
There is my fresh hijackthis log taht i forget to post in my last post.


Logfile of HijackThis v1.99.1
Scan saved at 15:57:54, on 09-11-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\Programas\iVideoCodec\isamonitor.exe
C:\Programas\iVideoCodec\pmsngr.exe
C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\iVideoCodec\pmmon.exe
C:\program files\altnet\points manager\points manager.exe
C:\Programas\iVideoCodec\isamini.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\TBONBin\tbon.exe
C:\Programas\Realtek\Rtl8180\RtlWake.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~2\Altnet\DOWNLO~1\asm.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\vasco\Ambiente de trabalho\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Programas\iVideoCodec\isaddon.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Programas\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Programas\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SemanticInsight] C:\Programas\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [tbon] C:\Programas\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .pdf: C:\Programas\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.energy-factor.com
O15 - Trusted Zone: *.hardcorefantasyland.com
O15 - Trusted Zone: *.hardfootballbabes.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.ener...vex_2802_it.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programas\RXToolBar\sfcont.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
  • 0

#3
Crustyoldbloke
Posted 10 November 2006 - 05:22 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Bom Dia and welcome to Geeks To Go

Some malware has the ability to hide when interrogated by HijackThis; I believe this may be true in your case. Please right click on hijackthis.exe and rename it to crusty.exe

Now please rescan with the newly named file and post the log into this thread by using the ADD REPLY button on the bottom right of this post, and I'll have a fresh look.

From now on, you will have to use crusty.exe to produce a HJT log.

Obrigad
  • 0

#4
agua-marinha
Posted 10 November 2006 - 08:05 AM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I renamed the file
There is the fresh log

Logfile of HijackThis v1.99.1
Scan saved at 15:01:34, on 10-11-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\iVideoCodec\isamonitor.exe
C:\Programas\iVideoCodec\pmsngr.exe
C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Programas\iVideoCodec\pmmon.exe
C:\program files\altnet\points manager\points manager.exe
C:\Programas\iVideoCodec\isamini.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\TBONBin\tbon.exe
C:\Programas\Realtek\Rtl8180\RtlWake.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\PROGRA~2\Altnet\DOWNLO~1\asm.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\vasco\Ambiente de trabalho\crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Programas\iVideoCodec\isaddon.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Programas\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Programas\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SemanticInsight] C:\Programas\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [tbon] C:\Programas\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .pdf: C:\Programas\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.energy-factor.com
O15 - Trusted Zone: *.hardcorefantasyland.com
O15 - Trusted Zone: *.hardfootballbabes.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.ener...vex_2802_it.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programas\RXToolBar\sfcont.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe


Thanks for your help
agua-marinha
  • 0

#5
Crustyoldbloke
Posted 10 November 2006 - 10:18 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello agua-marinha and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have a Puper infection. Let’s see what we can do.

Please note that you have renamed HJT thus, crusty.exe.exe Please remove one .exe extension as AV scanners will see this as a virus.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

A. Please download the 30-day trial version of: AVG Anti Spyware
  • Please install, and update AVG Anti-Spyware/Ewido
  • Load AVGas/Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Close AVGas/Ewido. Do not run it yet.
B. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

C. Open the SmitfraudFix Folder, (right click and choose Extract All) then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

D. Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

E. Close ALL open Windows / Programmes / Folders.
  • In Safe Mode, load AVGas/Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas/Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
Close AVGas/Ewido and Reboot in Normal Mode.
______________________________

F. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

G. Please post:
  • c:\rapport.txt
  • AVGas/Ewido log
  • A new HijackThis log (from normal mode).
You may need more than one reply to post the requested logs, otherwise they might get cut off.
  • 0

#6
agua-marinha
Posted 15 November 2006 - 07:14 AM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hello Crustyoldbloke

Thanks for your help, i made all steps that you said, and there is the:


1-c:\rapport.txt

SmitFraudFix v2.120

Scan done at 11:30:05,07, 15-11-2006
Run from C:\unzipped\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [VersÆo 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



2- AvGas/Ewido log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:11:25 15-11-2006

+ Scan result:



C:\Programas\INSTAFINK -> Adware.404Search : Cleaned with backup (quarantined).
C:\Programas\INSTAFINK\instafink.dll -> Adware.404Search : Cleaned with backup (quarantined).
C:\Documents and Settings\vasco\Definições locais\Temp\ADMCache\adm21.tmp/asm.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\Documents and Settings\vasco\Definições locais\Temp\ADMCache\adm21.tmp/asmps.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\adm25.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\adm4.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\adm4005.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\admdloader.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\admfdi.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\admprog.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\altnetuninstall.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\asm.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Download Manager\asmps.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Points Manager\Points Manager.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\Atl.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\DMinfo3.cab -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\Setup.cab -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\Setup.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\adm.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\adm25.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\adm4.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\admdata.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\admdloader.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\admfdi.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\admprog.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\dmfiles.cab -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\dminstall7.cab -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\msvcirt.dll -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\mysearch.cab -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\pmexe.cab -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\pmfiles.cab -> Adware.Altnet : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\Altnet\pminstall.cab -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\ADM -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\ADM\ADMCache -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard\Setup -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\Dashboard\Temp Internet Shares -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\DownloadManager -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\LocalFiles -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Altnet\TopSearch -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM.ADM -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM.ADM.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM.ADM\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM.ADM\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SigningModule.SigningModule -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SigningModule.SigningModule.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SigningModule.SigningModule\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltnetDM -> Adware.Altnet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010490.exe -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010533.exe -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010552.exe -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010564.exe -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011564.exe -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011594.exe -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011620.exe -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\Programas\TBONBin -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Programas\TBONBin\TBONUnst.htm -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Programas\TBONBin\TBONWnd.EXE -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Programas\TBONBin\Uninstall.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Programas\TBONBin\tbon.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\Programas\TBONBin\tboninst.cfg -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\PROGRAM FILES\Altnet\Points Manager\sysdetect.dll -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\Bug Doctor Help.chm -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\BugDoctor.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\BugDoctorLiveUpdate.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\Get Bonuses.url -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin.ini -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\LiveUpdate_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\LiveUpdate_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\LiveUpdate_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\LiveUpdate_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\SubMainDisable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\SubMainNormal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\SubMainPressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\SubMainRollOver.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\bug.swf -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fix_complete-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fix_complete-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fix_complete-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fix_complete-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fixing_error-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fixing_error-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fixing_error-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\fixing_error-rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\main_disable.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\main_enable.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\main_pressed.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\main_roll_over.jpg -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\mask.bmp -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\mask1.bmp -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scan.swf -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scan_complete-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scan_complete-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scan_complete-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scan_complete-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scancomplete.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scanning_error-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scanning_error-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scanning_error-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\scanning_error-rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\schedule_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\schedule_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\schedule_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\schedule_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\skin.ini -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\support_disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\support_normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\support_pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\support_rollover.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\unlock_key-disable.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\unlock_key-normal.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\unlock_key-pressed.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\skin\unlock_key-roll_over.gif -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\unins000.dat -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\Programas\Bug Doctor\unins000.exe -> Adware.BugDoctor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_0_0_106800.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_0_0_107400.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_1_0_449200.gif -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_1_0_449600.gif -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_1_0_454300.gif -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_2_0_106800.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_2_0_107400.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_3_0_106800.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_3_0_107400.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_4_0_111600.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_4_0_152400.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_4_0_155300.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\AdCache\B_329_4_0_164100.htm -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1074 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4496 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4543 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1068 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_1074 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1068 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_1074 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1116 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1524 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1553 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_1641 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1801674531-1677128483-1957994488-1004\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Adware.Cydoor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking v126.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking\Cache -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking\Cache\Database -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-105.sig -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking\Cache\Database\file-10001-118.sig -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking\Cache\Database\index256.dbb -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking\MARSHAL.DLL -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\system32\P2P Networking\P2P Networking.eng -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer.1 -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CLSID -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CurVer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> Adware.PeerNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010485.dll -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010486.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010487.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010528.dll -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010529.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010530.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010547.dll -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010548.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010549.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010555.EXE -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010560.dll -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0010561.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011560.dll -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011561.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011589.dll -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011590.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011604.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011605.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011606.dll -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011607.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011608.exe -> Downloader.Zlob.aus : Cleaned with backup (quarantined).
C:\Documents and Settings\vasco\Application Data\errorsafebrazilnewreleaseinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UERSZ_9999_N91S2009NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1958412E-CC59-4266-82E4-6C8AF8BCD835}\RP49\A0011603.dll -> Not-A-Virus.Hoax.Win32.Renos.gb : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\vasco\Cookies\vasco@bfast[1].txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.29:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.25:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.26:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\vasco\Cookies\vasco@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\vasco\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.30:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.31:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.32:C:\Documents and Settings\VASCO SILVA\Application Data\Mozilla\Profiles\default\xg53wsrr.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\vasco\Definições locais\Temp\Ficheiros temporários da Internet\Content.IE5\NC7CEAW9\2236[1].htm -> Trojan.Agent.pk : Cleaned with backup (quarantined).


::Report end


3-New Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 13:41:43, on 15-11-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Realtek\Rtl8180\RtlWake.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\Documents and Settings\vasco\Ambiente de trabalho\crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [E-nrgyPlus] C:\Programas\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SemanticInsight] C:\Programas\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .pdf: C:\Programas\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.ener...vex_2802_it.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programas\RXToolBar\sfcont.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe


Thanks for your precious help
I´ll wait for more information

agua-marinha
:whistling:
  • 0

#7
Crustyoldbloke
Posted 15 November 2006 - 08:24 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
combofix.exe

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [E-nrgyPlus] C:\Programas\E-nrgyPlus\E-nrgyPlus.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Programas\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FC} - http://download.ener...vex_2802_it.exe
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programas\RXToolBar\sfcont.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Programas\E-nrgyPlus\
C:\Programas\RXToolBar\
c:\program files\altnet\

Close Windows Explorer and Reboot normally

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Programas\E-nrgyPlus\E-nrgyPlus.exe
C:\Programas\RXToolBar\Semantic Insight\SemanticInsight.exe
c:\program files\altnet\points manager\points manager.exe -s
C:\WINDOWS\System32\vbsys2.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Applications uncheck AVGas Anti-malware log then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back a fresh HijackThis log (from normal mode) and I will take another look.
  • 0

#8
agua-marinha
Posted 16 November 2006 - 09:09 AM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi Crustyoldbold

I maid all the steps that you said.
During the killbox operation i reciebed the " pendingfilerenameoperations as delected by external support" or something like that .

There is my combofix log

vasco - 06-11-16 15:52:00,75 Service Pack 1
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\vasco\Ambiente de trabalho"

((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-15 11:28 2,514 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-15 10:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-09 14:26 210,032 --a------ C:\WINDOWS\system32\DBCLIENT.DLL


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-16 15:40 -------- d-------- C:\Programas\CCleaner
2006-11-15 11:34 10 --a------ C:\WINDOWS\smdat32m.sys
2006-11-15 10:48 -------- d-------- C:\Programas\Grisoft
2006-11-09 15:26 -------- d-------- C:\Programas\MalwareWiper
2006-11-09 14:26 -------- d-------- C:\Programas\Ficheiros comuns\Borland Shared
2006-10-08 10:11 -------- d-------- C:\Programas\AntiVir PersonalEdition Classic
2006-10-08 09:19 157184 --a------ C:\WINDOWS\system32\2236_32.dll
2006-09-07 12:56 57384 --a------ C:\WINDOWS\system32\avsda.dll
2006-08-23 19:13 0 --a------ C:\WINDOWS\smdat32a.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Programas\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Adobe Photo Downloader"="\"C:\\Programas\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Share-to-Web Namespace Daemon"="C:\\Programas\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="C:\\Programas\\Java\\j2re1.4.2_11\\bin\\jusched.exe"
"WorksFUD"="C:\\Programas\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Programas\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Programas\\Microsoft Works\\WkDetect.exe"
"P2P Networking"="C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"TkBellExe"="\"C:\\Programas\\Ficheiros comuns\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"avgnt"="\"C:\\Programas\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-carregador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon da cache de categorias dos componentes"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-16 15:52:37.08
C:\ComboFix.txt ... 06-11-16 15:52


and the Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 15:53:39, on 16-11-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Realtek\Rtl8180\RtlWake.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\vasco\Ambiente de trabalho\crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_11\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_11\bin\npjpi142_11.dll
O12 - Plugin for .pdf: C:\Programas\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Thanks for your precious help
I`ll wait for more information

agua-marinha
:whistling:
  • 0

#9
Crustyoldbloke
Posted 16 November 2006 - 09:50 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Bom Dia

Obrigad for the logs, they are not looking too bad now. I am being warned that your system maybe infected by a rootkit, we will have to scan for that, we also need to close an exploit in Java, and ComboFix has revealed a bad file hidden away.

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\2236_32.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
How's the PC running now?
  • 0

#10
agua-marinha
Posted 24 November 2006 - 07:17 PM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi Crustyoldbloke

The pc get better, but i continue with a problem with the date and time sometimes i have to make them correct. sometimes the time and the date are in 2999 in oder month and in oder day.

There is the rootkiitrevealer.txt

HKLM\SECURITY\Policy\Secrets\SAC* 21-05-2006 20:29 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 21-05-2006 20:29 0 bytes Key name contains embedded nulls (*)


Thanks forr your help
I´ll wait for more information or good news!!
:whistling:
agua-marinha
  • 0

Advertisements

#11
Crustyoldbloke
Posted 24 November 2006 - 08:03 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

This looks like a rootkit to me, try this:

Please download: RustBfix ...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of those logs along with a new HijackThis log from normal mode.
  • 0

#12
agua-marinha
Posted 25 November 2006 - 05:04 AM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi Crusty, good morning

There is the rustbfix log

************************* Rustock.b-fix -- By ejvindh *************************
25-11-2006 12:01:02,27


No Rustock.b-rootkits found


******************************* End of Logfile ********************************




and the new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 12:01:20, on 25-11-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\msasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Java\jre1.5.0_09\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Realtek\Rtl8180\RtlWake.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\services.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Documents and Settings\vasco\Ambiente de trabalho\crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\vasco\DEFINI~1\Temp\epjp5766782.exe
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: qGhVAWkvm - {1C2719E2-B68D-B348-02B2-FF6457A98FC3} - C:\WINDOWS\System32\vbwxj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EKNJPMAQTOW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\vasco\DEFINI~1\Temp\EKNJPMAQTOW.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: QIJCOSABRYRTVJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\vasco\DEFINI~1\Temp\QIJCOSABRYRTVJ.exe

Thank for your attention
:whistling:
agua-marinha
  • 0

#13
Crustyoldbloke
Posted 25 November 2006 - 05:22 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Well your log has surprised me but it might be a good thing that suddenly the malware is visible. I am fairly certain that I have seen this pattern of infection before, within the past month.

Please delete your temporary files.

Click on START > RUN > type in cleanmgr and hit ENTER

You will see a window asking you to choose your harddrive (most likely C: Drive)

Click it and Windows will now scan the drive and show you the results

Make sure the following are checked:Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Compress Old Files (if you want more disk space)
Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder). A couple of files may be in memory and will not therefore delete, this is normal.

Go to Start > Run and type or copy & paste this into the Run box:

sc delete MsaSvc

Hit ENTER

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

QIJCOSABRYRTVJ

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

QIJCOSABRYRTVJ

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvilx.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\vasco\DEFINI~1\Temp\epjp5766782.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: qGhVAWkvm - {1C2719E2-B68D-B348-02B2-FF6457A98FC3} - C:\WINDOWS\System32\vbwxj.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: QIJCOSABRYRTVJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\vasco\DEFINI~1\Temp\QIJCOSABRYRTVJ.exe

Click on Fix Checked when finished and exit HijackThis.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\System32\msasvc.exe
C:\WINDOWS\system32\durvilx.dll
C:\DOCUME~1\vasco\DEFINI~1\Temp\epjp5766782.exe
c:\windows\system32\ldcore.dll
C:\WINDOWS\System32\vbwxj.dll
C:\DOCUME~1\vasco\DEFINI~1\Temp\QIJCOSABRYRTVJ.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back a fresh HijackThis log, from normal mode, and I will take another look.
  • 0

#14
agua-marinha
Posted 25 November 2006 - 01:08 PM

agua-marinha

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi Crustyoldbloke

During the killbox run i don´t recieved anz message.

There is my fresh hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 20:06:43, on 25-11-2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Java\jre1.5.0_09\bin\jusched.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Realtek\Rtl8180\RtlWake.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\services.exe
C:\Documents and Settings\vasco\Ambiente de trabalho\crusty.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programas\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\vasco\DEFINI~1\Temp\epjp5766782.exe
O4 - Global Startup: RtlWake.lnk = ?
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcente...trolLite_EN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: qGhVAWkvm - {1C2719E2-B68D-B348-02B2-FF6457A98FC3} - C:\WINDOWS\System32\vbwxj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programas\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programas\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EKNJPMAQTOW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\vasco\DEFINI~1\Temp\EKNJPMAQTOW.exe


Thank one more time for your precious help
:whistling:
agua-marinha
  • 0

#15
Crustyoldbloke
Posted 25 November 2006 - 01:32 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Well you appear to have a very tough infection there so this time I am going double all attempts to clear these Trojans, if this fails I will get very tough and force a deletion but I'd rather do that as a last option.

Go to Start > Run and type or copy & paste this into the Run box:

sc delete EKNJPMAQTOW

Hit ENTER

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

EKNJPMAQTOW

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

EKNJPMAQTOW

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\vasco\DEFINI~1\Temp\epjp5766782.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: qGhVAWkvm - {1C2719E2-B68D-B348-02B2-FF6457A98FC3} - C:\WINDOWS\System32\vbwxj.dll
O23 - Service: EKNJPMAQTOW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\vasco\DEFINI~1\Temp\EKNJPMAQTOW.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please set your system to show all files;
please see here if you're unsure how to do this.

Using Windows Explorer, locate the following files, and delete them:

C:\DOCUME~1\vasco\DEFINI~1\Temp\epjp5766782.exe
c:\windows\system32\ldcore.dll
C:\WINDOWS\System32\vbwxj.dll
C:\DOCUME~1\vasco\DEFINI~1\Temp\EKNJPMAQTOW.exe

Exit Explorer, and reboot as normal afterwards.

Is this folder legitimate: C:\DOCUME~1\vasco\DEFINI~1\ - (it will start DEFINI and then there will some more characters) If you judge it to be bad or contain more bad files delete it.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\DOCUME~1\vasco\DEFINI~1\Temp\epjp5766782.exe
c:\windows\system32\ldcore.dll
C:\WINDOWS\System32\vbwxj.dll
C:\DOCUME~1\vasco\DEFINI~1\Temp\EKNJPMAQTOW.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Finally, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder). A couple of files may be in memory and will not therefore delete, this is normal.

Reboot normally

Post back a fresh HijackThis log, from normal mode, and I will take another look.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP