
PC infected with TR/Crypt.XPACK.Gen (kavo.exe). Please Help! [RESO



#1 agodoido (New Member, 5 posts)
Hi!


My PC is infected with Trojan Horse TR/Crypt.XPACK.Gen, which is executing kavo.exe. I am not sure if it is the only infection on my computer. I already tried to remove it with Avira antivirus, but I couldn't get rid of it. Also, I can't reboot my computer in safe mode, and I am experiencing some problems exploring the hard drives in Windows Explorer. It is really annoying... Since each computer is different, I decided to open my own topic (hope I did the right thing). I need some help from you, please!!!

I am posting the (1) HijackThis logfile and (2) Avira scan report.

I appreciate your help.


1) HijackThis logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45:17, on 13/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.EXE
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Arquivos de programas\Velox\Manager\desp2k.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Creative\MediaSource\Detector\CTDetect.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\cli.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\cli.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [desp2k] C:\Arquivos de programas\Velox\Manager\desp2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Arquivos de programas\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Arquivos de programas\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99058AC7-06E4-4B8C-AA84-5889BA8ACEB8}: NameServer = 200.165.132.147 200.165.132.155
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9412 bytes


2) Avira scan report

Avira AntiVir Personal
Report file date: terça-feira, 13 de maio de 2008 20:25

Scanning for 1165085 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: DUOCORE

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 9/4/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18/3/2008 14:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 7/2/2008 13:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28/2/2008 13:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21/2/2008 13:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/7/2007 15:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 7/3/2008 18:08:58
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 21/3/2008 00:12:34
ANTIVIR3.VDF : 7.0.3.68 57856 Bytes 25/3/2008 13:27:50
Engineversion : 8.1.0.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 25/2/2008 14:58:21
AESCRIPT.DLL : 8.1.0.19 229754 Bytes 7/4/2008 20:34:44
AESCN.DLL : 8.1.0.12 115060 Bytes 7/4/2008 20:34:44
AERDL.DLL : 8.1.0.19 418164 Bytes 7/4/2008 20:34:44
AEPACK.DLL : 8.1.1.0 364918 Bytes 18/3/2008 16:20:42
AEOFFICE.DLL : 8.1.0.15 192889 Bytes 7/4/2008 20:34:44
AEHEUR.DLL : 8.1.0.15 1147253 Bytes 7/4/2008 20:34:44
AEHELP.DLL : 8.1.0.11 115061 Bytes 7/4/2008 20:34:43
AEGEN.DLL : 8.1.0.15 299379 Bytes 7/4/2008 20:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 7/4/2008 20:34:43
AECORE.DLL : 8.1.0.25 168309 Bytes 8/4/2008 14:58:32
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23/1/2008 22:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18/2/2008 15:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 16/4/2007 18:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 23/1/2008 22:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/2/2008 13:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28/2/2008 13:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/1/2008 22:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23/1/2008 22:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25/1/2008 17:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10/3/2008 19:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 6/3/2008 17:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\arquivos de programas\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: terça-feira, 13 de maio de 2008 20:25

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'acrobat_sl.exe' - '1' Module(s) have been scanned
Scan process 'CTDetect.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'LaunchApplication.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'desp2k.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
49 processes with 49 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '34' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP176\A0017691.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP176\A0017693.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP176\A0017710.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP176\A0017712.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017716.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017732.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017734.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017749.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017751.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017765.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017781.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017783.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017792.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017794.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017806.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017808.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP179\A0017810.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP179\A0017822.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP179\A0017824.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP180\A0017845.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP181\A0018196.bat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP181\A0018198.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\kavo0.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!


End of the scan: terça-feira, 13 de maio de 2008 21:18
Used time: 52:51 min

The scan has been done completely.

6434 Scanning directories
227394 Files were scanned
23 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
23 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
227371 Files not concerned
1033 Archives were scanned
1 Warnings
23 Notes

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\kavo.exe

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click 'Opera' at the top and choose 'Select All'.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.


1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe and save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
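The checklist in the reply above, as an added example that is not part of the thread, of HijackThis or of any tool named here: a small Python parser for the O4 autostart lines of a HijackThis log. It takes the two entries greyknight17 asked to have fixed and reports whether each is still present in a (re-scanned) log and which program file then has to be deleted separately, because 'Fix Checked' removes only the registry value or shortcut, never the file it points to. The log excerpt is constructed from lines of the HijackThis log posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: a handful of O4 lines copied from the HijackThis log posted above.
HIJACKTHIS_O4_EXCERPT = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [ATICCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
"""

# The two entries greyknight17 asked to have fixed, exactly as written in the reply.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE",
    r"O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe",
]

# Registry autostarts: "O4 - <hive>\..\<Run key>: [<value name>] <command> (User '<name>')?"
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder shortcuts: "O4 - [Global ]Startup: <name>.lnk = <target or ?>"
O4_STARTUP = re.compile(r"^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Leading program image of an unquoted command; paths may contain spaces, so cut at the
# first executable-looking extension that is followed by whitespace or end of line.
IMAGE = re.compile(r"^(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.IGNORECASE)


@dataclass
class O4Entry:
    raw: str             # normalised log line, used to match the helper's fix list
    location: str        # e.g. r"HKCU\..\Run" or "Global Startup"
    name: str            # registry value name or shortcut name
    command: str         # command line exactly as HijackThis logged it
    user: Optional[str]  # account for HKUS\<SID> entries, else None

    @property
    def image(self) -> Optional[str]:
        """Program file this entry launches, or None when HijackThis logged '?'."""
        cmd = self.command.strip()
        if cmd == "?":
            return None
        if cmd.startswith('"'):          # quoted path; arguments follow the closing quote
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        m = IMAGE.match(cmd)
        return m.group("path") if m else cmd

    @property
    def location_known(self) -> bool:
        """False for bare names such as ALCMTR.EXE, which have to be searched for on disk."""
        img = self.image
        return img is not None and ("\\" in img or ":" in img)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis line; returns None for anything that is not an O4 entry."""
    line = " ".join(line.split())        # collapse copy/paste whitespace
    m = O4_REGISTRY.match(line)
    if m:
        return O4Entry(line, f"{m['hive']}\\..\\{m['key']}", m["name"], m["cmd"], m["user"])
    m = O4_STARTUP.match(line)
    if m:
        return O4Entry(line, m["folder"], m["name"], m["cmd"], None)
    return None


def parse_log(log: str) -> List[O4Entry]:
    return [e for e in (parse_o4(l) for l in log.splitlines()) if e is not None]


def fix_plan(log: str, fix_lines: List[str]) -> List[dict]:
    """For each line in the helper's fix list, say whether it is still in the (re-scanned)
    log and which program file must be deleted separately: 'Fix Checked' removes only the
    registry value or shortcut, never the file it points to."""
    present = {e.raw: e for e in parse_log(log)}
    plan = []
    for raw in fix_lines:
        raw = " ".join(raw.split())
        entry = present.get(raw) or parse_o4(raw)
        plan.append({
            "entry": raw,
            "still_present": raw in present,
            "file": entry.image if entry else None,
            "location_known": entry.location_known if entry else False,
        })
    return plan


if __name__ == "__main__":
    for step in fix_plan(HIJACKTHIS_O4_EXCERPT, FIX_LIST):
        todo = "Fix Checked" if step["still_present"] else "already gone"
        where = step["file"] if step["location_known"] else f"search for {step['file']}"
        print(f"{step['entry']}\n    -> {todo}; then delete: {where}")
```

Run it on the log saved after the fix to confirm both entries are gone; the "search for" hint covers entries logged without a path, which is why the reply says to search for files when no location is given.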


#3 agodoido (Topic Starter, New Member, 5 posts)
Thank you for spending time helping me!

I followed your instructions; however, I would like to report a few things that happened during the procedures (I hope I did the right thing):

a) I deleted the entries you mentioned with HijackThis; however, I didn't find the file/folder C:\WINDOWS\system32\kavo.exe even after I searched for it (including hidden documents).

b) It seems that an incompatibility between Panda ActiveScan and Avira occurred, so I had to disable the antivirus in order to perform the scan.

c) After the computer restarted during the ComboFix scan, an error message "desp2k.exe" popped up. I disabled the antivirus again and ComboFix continued the scan and the generation of the report file.

d) Good news :) : Now I can explore my hard drives with Windows Explorer again!

Now, the reports of the procedures I did:

1) Panda ActiveScan

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-14 00:49:51
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Avira AntiVir PersonalEdition 8.0.1.15 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\autorun.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP176\A0017694.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP176\A0017713.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017717.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017735.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP177\A0017752.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017766.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017784.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017795.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP178\A0017809.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP179\A0017811.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP179\A0017825.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP180\A0017846.inf
02938277 W32/Lineage.IER.worm Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP181\A0018197.inf
02947105 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{826E3890-CFBE-40A9-A2CC-87B680C47E8D}\RP181\A0018209.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location C

;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description C

;===================================================================================================================================================================================
184380 MEDIUM MS08-002 C
184379 MEDIUM MS08-001 C
182048 HIGH MS07-069 C
182046 HIGH MS07-067 C
182043 HIGH MS07-064 C
179553 HIGH MS07-061 C
176382 HIGH MS07-057 C
176383 HIGH MS07-058 C
170911 HIGH MS07-050 C
170907 HIGH MS07-046 C
170906 HIGH MS07-045 C
170904 HIGH MS07-043 C
164915 HIGH MS07-035 C
164913 HIGH MS07-033 C
164911 HIGH MS07-031 C
160623 HIGH MS07-027 C
157262 HIGH MS07-022 C
157261 HIGH MS07-021 C
157260 HIGH MS07-020 C
157259 HIGH MS07-019 C
156477 HIGH MS07-017 C
150253 HIGH MS07-016 C
150249 HIGH MS07-013 C
150248 HIGH MS07-012 C
150247 HIGH MS07-011 C
150243 HIGH MS07-008 C
150242 HIGH MS07-007 C
150241 MEDIUM MS07-006 C
145501 HIGH MS07-004 C
141034 HIGH MS06-076 C
141033 MEDIUM MS06-075 C
137571 HIGH MS06-070 C
133387 MEDIUM MS06-065 C
133386 MEDIUM MS06-064 C
133385 MEDIUM MS06-063 C
133379 HIGH MS06-057 C
129977 MEDIUM MS06-053 C
129976 MEDIUM MS06-052 C
126093 HIGH MS06-051 C
126092 MEDIUM MS06-050 C
126087 HIGH MS06-046 C
126086 MEDIUM MS06-045 C
126082 HIGH MS06-041 C
126081 HIGH MS06-040 C
123421 HIGH MS06-036 C
123420 HIGH MS06-035 C
120825 MEDIUM MS06-032 C
120823 MEDIUM MS06-030 C
120818 HIGH MS06-025 C
120815 HIGH MS06-022 C
117384 MEDIUM MS06-018 C
114666 HIGH MS06-015 C
;===================================================================================================================================================================================

2) ComboFix

ComboFix 08-05-12.1 - Andre 2008-05-14 0:55:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.646 [GMT -3:00]
Executando de: C:\Documents and Settings\Andre\Desktop\ComboFix.exe
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Andre\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\AFCR8P6J\www.broadcaster.com
C:\Documents and Settings\Andre\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Andre\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((( Ficheiros criados de 2008-04-14 to 2008-05-14 ))))))))))))))))))))))))))))))))
.

2008-05-14 00:59 . 2008-05-14 00:59 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-14 00:59 . 2008-05-14 00:59 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage
2008-05-13 23:41 . 2008-05-13 23:43 <DIR> d-------- C:\Arquivos de programas\Panda Security
2008-05-13 21:44 . 2008-05-13 21:44 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-05-13 20:16 . 2008-05-13 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avira
2008-05-13 20:16 . 2008-05-13 20:16 <DIR> d-------- C:\Arquivos de programas\Avira
2008-05-09 22:25 . 2008-05-13 21:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 22:25 . 2008-05-09 22:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 00:06 . 2008-04-17 00:06 <DIR> d-------- C:\Documents and Settings\Andre\Dados de aplicativos\Nokia Multimedia Player

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 23:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Symantec
2008-05-13 23:14 --------- d-----w C:\Arquivos de programas\Symantec AntiVirus
2008-05-13 23:14 --------- d-----w C:\Arquivos de programas\Symantec
2008-05-13 23:14 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2008-05-13 23:12 --------- d-----w C:\Documents and Settings\Andre\Dados de aplicativos\Skype
2008-05-13 23:12 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Skype
2008-05-13 23:12 --------- d-----w C:\Arquivos de programas\Skype
2008-05-10 23:08 --------- d-----w C:\Documents and Settings\Andre\Dados de aplicativos\uTorrent
2008-04-29 23:24 --------- d-----w C:\Documents and Settings\Andre\Dados de aplicativos\SecondLife
2008-04-21 15:59 --------- d-----w C:\Arquivos de programas\Apple Software Update
2008-04-09 00:26 --------- d-----w C:\Arquivos de programas\SecondLife
2008-03-17 23:24 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-17 23:24 --------- d--h--r C:\Documents and Settings\Andre\Dados de aplicativos\SecuROM
2008-03-17 23:11 --------- d-----w C:\Arquivos de programas\EA SPORTS
.

------- Sigcheck -------

2006-04-17 23:05 360448 9c515b8621d34478dfaa89b6b5434a54 C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Can you post the log from C:\ComboFix.txt again? It seems to be cut off at the bottom there. Preview it before you post in your next reply to make sure the whole file is copied over.

#5
agodoido

    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi!

Here is the ComboFix log again!

Thanks!

ComboFix 08-05-12.1 - Andre 2008-05-14 0:55:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.646 [GMT -3:00]
Executando de: C:\Documents and Settings\Andre\Desktop\ComboFix.exe
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\Documents and Settings\Andre\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\AFCR8P6J\www.broadcaster.com
C:\Documents and Settings\Andre\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Andre\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((( Ficheiros criados de 2008-04-14 to 2008-05-14 ))))))))))))))))))))))))))))))))
.

2008-05-14 00:59 . 2008-05-14 00:59 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-05-14 00:59 . 2008-05-14 00:59 <DIR> d-------- C:\Arquivos de programas\microsoft frontpage
2008-05-13 23:41 . 2008-05-13 23:43 <DIR> d-------- C:\Arquivos de programas\Panda Security
2008-05-13 21:44 . 2008-05-13 21:44 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-05-13 20:16 . 2008-05-13 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avira
2008-05-13 20:16 . 2008-05-13 20:16 <DIR> d-------- C:\Arquivos de programas\Avira
2008-05-09 22:25 . 2008-05-13 21:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-09 22:25 . 2008-05-09 22:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-17 00:06 . 2008-04-17 00:06 <DIR> d-------- C:\Documents and Settings\Andre\Dados de aplicativos\Nokia Multimedia Player

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 23:14 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Symantec
2008-05-13 23:14 --------- d-----w C:\Arquivos de programas\Symantec AntiVirus
2008-05-13 23:14 --------- d-----w C:\Arquivos de programas\Symantec
2008-05-13 23:14 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2008-05-13 23:12 --------- d-----w C:\Documents and Settings\Andre\Dados de aplicativos\Skype
2008-05-13 23:12 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Skype
2008-05-13 23:12 --------- d-----w C:\Arquivos de programas\Skype
2008-05-10 23:08 --------- d-----w C:\Documents and Settings\Andre\Dados de aplicativos\uTorrent
2008-04-29 23:24 --------- d-----w C:\Documents and Settings\Andre\Dados de aplicativos\SecondLife
2008-04-21 15:59 --------- d-----w C:\Arquivos de programas\Apple Software Update
2008-04-09 00:26 --------- d-----w C:\Arquivos de programas\SecondLife
2008-03-17 23:24 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-17 23:24 --------- d--h--r C:\Documents and Settings\Andre\Dados de aplicativos\SecuROM
2008-03-17 23:11 --------- d-----w C:\Arquivos de programas\EA SPORTS
.

------- Sigcheck -------

2006-04-17 23:05 360448 9c515b8621d34478dfaa89b6b5434a54 C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:45 15360]
"WMPNSCFG"="C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe" [2006-11-02 23:32 204288]
"BitTorrent"="C:\Arquivos de programas\BitTorrent\bittorrent.exe" [ ]
"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 00:56 1694208]
"Creative Detector"="C:\Arquivos de programas\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 03:00 16050176 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 07:04 2879488 C:\WINDOWS\SkyTel.exe]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-08-13 23:51 352256]
"ATICCC"="C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12 90112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"Acrobat Assistant 7.0"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"desp2k"="C:\Arquivos de programas\Velox\Manager\desp2k.exe" [2006-08-03 16:05 65536]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2007-04-05 14:45 35328]
"TkBellExe"="C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2007-07-27 23:12 180269]
"PCSuiteTrayApplication"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 13:20 227328]
"avgnt"="C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 03:45 15360]
"Nokia.PCSync"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 03:45 400384 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 03:34 44544]

C:\Documents and Settings\Andre\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-03-05 20:54:41 25214]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\eMule\\emule.exe"=
"C:\\Arquivos de programas\\uTorrent\\utorrent.exe"=
"C:\\Arquivos de programas\\America's Army\\System\\ArmyOps.exe"=
"C:\\Arquivos de programas\\SecondLife\\SecondLife.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 00:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 00:39]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]

.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-04-21 14:20:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 01:00:02
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.exe
C:\Arquivos de programas\Windows Media Player\wmpnetwk.exe
C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-05-14 1:06:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 04:05:02

Pre-Run: 88,705,396,736 bytes disponíveis
Post-Run: 88,642,412,544 bytes disponíveis

151

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#7
agodoido

    New Member

  • Topic Starter
  • Member
  • 5 posts
Thanks a lot, grey knight! Thanks for spending your time helping me with this issue!

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.