
Something really wrong going on: Win32/Bagle? [RESOLVED]


  • This topic is locked

#16
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Can you zip the log and attach it?
  • 0


#17
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
:)
  • 0

#18
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
Was it attached?
  • 0

#19
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
No, it wasn't. I've tried it again but I'm getting the following message:

"Upload failed. You are not permitted to upload this type of file"
  • 0

#20
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
Here it is now.

Regards,
Marcos

Attached Files


  • 0

#21
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Got it. Now it will take me a bit of time to go through, and I also have to take my daughter out for a while today, so I'll get you a fix back later on today.

Regards,
RatHat
  • 0

#22
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
No worries, mate. Take your time. Have a good day with your kid.


Best regards,
Marcos
  • 0

#23
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Well, the wife is taking forever to get ready, so I had time to go through the log.

Start OTScanIt.exe. Copy/paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Svconr -> Svconr.exe [C:\Arquivos de programas\Svconr\Svconr.exe]
YN -> WinTouch -> WinTouch.exe [C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\WinTouch\WinTouch.exe]
< Run [HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\] > -> HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Svconr -> Svconr.exe [C:\Arquivos de programas\Svconr\Svconr.exe]
YN -> WinTouch -> WinTouch.exe [C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\WinTouch\WinTouch.exe]
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> 1 domain(s) and sub-domain(s) not assigned to a zone. -> 
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
NY -> {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL [Megaupload Toolbar]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
NY -> WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL [Megaupload Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
NY -> ShellBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL [Megaupload Toolbar]
NY -> WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL [Megaupload Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
NY -> ShellBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL [Megaupload Toolbar]
NY -> WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL [Megaupload Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\] > -> HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\
NY -> WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} [HKEY_LOCAL_MACHINE] -> %SystemDrive%\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL [Megaupload Toolbar]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[CKAVWebScan Object]
YN -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3]
[Files/Folders - Created Within 90 days]
NY -> FOUND.140 -> %SystemDrive%\FOUND.140
NY -> FOUND.006 -> %SystemDrive%\FOUND.006
NY -> FOUND.007 -> %SystemDrive%\FOUND.007
NY -> FOUND.008 -> %SystemDrive%\FOUND.008
NY -> FOUND.009 -> %SystemDrive%\FOUND.009
NY -> FOUND.117 -> %SystemDrive%\FOUND.117
NY -> FOUND.118 -> %SystemDrive%\FOUND.118
NY -> FOUND.119 -> %SystemDrive%\FOUND.119
NY -> FOUND.120 -> %SystemDrive%\FOUND.120
NY -> FOUND.121 -> %SystemDrive%\FOUND.121
NY -> FOUND.122 -> %SystemDrive%\FOUND.122
NY -> FOUND.123 -> %SystemDrive%\FOUND.123
NY -> FOUND.125 -> %SystemDrive%\FOUND.125
NY -> FOUND.124 -> %SystemDrive%\FOUND.124
NY -> FOUND.126 -> %SystemDrive%\FOUND.126
NY -> FOUND.127 -> %SystemDrive%\FOUND.127
NY -> FOUND.128 -> %SystemDrive%\FOUND.128
NY -> FOUND.129 -> %SystemDrive%\FOUND.129
NY -> FOUND.130 -> %SystemDrive%\FOUND.130
NY -> FOUND.131 -> %SystemDrive%\FOUND.131
NY -> FOUND.132 -> %SystemDrive%\FOUND.132
NY -> FOUND.133 -> %SystemDrive%\FOUND.133
NY -> FOUND.134 -> %SystemDrive%\FOUND.134
NY -> FOUND.135 -> %SystemDrive%\FOUND.135
NY -> FOUND.136 -> %SystemDrive%\FOUND.136
NY -> FOUND.137 -> %SystemDrive%\FOUND.137
NY -> FOUND.138 -> %SystemDrive%\FOUND.138
NY -> FOUND.139 -> %SystemDrive%\FOUND.139
NY -> Combo-Fix -> %SystemDrive%\Combo-Fix
NY -> QooBox -> %SystemDrive%\QooBox
NY -> down -> %SystemRoot%\System32\drivers\down
NY -> Kaspersky Lab -> %SystemRoot%\System32\Kaspersky Lab
NY -> 1 C:\KILLWIN\System32\*.tmp files -> C:\KILLWIN\System32\*.tmp
NY -> rVCPj3C2.exe_ -> %SystemRoot%\System32\rVCPj3C2.exe_
NY -> b156.exe -> %SystemRoot%\b156.exe
NY -> b155.exe -> %SystemRoot%\b155.exe
NY -> b152.exe -> %SystemRoot%\b152.exe
NY -> 27 C:\KILLWIN\*.tmp files -> C:\KILLWIN\*.tmp
NY -> At25.job -> %SystemRoot%\tasks\At25.job
NY -> At26.job -> %SystemRoot%\tasks\At26.job
NY -> At27.job -> %SystemRoot%\tasks\At27.job
NY -> At28.job -> %SystemRoot%\tasks\At28.job
NY -> At29.job -> %SystemRoot%\tasks\At29.job
NY -> At30.job -> %SystemRoot%\tasks\At30.job
NY -> At31.job -> %SystemRoot%\tasks\At31.job
NY -> At32.job -> %SystemRoot%\tasks\At32.job
NY -> At33.job -> %SystemRoot%\tasks\At33.job
NY -> At34.job -> %SystemRoot%\tasks\At34.job
NY -> At35.job -> %SystemRoot%\tasks\At35.job
NY -> At36.job -> %SystemRoot%\tasks\At36.job
NY -> At37.job -> %SystemRoot%\tasks\At37.job
NY -> At38.job -> %SystemRoot%\tasks\At38.job
NY -> At39.job -> %SystemRoot%\tasks\At39.job
NY -> At40.job -> %SystemRoot%\tasks\At40.job
NY -> At41.job -> %SystemRoot%\tasks\At41.job
NY -> At42.job -> %SystemRoot%\tasks\At42.job
NY -> At43.job -> %SystemRoot%\tasks\At43.job
NY -> At44.job -> %SystemRoot%\tasks\At44.job
NY -> At45.job -> %SystemRoot%\tasks\At45.job
NY -> At46.job -> %SystemRoot%\tasks\At46.job
NY -> At47.job -> %SystemRoot%\tasks\At47.job
NY -> At48.job -> %SystemRoot%\tasks\At48.job
NY -> At49.job -> %SystemRoot%\tasks\At49.job
NY -> At50.job -> %SystemRoot%\tasks\At50.job
NY -> At51.job -> %SystemRoot%\tasks\At51.job
NY -> At52.job -> %SystemRoot%\tasks\At52.job
NY -> At53.job -> %SystemRoot%\tasks\At53.job
NY -> At54.job -> %SystemRoot%\tasks\At54.job
NY -> At55.job -> %SystemRoot%\tasks\At55.job
NY -> At56.job -> %SystemRoot%\tasks\At56.job
NY -> At57.job -> %SystemRoot%\tasks\At57.job
NY -> At58.job -> %SystemRoot%\tasks\At58.job
NY -> At59.job -> %SystemRoot%\tasks\At59.job
NY -> At60.job -> %SystemRoot%\tasks\At60.job
NY -> At61.job -> %SystemRoot%\tasks\At61.job
NY -> At62.job -> %SystemRoot%\tasks\At62.job
NY -> At63.job -> %SystemRoot%\tasks\At63.job
NY -> At64.job -> %SystemRoot%\tasks\At64.job
NY -> At65.job -> %SystemRoot%\tasks\At65.job
NY -> At66.job -> %SystemRoot%\tasks\At66.job
NY -> At67.job -> %SystemRoot%\tasks\At67.job
NY -> At68.job -> %SystemRoot%\tasks\At68.job
NY -> At69.job -> %SystemRoot%\tasks\At69.job
NY -> At70.job -> %SystemRoot%\tasks\At70.job
NY -> At71.job -> %SystemRoot%\tasks\At71.job
NY -> At72.job -> %SystemRoot%\tasks\At72.job
[Files/Folders - Modified Within 90 days]
NY -> Combo-Fix -> %SystemDrive%\Combo-Fix
NY -> QooBox -> %SystemDrive%\QooBox
NY -> down -> %SystemRoot%\System32\drivers\down
NY -> 27 C:\KILLWIN\*.tmp files -> C:\KILLWIN\*.tmp
[File - Purity Scan: Additional Folder Scans - Non-Microsoft Only]
NY -> InetGet2 -> C:\Arquivos de programas\InetGet2
[Extra Files]
Purity
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's try again with Combofix. Delete any versions that you have remaining on your computer, then download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version.)

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshots illustrating the rename step]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Regards,
RatHat
  • 0

#24
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
In the fix above, make sure that it is Combofix.exe that you rename to Combo-Fix.exe and not the folder, OK?

Cheers,
RatHat
  • 0

#25
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
Ok.

Here's the OTScanIt Run Fix log:


Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Svconr deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinTouch deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Svconr not found.
Registry value HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinTouch not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ deleted successfully.
C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL unregistered successfully.
C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
File C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
File C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
File C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
File C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
File C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL not found.
Registry value HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
File C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL not found.
Starting removal of ActiveX control {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}\Contains\Files\ not found.
C:\KILLWIN\Downloaded Program Files\kavwebscan.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}\ deleted successfully.
Starting removal of ActiveX control {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}
C:\KILLWIN\Downloaded Program Files\fscax.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}\ deleted successfully.
[Files/Folders - Created Within 90 days]
C:\FOUND.140 folder moved successfully.
C:\FOUND.006 folder moved successfully.
C:\FOUND.007 folder moved successfully.
C:\FOUND.008 folder moved successfully.
C:\FOUND.009 folder moved successfully.
C:\FOUND.117 folder moved successfully.
C:\FOUND.118 folder moved successfully.
C:\FOUND.119 folder moved successfully.
C:\FOUND.120 folder moved successfully.
C:\FOUND.121 folder moved successfully.
C:\FOUND.122 folder moved successfully.
C:\FOUND.123 folder moved successfully.
C:\FOUND.125 folder moved successfully.
C:\FOUND.124 folder moved successfully.
C:\FOUND.126 folder moved successfully.
C:\FOUND.127 folder moved successfully.
C:\FOUND.128 folder moved successfully.
C:\FOUND.129 folder moved successfully.
C:\FOUND.130 folder moved successfully.
C:\FOUND.131 folder moved successfully.
C:\FOUND.132 folder moved successfully.
C:\FOUND.133 folder moved successfully.
C:\FOUND.134 folder moved successfully.
C:\FOUND.135 folder moved successfully.
C:\FOUND.136 folder moved successfully.
C:\FOUND.137 folder moved successfully.
C:\FOUND.138 folder moved successfully.
C:\FOUND.139 folder moved successfully.
File C:\Combo-Fix not found!
C:\QooBox\BackEnv folder moved successfully.
C:\QooBox\Quarantine\C folder moved successfully.
C:\QooBox\Quarantine folder moved successfully.
C:\QooBox folder moved successfully.
C:\KILLWIN\System32\drivers\down folder moved successfully.
C:\KILLWIN\System32\Kaspersky Lab\Kaspersky Online Scanner folder moved successfully.
C:\KILLWIN\System32\Kaspersky Lab folder moved successfully.
File C:\KILLWIN\System32\rVCPj3C2.exe_ not found!
C:\KILLWIN\b156.exe moved successfully.
C:\KILLWIN\b155.exe moved successfully.
C:\KILLWIN\b152.exe moved successfully.
C:\KILLWIN\tasks\At25.job moved successfully.
C:\KILLWIN\tasks\At26.job moved successfully.
C:\KILLWIN\tasks\At27.job moved successfully.
C:\KILLWIN\tasks\At28.job moved successfully.
C:\KILLWIN\tasks\At29.job moved successfully.
C:\KILLWIN\tasks\At30.job moved successfully.
C:\KILLWIN\tasks\At31.job moved successfully.
C:\KILLWIN\tasks\At32.job moved successfully.
C:\KILLWIN\tasks\At33.job moved successfully.
C:\KILLWIN\tasks\At34.job moved successfully.
C:\KILLWIN\tasks\At35.job moved successfully.
C:\KILLWIN\tasks\At36.job moved successfully.
C:\KILLWIN\tasks\At37.job moved successfully.
C:\KILLWIN\tasks\At38.job moved successfully.
C:\KILLWIN\tasks\At39.job moved successfully.
C:\KILLWIN\tasks\At40.job moved successfully.
C:\KILLWIN\tasks\At41.job moved successfully.
C:\KILLWIN\tasks\At42.job moved successfully.
C:\KILLWIN\tasks\At43.job moved successfully.
C:\KILLWIN\tasks\At44.job moved successfully.
C:\KILLWIN\tasks\At45.job moved successfully.
C:\KILLWIN\tasks\At46.job moved successfully.
C:\KILLWIN\tasks\At47.job moved successfully.
C:\KILLWIN\tasks\At48.job moved successfully.
C:\KILLWIN\tasks\At49.job moved successfully.
C:\KILLWIN\tasks\At50.job moved successfully.
C:\KILLWIN\tasks\At51.job moved successfully.
C:\KILLWIN\tasks\At52.job moved successfully.
C:\KILLWIN\tasks\At53.job moved successfully.
C:\KILLWIN\tasks\At54.job moved successfully.
C:\KILLWIN\tasks\At55.job moved successfully.
C:\KILLWIN\tasks\At56.job moved successfully.
C:\KILLWIN\tasks\At57.job moved successfully.
C:\KILLWIN\tasks\At58.job moved successfully.
C:\KILLWIN\tasks\At59.job moved successfully.
C:\KILLWIN\tasks\At60.job moved successfully.
C:\KILLWIN\tasks\At61.job moved successfully.
C:\KILLWIN\tasks\At62.job moved successfully.
C:\KILLWIN\tasks\At63.job moved successfully.
C:\KILLWIN\tasks\At64.job moved successfully.
C:\KILLWIN\tasks\At65.job moved successfully.
C:\KILLWIN\tasks\At66.job moved successfully.
C:\KILLWIN\tasks\At67.job moved successfully.
C:\KILLWIN\tasks\At68.job moved successfully.
C:\KILLWIN\tasks\At69.job moved successfully.
C:\KILLWIN\tasks\At70.job moved successfully.
C:\KILLWIN\tasks\At71.job moved successfully.
C:\KILLWIN\tasks\At72.job moved successfully.
[Files/Folders - Modified Within 90 days]
File C:\Combo-Fix not found!
File C:\QooBox not found!
File C:\KILLWIN\System32\drivers\down not found!
[File - Purity Scan: Additional Folder Scans - Non-Microsoft Only]
C:\Arquivos de programas\InetGet2 folder moved successfully.
[Extra Files]
< Purity >
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.3 fix logfile created on 05242008_032725

Files moved on Reboot...
C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Marcos.CASA\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\wnj3z9gp.default\Cache\_CACHE_003_ moved successfully.
  • 0
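The fix log above uses a small, regular vocabulary ("deleted successfully", "not found", "moved successfully", "scheduled to be deleted on reboot"), so it can be parsed and reconciled mechanically rather than read line by line. The Python below is an added example, not OTScanIt's or the thread's own code: its sample log is abridged from the one posted above (Firefox profile paths shortened), and the outcome names and the "(preamble)" section label are my own choices.

```python
"""Summarise an OTScanIt 'Run Fix' log (added example, not OTScanIt's own code)."""
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: abridged from the fix log posted above, with the Firefox
# profile paths shortened so the lines stay readable.
SAMPLE_LOG = r"""
Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Svconr deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1004336348-448539723-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Svconr not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ deleted successfully.
C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL unregistered successfully.
C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL moved successfully.
[Files/Folders - Created Within 90 days]
C:\FOUND.140 folder moved successfully.
File C:\Combo-Fix not found!
File C:\KILLWIN\System32\rVCPj3C2.exe_ not found!
C:\KILLWIN\tasks\At25.job moved successfully.
C:\KILLWIN\tasks\At26.job moved successfully.
[Empty Temp Folders]
User's Temp folder emptied.
File delete failed. C:\Profiles\wnj3z9gp.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Profiles\wnj3z9gp.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.3 fix logfile created on 05242008_032725

Files moved on Reboot...
C:\Profiles\wnj3z9gp.default\Cache\_CACHE_MAP_ moved successfully.
"""


class FixEntry(NamedTuple):
    section: str  # the [bracketed] heading the line appeared under
    kind: str     # registry value / registry key / file / folder / temp / info
    target: str   # path or registry location the line reports on
    outcome: str  # deleted / moved / unregistered / emptied / not_found / reboot / info


# Line shapes seen in the log, most specific first; the first match wins.
PATTERNS = [
    (re.compile(r"^Registry (value|key) (.+?) (deleted successfully|not found)\.$"),
     lambda m: ("registry " + m.group(1), m.group(2),
                "deleted" if m.group(3).startswith("deleted") else "not_found")),
    (re.compile(r"^File (.+?) not found!$"), lambda m: ("file", m.group(1), "not_found")),
    (re.compile(r"^File delete failed\. (.+?) scheduled to be deleted on reboot\.$"),
     lambda m: ("file", m.group(1), "reboot")),
    (re.compile(r"^(.+?) folder moved successfully\.$"), lambda m: ("folder", m.group(1), "moved")),
    (re.compile(r"^(.+?) (moved|unregistered) successfully\.$"),
     lambda m: ("file", m.group(1), m.group(2))),
    (re.compile(r"^(.+?) (?:-> )?emptied\.$"), lambda m: ("temp", m.group(1), "emptied")),
]
JOB_RE = re.compile(r"\\tasks\\(At\d+\.job)$", re.IGNORECASE)


def parse_fix_log(text: str) -> list:
    """One FixEntry per log line; lines with no known shape are kept as 'info'."""
    entries, section = [], "(preamble)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):  # blank, "< End of fix log >", "< Purity >"
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        for pattern, build in PATTERNS:
            m = pattern.match(line)
            if m:
                kind, target, outcome = build(m)
                entries.append(FixEntry(section, kind, target.rstrip("\\"), outcome))
                break
        else:
            entries.append(FixEntry(section, "info", line, "info"))
    return entries


def summarize(entries) -> Counter:
    """How many log lines reported each outcome."""
    return Counter(e.outcome for e in entries)


def not_found(entries) -> list:
    """Targets the fix asked for that were already gone: removed by an earlier tool,
    or named differently from what the scan reported. These deserve a second look."""
    return [e.target for e in entries if e.outcome == "not_found"]


def pending_after_reboot(entries) -> list:
    """Deletions deferred to reboot that never got a later 'moved successfully' line."""
    moved = {e.target for e in entries if e.outcome == "moved"}
    return [e.target for e in entries if e.outcome == "reboot" and e.target not in moved]


def scheduled_task_jobs(entries) -> list:
    """Names of the %SystemRoot%\\tasks\\At*.job files the fix moved (the fix above lists 48)."""
    return [m.group(1) for e in entries if e.outcome == "moved"
            for m in [JOB_RE.search(e.target)] if m]


if __name__ == "__main__":
    found = parse_fix_log(SAMPLE_LOG)
    print(dict(summarize(found)), not_found(found), pending_after_reboot(found), sep="\n")
```

On the full log above, `not_found` is where the `rVCPj3C2.exe_` miss shows up, and `pending_after_reboot` comes back empty because all four Firefox cache files have a matching line under "Files moved on Reboot...".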


#26
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
Unless it was a hard reboot, running Combo-Fix.exe crashed the computer again.

Anyway, here's the log I found in its folder:

ComboFix 08-05-21.3 - Marcos 2008-05-24 3:33:14.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1148 [GMT -3:00]
Executando de: C:\Documents and Settings\Marcos.CASA\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • 0

#27
marcos.rj

    Member

  • Topic Starter
  • Member
  • 29 posts
Well, and just for (my) practicing, here's a fresh DSS log:

Deckard's System Scanner v20071014.68
Run by Marcos on 2008-05-24 04:05:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Marcos.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:05, on 2008-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\KILLWIN\System32\smss.exe
C:\KILLWIN\system32\csrss.exe
C:\KILLWIN\system32\winlogon.exe
C:\KILLWIN\system32\services.exe
C:\KILLWIN\system32\lsass.exe
C:\KILLWIN\system32\svchost.exe
C:\KILLWIN\System32\svchost.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\KILLWIN\system32\spoolsv.exe
C:\KILLWIN\Explorer.EXE
C:\Arquivos de programas\Lexmark 1400 Series\lxdjamon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\KILLWIN\system32\lxdjcoms.exe
C:\KILLWIN\system32\UAService7.exe
C:\KILLWIN\system32\ctfmon.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marcos.CASA\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\Marcos.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com.br/
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Arquivos de programas\Lexmark Toolbar\toolband.dll
O2 - BHO: ssh2 Class - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O3 - Toolbar: Lexmark Barra de ferramentas - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Arquivos de programas\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [lxdjamon] "C:\Arquivos de programas\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"
O4 - HKLM\..\Run: [UDC Integration] C:\ARQUIV~1\UNIVER~1\getstart.exe "C:\Arquivos de programas\Universal Document Converter" -silent -default -noshowmanual
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Setup] C:\Program Files\Common Files\setup.exe -cleaning
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [JavaCore] C:\Arquivos de programas\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\KILLWIN\system32\ctfmon.exe
O4 - HKCU\..\Run: [Twain] C:\Arquivos de programas\Twain\Twain.exe
O4 - HKCU\..\Run: [Steam] "C:\Arquivos de programas\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\KILLWIN\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\KILLWIN\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\KILLWIN\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\KILLWIN\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Recorte de tela e Iniciador do OneNote 2007.lnk = C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PersonalBrain 4.lnk = C:\Arquivos de programas\PersonalBrain\PersonalBrainS.exe
O4 - Global Startup: PalTalk.lnk = C:\Arquivos de programas\Paltalk Messenger\paltalk.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Arquivos de programas\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Arquivos de programas\Arquivos comuns\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Arquivos de programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa...cab/gbpdist.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginCef - C:\Arquivos de programas\GbPlugin\gbiehcef.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\KILLWIN\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\KILLWIN\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\KILLWIN\system32\lxdjcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\KILLWIN\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\KILLWIN\system32\UAService7.exe

--
End of file - 8477 bytes

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 03:32:51 0 d-------- C:\Combo-Fix
2008-05-24 02:13:14 0 d--hs---- C:\FOUND.141
2008-05-23 09:14:40 30722 --a------ C:\KILLWIN\system32\rVCPj3C2.exe
2008-05-22 07:57:35 0 d-------- C:\Arquivos de programas\Trend Micro
2008-05-21 20:09:03 0 d-------- C:\Arquivos de programas\Yahoo!
2008-05-20 11:25:09 0 d-------- C:\fsaua.data
2008-05-20 10:55:10 68096 --a------ C:\KILLWIN\zip.exe
2008-05-20 10:55:10 49152 --a------ C:\KILLWIN\VFind.exe
2008-05-20 10:55:10 212480 --a------ C:\KILLWIN\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-20 10:55:10 136704 --a------ C:\KILLWIN\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-20 10:55:10 161792 --a------ C:\KILLWIN\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-20 10:55:10 98816 --a------ C:\KILLWIN\sed.exe
2008-05-20 10:55:10 80412 --a------ C:\KILLWIN\grep.exe
2008-05-20 10:55:10 89504 --a------ C:\KILLWIN\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-20 10:38:43 0 d-------- C:\Arquivos de programas\Participatory Culture Foundation
2008-05-20 10:02:31 0 d-------- C:\Arquivos de programas\PersonalBrain
2008-05-20 09:48:43 0 d-------- C:\My Brains
2008-05-20 09:47:53 0 d-------- C:\Arquivos de programas\TheBrain
2008-05-20 08:36:36 0 d-------- C:\KILLWIN\system32\QuickTime
2008-05-20 08:25:36 5632 --a------ C:\KILLWIN\system32\udcpm.dll <Not Verified; fCoder Group, Inc.; Universal Document Converter>
2008-05-20 08:25:34 0 d-------- C:\UDC Snapshots
2008-05-20 08:25:33 0 d-------- C:\Arquivos de programas\Universal Document Converter
2008-05-20 08:05:26 0 d-------- C:\lotuspro
2008-05-20 07:57:15 0 d-------- C:\Arquivos de programas\Arquivos comuns\TechSmith Shared
2008-05-20 07:57:12 0 d-------- C:\Arquivos de programas\TechSmith
2008-05-19 13:39:38 10240 --a------ C:\KILLWIN\system32\MVut14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 50688 --a------ C:\KILLWIN\system32\MVtl14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 51200 --a------ C:\KILLWIN\system32\MVsr14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 32768 --a------ C:\KILLWIN\system32\MVmg14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 73728 --a------ C:\KILLWIN\system32\MVmc14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 68608 --a------ C:\KILLWIN\system32\MVix14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 56320 --a------ C:\KILLWIN\system32\MVfs14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 112128 --a------ C:\KILLWIN\system32\MVcl14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 25600 --a------ C:\KILLWIN\system32\MVbk14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-19 13:39:38 0 d-------- C:\KILLWIN\Epa
2008-05-18 23:05:26 0 d-------- C:\Arquivos de programas\Alwil Software
2008-05-18 23:04:09 0 d-------- C:\Arquivos de programas\RootKit Hook Analyzer
2008-05-18 22:56:17 3584 --a------ C:\KILLWIN\system32\wmfhotfix.dll
2008-05-18 22:56:17 0 d-------- C:\Arquivos de programas\WindowsMetafileFix
2008-05-18 20:46:21 0 d-------- C:\Arquivos de programas\CCleaner
2008-05-18 19:35:48 0 d-------- C:\Arquivos de programas\Arquivos comuns\Panda Software
2008-05-13 16:43:02 126976 --a------ C:\KILLWIN\system32\UAService7.exe
2008-05-13 05:12:50 53248 --a------ C:\KILLWIN\system32\oml.dll
2008-05-13 04:21:13 0 d-------- C:\Arquivos de programas\Metastock Expresso e-Book
2008-05-05 15:27:37 0 d-------- C:\Arquivos de programas\Svconr
2008-05-02 09:25:45 0 d-------- C:\Arquivos de programas\AMP Font Viewer
2008-04-28 13:17:41 0 d-------- C:\Arquivos de programas\Arquivos comuns\SourceTec
2008-04-28 13:17:37 0 d-------- C:\Arquivos de programas\SourceTec
2008-04-26 07:14:57 33280 --a------ C:\KILLWIN\system32\nRXLf3X2.dll
2008-04-24 04:39:34 0 d-------- C:\Arquivos de programas\Juice
2008-04-24 02:47:08 0 d-------- C:\Arquivos de programas\MagicISO
2008-04-24 02:44:59 0 d-------- C:\Arquivos de programas\MagicISO Maker v5 4


-- Find3M Report ---------------------------------------------------------------

2008-05-22 07:10:16 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\PCF-VLC
2008-05-20 10:39:20 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Participatory Culture Foundation
2008-05-20 10:03:34 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\PersonalBrain
2008-05-19 17:54:42 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Audacity
2008-05-13 16:43:08 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\SecuROM
2008-05-13 01:23:36 4563 --a------ C:\KILLWIN\mozver.dat
2008-04-24 04:39:46 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\iPodder
2008-04-22 05:07:10 0 d-------- C:\Arquivos de programas\Stardock
2008-04-22 05:07:10 0 d-------- C:\Arquivos de programas\Arquivos comuns\Stardock
2008-04-19 20:53:44 0 d-------- C:\Arquivos de programas\Inet_Get_2
2008-04-19 20:43:52 0 d-------- C:\Arquivos de programas\JavaCore
2008-04-19 20:33:46 0 d-------- C:\Arquivos de programas\Temporary
2008-04-15 16:35:08 55596 --a------ C:\KILLWIN\system32\AnalFTP2.exe
2008-04-14 15:26:02 0 d-------- C:\Arquivos de programas\GbPlugin
2008-04-13 05:37:00 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\MegauploadToolbar
2008-04-13 05:37:00 0 d-------- C:\Arquivos de programas\MegauploadToolbar
2008-04-12 22:01:56 0 d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Lexmark Productivity Studio
2008-04-06 23:45:38 0 d-------- C:\Arquivos de programas\passFIRST-Certificate-Demo
2008-03-30 21:54:26 0 d-------- C:\Arquivos de programas\QuienNoAdmitido


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdjamon"="C:\Arquivos de programas\Lexmark 1400 Series\lxdjamon.exe" [2007-04-30 08:19]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-18 23:06]
"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2007-12-20 13:16]
"UDC Integration"="C:\ARQUIV~1\UNIVER~1\getstart.exe" [2006-02-06 19:00]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Setup"="C:\Program Files\Common Files\setup.exe" [2008-02-19 05:30]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 09:41]
"nwiz"="nwiz.exe" [2002-01-15 05:06 C:\KILLWIN\system32\nwiz.exe]
"NvCplDaemon"="NvQTwk" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaCore"="C:\Arquivos de programas\\JavaCore\\JavaCore.exe" []
"ctfmon.exe"="C:\KILLWIN\system32\ctfmon.exe" [2004-08-04 00:45]
"Twain"="C:\Arquivos de programas\Twain\Twain.exe" []
"Steam"="C:\Arquivos de programas\Steam\Steam.exe" []
"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-06-08 15:18]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"DAEMON Tools Lite"="C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-01-17 14:51]

C:\Documents and Settings\Marcos.CASA\Menu Iniciar\Programas\Inicializar\
Stardock ObjectDock.lnk - C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe [2008-04-22 05:07:27]
Recorte de tela e Iniciador do OneNote 2007.lnk - C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]
PersonalBrain 4.lnk - C:\Arquivos de programas\PersonalBrain\PersonalBrainS.exe [2008-05-20 10:02:37]

C:\Documents and Settings\All Users.KILLWIN\Menu Iniciar\Programas\Inicializar\
PalTalk.lnk - C:\Arquivos de programas\Paltalk Messenger\paltalk.exe [2008-05-08 19:17:29]
InterVideo WinCinema Manager.lnk - C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-08-04 17:17:11]
Adobe Reader Synchronizer.lnk - C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehcef.dll [2008-03-05 11:29 341576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
C:\Arquivos de programas\GbPlugin\gbiehcef.dll 2008-03-05 11:29 341576 C:\Arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-05-24 04:05:57 ------------


Best regards,
Marcos
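
Triage script for a Deckard's System Scanner log in the format posted above (an added example; it is not code from the thread, from DSS, Combofix, OTScanIt or any other tool mentioned in it). It parses the "Files created between" list and the Run-key registry dump and flags the two things an analyst hunting a dropper checks first: unlabelled binaries in system32 with random-looking names, and autorun values whose target the scanner could not find. The random-name heuristic, the reading of an empty `[]` as "target not on disk", and the SAMPLE_LOG lines are assumptions modelled on the log's format, not rules shipped by any scanner.

```python
"""Triage helper for a Deckard's System Scanner (DSS) log like the one above.

Added example; it is not part of the thread and not code from DSS, Combofix,
OTScanIt or any other tool mentioned. It parses two sections DSS printed,
"Files created between ..." and the Run-key registry dump, and flags what an
analyst hunting a dropper looks at first. Both heuristics and the sample
lines are assumptions modelled on the log format, not any scanner's rules.
"""
import os
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines in the format DSS printed in the post.
SAMPLE_LOG = r"""
-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-23 09:14:40 30722 --a------ C:\KILLWIN\system32\rVCPj3C2.exe
2008-05-20 10:55:10 212480 --a------ C:\KILLWIN\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-19 13:39:38 10240 --a------ C:\KILLWIN\system32\MVut14n.dll <Not Verified; Microsoft Corporation; Microsoft Media View>
2008-05-13 05:12:50 53248 --a------ C:\KILLWIN\system32\oml.dll
2008-05-05 15:27:37 0 d-------- C:\Arquivos de programas\Svconr
2008-04-26 07:14:57 33280 --a------ C:\KILLWIN\system32\nRXLf3X2.dll

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-18 23:06]
"Setup"="C:\Program Files\Common Files\setup.exe" [2008-02-19 05:30]
"NvCplDaemon"="NvQTwk" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaCore"="C:\Arquivos de programas\\JavaCore\\JavaCore.exe" []
"ctfmon.exe"="C:\KILLWIN\system32\ctfmon.exe" [2004-08-04 00:45]
"""

# One "Files created" entry: timestamp, size, attribute flags, path, optional <publisher tag>.
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<size>\d+) +"
    r"(?P<attrs>[-a-z]{9}) +(?P<path>.+?)(?: +<(?P<tag>[^>]*)>)? *$"
)
# One Run-key value: "name"="target" [timestamp, or empty].
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" *\[(?P<stamp>[^\]]*)\]$')

BINARY_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 6-12 alphanumerics with at least four switches between
    lower-case, upper-case and digit runs (rVCPj3C2 yes; UAService7, MVut14n no)."""
    if not (6 <= len(stem) <= 12) or not stem.isalnum():
        return False

    def cls(c: str) -> str:
        return "d" if c.isdigit() else ("u" if c.isupper() else "l")

    switches = sum(1 for a, b in zip(stem, stem[1:]) if cls(a) != cls(b))
    return switches >= 4


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth a second look, most suspicious first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            if m["attrs"].startswith("d"):
                continue  # directory entry: nothing to verify
            stem, ext = os.path.splitext(m["path"].rsplit("\\", 1)[-1])
            in_sys32 = "\\system32\\" in m["path"].lower()
            # Assumption from the log: the <Not Verified; vendor; product> tag shows
            # the file carried version info; an untagged binary in system32 has none.
            if in_sys32 and ext.lower() in BINARY_EXT and m["tag"] is None:
                if looks_random(stem):
                    findings.append(Finding("high", "random-named binary in system32, no publisher tag", line))
                else:
                    findings.append(Finding("medium", "binary in system32, no publisher tag", line))
            continue
        m = RUN_RE.match(line)
        if m and not m["stamp"].strip():
            # Assumption: an empty [] means DSS could not stat the target, so the
            # autorun points at a file that is gone or at a name it could not resolve.
            findings.append(Finding("medium", "autorun entry whose target was not found on disk", line))
    findings.sort(key=lambda f: f.severity != "high")  # stable sort: highs first
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run against the sample it reports rVCPj3C2.exe and nRXLf3X2.dll as high, and oml.dll plus the two autoruns with an empty timestamp as medium; MVut14n.dll is skipped because its Media View version tag is present. The heuristic is a triage aid only: a file's name and version resource say nothing about its contents, so anything it flags still needs to be checked by hash or submitted, as RatHat does with the scanner logs.
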

#28 RatHat (Ex Malware Expert)
Well, Combofix is still not running properly, but we have got rid of quite a lot of the rubbish that is spawned by Bagle, so let's see if we can find the dropper which keeps it alive.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


As soon as you have completed the above, run an F-Secure online scan:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient


Post me the DrWeb log and the F-Secure log when you can. Also delete everything that Combofix creates, the Combo-Fix.exe file, the folder Qoobox, and the Combofix folder. Delete all logs that it has made too.

Regards,
RatHat

#29 marcos.rj (Topic Starter)
DrWeb-CureIt Express scan was very quick indeed. Here's a screenshot of the results:

DRWEB_1stScan.jpg


On the other hand, the DrWeb-CureIt Full Scan was taking around 6 hours when it crashed very close to the end. Poor thing... I'm afraid it created no log of it, did it?

Sometimes I took a look at the scanning process and, as far as I can remember, it had found and eliminated 206 infected files, mostly *.exe from a Temp directory in C:\ as well as the ones moved by OTMoveIt. There were some 3 in D:\$VAULT$.AVG and one or two adwares from other folders.

Anyway, if need be, I'm willing to perform another scan... or should I try the F-Secure scan first?


Thanks for helping.

Marcos

#30 RatHat (Ex Malware Expert)
Yes, let's try the F-Secure scan. This is the scan that has identified the dropper for me in previous Bagle logs. DrWeb cleans up a lot of junk first though, which makes the F-Secure scan quicker. Anyway, let's see what F-Secure turns up.

Regards,
RatHat