Something really wrong going on: Win32/Bagle ? [RESOLVED]


  • This topic is locked

#31
marcos.rj

    Member

  • Topic Starter
  • 29 posts
Sorry for the delay, but in the meantime I'm finishing up a couple of university essays, so the computer has been quite busy. By the way, I've noticed that the DrWeb-CureIt scan did a lot of good to the computer and now it's running at speed again.

Here's the F-Secure Online Scanning Report... at last!


Scanning Report
Sunday, May 25, 2008 18:12:25 - 20:12:31

Computer name: CASA
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 10 malware found
SDBot.CQL (virus)

* D:\BACKUPS\EDICAO\VIDEO\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52-FFF\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52_CRK-FFF\CRACK.EXE (Submitted)

Tracking Cookie (spyware)

* System

Trojan-Clicker.Win32.Costrat (virus)

* System

Trojan-Clicker.Win32.Costrat.hd (virus)

* C:\KJYH.EXE

Trojan-Downloader.Win32.Agent (virus)

* System

Trojan-Downloader.Win32.Agent.mcj (virus)

* C:\WINDOWS\SYSTEM32.CPL (Renamed & Submitted)

Trojan-Downloader.Win32.Agent.ofz (virus)

* C:\KILLWIN\B999.EXE

Trojan-Spy.Win32.Banker.fgw (virus)

* C:\WINDOWS\SYSTEM\CODECS.EXE (Renamed & Submitted)

Trojan.Win32.BHO.blh (virus)

* C:\DOCUMENTS AND SETTINGS\MARCOS.CASA\DESKTOP\OTSCANIT\MOVEDFILES\05242008_032725\C_KILLWIN\B155.EXE (Renamed & Submitted)

W32/Downloader (virus)

* C:\_OTMOVEIT\MOVEDFILES\05232008_081455\KILLWIN\B138.EXE (Submitted)

Statistics
Scanned:

* Files: 79045
* System: 4140
* Not scanned: 19

Actions:

* Disinfected: 0
* Renamed: 3
* Deleted: 0
* None: 7
* Submitted: 5

Files not scanned:

* C:\PAGEFILE.SYS
* C:\KILLWIN\SYSTEM32\DRIVERS\SPTD.SYS
* C:\KILLWIN\SYSTEM32\CONFIG\SECURITY
* C:\KILLWIN\SYSTEM32\CONFIG\SAM
* C:\KILLWIN\SYSTEM32\CONFIG\SYSTEM
* C:\KILLWIN\SYSTEM32\CONFIG\SOFTWARE
* C:\KILLWIN\SYSTEM32\CONFIG\DEFAULT
* D:\19EC50888B3A268EEE6D\SPMSG.DLL
* D:\19EC50888B3A268EEE6D\SPUNINST.EXE
* D:\19EC50888B3A268EEE6D\SPUPDSVC.EXE
* D:\19EC50888B3A268EEE6D\WUDFCOINSTALLER.DLL
* D:\19EC50888B3A268EEE6D\WUDFCUSTOM.DLL
* D:\19EC50888B3A268EEE6D\WUDFHOST.EXE
* D:\19EC50888B3A268EEE6D\WUDFPF.SYS
* D:\19EC50888B3A268EEE6D\WUDFPLATFORM.DLL
* D:\19EC50888B3A268EEE6D\WUDFRD.SYS
* D:\19EC50888B3A268EEE6D\WUDFSVC.DLL
* D:\19EC50888B3A268EEE6D\WUDFX.DLL
* D:\19EC50888B3A268EEE6D\WUDF_UPDATE.INF

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-05-25
* F-Secure AVP: 7.0.171, 2008-05-25
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


~~~~~~~~~~~~~~~~~~~~

Thanks for your support.
Marcos
  • 0


#32
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Let's make sure that those files that F-Secure found are removed.

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\BACKUPS\EDICAO\VIDEO\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52-FFF\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52_CRK-FFF\CRACK.EXE
C:\KJYH.EXE
C:\WINDOWS\SYSTEM32.CPL
C:\KILLWIN\B999.EXE
C:\WINDOWS\SYSTEM\CODECS.EXE


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please include the contents of OTM.txt in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's try Combofix once more.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

Regards,
RatHat
  • 0

#33
marcos.rj

    Member

  • Topic Starter
  • 29 posts
Here they are. OTM.txt says:


D:\BACKUPS\EDICAO\VIDEO\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52-FFF\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52_CRK-FFF\CRACK.EXE moved successfully.
File/Folder C:\KJYH.EXE not found.
File/Folder C:\WINDOWS\SYSTEM32.CPL not found.
File/Folder C:\KILLWIN\B999.EXE not found.
File/Folder C:\WINDOWS\SYSTEM\CODECS.EXE not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05252008_210232

~~~~~~~~~~~~~~~~~~

But Combo-Fix keeps crashing:


ComboFix 08-05-25.3 - Marcos 2008-05-25 21:04:27.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1110 [GMT -3:00]
Executando de: C:\Documents and Settings\Marcos.CASA\Desktop\Combo-Fix.exe
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


~~~~~~~~~~~~~~~~~~

Regards,
Marcos
  • 0

#34
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, I guess yours is that 1 in a 100 computers that Combofix won't work on! Never mind, I think we are almost done anyway.

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next please delete any remaining files/folders from SDFix, and re-download and run as outlined in my first posts. After that has run (if it runs), scan again with OTScanit and post the log as an attachment.

Regards,
RatHat
  • 0

#35
marcos.rj

    Member

  • Topic Starter
  • 29 posts
SDFix ran properly this time. Windows Alert Security is back on the task bar now. Here's the log:



SDFix: Version 1.185
Run by Marcos on 2008-05-25 at 22:47

Microsoft Windows XP [versão 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\-12302~1 - Deleted
C:\Arquivos de programas\JavaCore\UnInstall.exe - Deleted



Folder C:\Arquivos de programas\Helper - Removed
Folder C:\Arquivos de programas\JavaCore - Removed
Folder C:\Arquivos de programas\Temporary - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 22:53:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Arquivos de programas\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Arquivos de programas\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Arquivos de programas\\Paltalk Messenger\\paltalk.exe"="C:\\Arquivos de programas\\Paltalk Messenger\\paltalk.exe:*:Enabled:Paltalk 9.0"
"C:\\KILLWIN\\System32\\lxdjcoms.exe"="C:\\KILLWIN\\System32\\lxdjcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Arquivos de programas\\Lexmark 1400 Series\\lxdjamon.exe"="C:\\Arquivos de programas\\Lexmark 1400 Series\\lxdjamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Arquivos de programas\\Lexmark 1400 Series\\App4R.exe"="C:\\Arquivos de programas\\Lexmark 1400 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\KILLWIN\\System32\\spool\\drivers\\W32X86\\3\\lxdjwbgw.exe"="C:\\KILLWIN\\System32\\spool\\drivers\\W32X86\\3\\lxdjwbgw.exe:*:Enabled: "
"C:\\Program Files\\Hasbro Sports\\Grand Prix 3\\GP3.exe"="C:\\Program Files\\Hasbro Sports\\Grand Prix 3\\GP3.exe:*:Enabled:GP3"
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Arquivos de programas\\Cedro Market & Finances\\Cedro Lite\\zebedee\\tunnelcedro.exe"="C:\\Arquivos de programas\\Cedro Market & Finances\\Cedro Lite\\zebedee\\tunnelcedro.exe:*:Enabled:Tunnel Cedro"
"D:\\Jogos\\Bohemia Interactive\\ArmA Demo\\ArmADemo.exe"="D:\\Jogos\\Bohemia Interactive\\ArmA Demo\\ArmADemo.exe:*:Enabled:ArmA"
"C:\\Program Files\\Atari\\ArmA Demo\\ArmADemo.exe"="C:\\Program Files\\Atari\\ArmA Demo\\ArmADemo.exe:*:Enabled:ArmA Demo"
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"D:\\Arquivos de Programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="D:\\Arquivos de Programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Arquivos de programas\\Mozilla Firefox\\FIREFOX.EXE"="C:\\Arquivos de programas\\Mozilla Firefox\\FIREFOX.EXE:*:Enabled:Firefox"
"C:\\Arquivos de programas\\Avant Browser\\avant.exe"="C:\\Arquivos de programas\\Avant Browser\\avant.exe:*:Enabled:Avant Browser"
"D:\\Arquivos de Programas\\DreMule\\emule.exe"="D:\\Arquivos de Programas\\DreMule\\emule.exe:*:Enabled:Dreamule"
"C:\\Arquivos de programas\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"="C:\\Arquivos de programas\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe:*:Enabled:Miro_Downloader"
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"="C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjPSWX.EXE"="C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjPSWX.EXE:*:Enabled: "
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjjswx.exe"="C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjjswx.exe:*:Enabled: "
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDJtime.exe"="C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDJtime.exe:*:Enabled: "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Aug 2004 60,416 A.SH. --- "C:\Arquivos de programas\Outlook Express\msimn.exe"
Wed 31 Oct 2007 51,431 ...H. --- "C:\Documents and Settings\Marcos\Meus documentos\~WRL2249.tmp"
Sun 23 Mar 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users.KILLWIN\DRM\DRMv1.bak"
Fri 25 Apr 2008 58,856 ...H. --- "C:\Documents and Settings\Marcos.CASA\Desktop\~WRL0482.tmp"
Sun 14 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~C.tmp"
Sun 14 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~12.tmp"
Sun 14 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~D.tmp"
Tue 16 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~7B.tmp"
Tue 16 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~E.tmp"
Thu 18 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~186.tmp"
Fri 19 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~A8.tmp"
Sat 20 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~D1.tmp"
Mon 29 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~2F.tmp"
Tue 2 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~4C.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~5.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~4.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~4B.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~6.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~7.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~B.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~3E.tmp"
Sun 7 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~8.tmp"
Fri 12 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~E4.tmp"
Fri 12 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~97.tmp"
Sun 14 Oct 2007 197,120 A..H. --- "C:\Documents and Settings\Marcos\Configurações locais\Temp\~9E.tmp"
Tue 30 Oct 2007 59,904 ...H. --- "C:\Documents and Settings\Marcos\Dados de aplicativos\Microsoft\Word\~WRL0005.tmp"
Wed 31 Oct 2007 59,904 ...H. --- "C:\Documents and Settings\Marcos\Dados de aplicativos\Microsoft\Word\~WRL3328.tmp"
Sun 23 Mar 2008 20 A..H. --- "C:\Documents and Settings\Marcos.CASA\Meus documentos\Minhas músicas\Backup de Licença\drmv1lic.bak"
Sun 23 Mar 2008 4,348 ...H. --- "C:\Documents and Settings\Marcos.CASA\Meus documentos\Minhas músicas\Backup de Licença\drmv1key.bak"
Sun 23 Mar 2008 9,655 A.SH. --- "C:\Documents and Settings\Marcos.CASA\Meus documentos\Minhas músicas\Backup de Licença\drmv2key.bak"
Tue 13 May 2008 444 ...HR --- "C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\SecuROM\UserData\securom_v7_01.bak"

Finished!


~~~~~~~~~~~~~~~~~~~~~~~~


Gonna OTScan it now. I'll be right back with the log.


Regards,
Marcos

Edited by marcos.rj, 25 May 2008 - 08:08 PM.

  • 0

#36
marcos.rj

    Member

  • Topic Starter
  • 29 posts
Here's OTScanIt report.

Regards,
Marcos

Attached File  OTScanIt.zip   23.07KB   64 downloads

Edited by marcos.rj, 25 May 2008 - 08:22 PM.

  • 0

#37
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
I want to have another go with Combofix. Delete any files/folders that have been created by Combofix, then download the attached zip file:



Unzip PauBrasil to your desktop. This is a copy of Combofix that I have renamed so if there is anything blocking Combofix, it won't detect it.

Now boot into Safe Mode by restarting your computer and hitting F8. Once in Safe Mode, locate PauBrasil.exe and double click it to run it. Post me the log it creates, and let's hope that this time it doesn't crash your computer.

Regards,
RatHat
  • 0

#38
marcos.rj

    Member

  • Topic Starter
  • 29 posts
It worked perfectly.

Regards,
Marcos

PS.: Don't know if it matters, but just for the records, I've kept all entries in MSConfig enabled since I started the topic.


Here's the log:


ComboFix 08-05-21.3 - Marcos 2008-05-26 0:19:09.1 - FAT32x86 MINIMAL

Executando de: C:\Documents and Settings\Marcos.CASA\Desktop\PauBrasil\PauBrasil.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Arquivos de programas\Svconr
C:\Documents and Settings\Marcos\Dados de aplicativos\inst.exe
C:\Documents and Settings\Marcos\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\Q735W7YM\iforex.com
C:\Documents and Settings\Marcos\Dados de aplicativos\macromedia\Flash Player\#SharedObjects\Q735W7YM\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Marcos\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Marcos\Dados de aplicativos\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\NetworkService.AUTORIDADE NT\Configurações locais\Temporary Internet Files\CPV.stt
C:\KILLWIN\msettings.ini
C:\Documents and Settings\Marcos.CASA\Configurações locais\Temporary Internet Files\bestwiner.stt . . . . falha na exclusão
C:\Documents and Settings\Marcos.CASA\Configurações locais\Temporary Internet Files\CPV.stt . . . . falha na exclusão

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((( Ficheiros criados de 2008-04-26 to 2008-05-26 ))))))))))))))))))))))))))))))))
.

2008-05-25 22:43 . 2008-05-25 22:43 <DIR> d-------- C:\KILLWIN\ERUNT
2008-05-25 22:37 . 2008-05-23 03:54 <DIR> d-------- C:\SDFix
2008-05-25 21:35 . 2008-05-25 21:35 <DIR> d-------- C:\DAEMON Tools
2008-05-25 21:28 . 2008-05-25 21:28 <DIR> d--hs---- C:\FOUND.007
2008-05-25 11:30 . 2008-05-25 11:30 <DIR> d--hs---- C:\FOUND.006
2008-05-24 15:28 . 2008-05-24 15:28 94,608 --a------ C:\KILLWIN\system32\drivers\dwshd.sys
2008-05-24 15:26 . 2008-05-25 01:33 664 --a------ C:\KILLWIN\system32\d3d9caps.dat
2008-05-24 15:20 . 2008-05-24 15:20 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\DoctorWeb
2008-05-24 02:13 . 2008-05-24 02:13 <DIR> d--hs---- C:\FOUND.141
2008-05-23 08:14 . 2008-05-23 08:14 <DIR> d-------- C:\_OTMoveIt
2008-05-22 19:53 . 2008-05-22 19:53 <DIR> d-------- C:\Deckard
2008-05-22 07:57 . 2008-05-22 07:57 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-05-22 07:10 . 2008-05-22 07:10 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\PCF-VLC
2008-05-21 20:09 . 2008-05-21 20:09 <DIR> d-------- C:\Arquivos de programas\Yahoo!
2008-05-20 23:51 . 2004-08-04 00:45 15,360 --a------ C:\KILLWIN\system32\dllcache\ctfmon.exe
2008-05-20 23:51 . 2004-08-04 00:45 15,360 --a------ C:\KILLWIN\system32\ctfmon.exe
2008-05-20 11:25 . 2008-05-20 11:25 <DIR> d-------- C:\fsaua.data
2008-05-20 10:39 . 2008-05-20 10:39 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Participatory Culture Foundation
2008-05-20 10:38 . 2008-05-20 10:38 <DIR> d-------- C:\Arquivos de programas\Participatory Culture Foundation
2008-05-20 10:03 . 2008-05-20 10:03 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\PersonalBrain
2008-05-20 10:03 . 2008-05-20 10:03 97 --a------ C:\Documents and Settings\EditLiveForJava.ini
2008-05-20 10:02 . 2008-05-20 10:02 <DIR> d-------- C:\Arquivos de programas\PersonalBrain
2008-05-20 09:48 . 2008-05-20 09:48 <DIR> d-------- C:\My Brains
2008-05-20 09:47 . 2008-05-20 09:47 <DIR> d-------- C:\Arquivos de programas\TheBrain
2008-05-20 08:46 . 2008-05-20 08:46 <DIR> d-------- C:\Documents and Settings\All Users.KILLWIN\Dados de aplicativos\TechSmith
2008-05-20 08:36 . 2008-05-20 08:36 <DIR> d-------- C:\KILLWIN\system32\QuickTime
2008-05-20 08:25 . 2008-05-20 08:25 <DIR> d-------- C:\UDC Snapshots
2008-05-20 08:25 . 2008-05-20 08:25 <DIR> d-------- C:\Arquivos de programas\Universal Document Converter
2008-05-20 08:25 . 2005-12-01 20:22 5,632 --a------ C:\KILLWIN\system32\udcpm.dll
2008-05-20 08:05 . 2008-05-20 08:05 <DIR> d-------- C:\lotuspro
2008-05-20 07:57 . 2008-05-20 07:57 <DIR> d-------- C:\Arquivos de programas\TechSmith
2008-05-20 07:57 . 2008-05-20 07:57 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\TechSmith Shared
2008-05-20 07:57 . 2008-03-12 02:37 107,864 --a------ C:\KILLWIN\system32\tsccvid.dll
2008-05-19 17:54 . 2008-05-19 17:54 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Audacity
2008-05-18 23:05 . 2008-05-18 23:05 <DIR> d-------- C:\Arquivos de programas\Alwil Software
2008-05-18 23:05 . 2003-03-18 18:20 1,060,864 --a------ C:\KILLWIN\system32\MFC71.dll
2008-05-18 23:05 . 2003-03-18 17:14 499,712 --a------ C:\KILLWIN\system32\MSVCP71.dll
2008-05-18 23:05 . 2003-02-21 01:42 348,160 --a------ C:\KILLWIN\system32\MSVCR71.dll
2008-05-18 23:04 . 2008-05-18 23:04 <DIR> d-------- C:\Arquivos de programas\RootKit Hook Analyzer
2008-05-18 22:56 . 2008-05-18 22:56 <DIR> d-------- C:\Arquivos de programas\WindowsMetafileFix
2008-05-18 22:56 . 2006-01-02 22:23 3,584 --a------ C:\KILLWIN\system32\wmfhotfix.dll
2008-05-18 20:46 . 2008-05-18 20:46 <DIR> d-------- C:\Arquivos de programas\CCleaner
2008-05-18 19:36 . 2008-05-18 19:42 26 --a------ C:\KILLWIN\DGcounter.ini
2008-05-18 19:35 . 2008-05-18 19:35 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Panda Software
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Documents and Settings\All Users.KILLWIN\Dados de aplicativos\Kaspersky Lab
2008-05-13 17:01 . 2008-05-20 08:40 54,156 --ah----- C:\KILLWIN\QTFont.qfn
2008-05-13 17:01 . 2008-05-13 17:01 1,409 --a------ C:\KILLWIN\QTFont.for
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\SecuROM
2008-05-13 16:43 . 2008-05-13 16:43 126,976 --a------ C:\KILLWIN\system32\UAService7.exe
2008-05-13 05:12 . 2008-05-13 05:12 53,248 --a------ C:\KILLWIN\system32\oml.dll
2008-05-13 04:21 . 2008-05-13 04:21 <DIR> d-------- C:\Arquivos de programas\Metastock Expresso e-Book
2008-05-12 18:18 . 2008-05-12 18:24 2 --a------ C:\KILLWIN\system32\RICHTX.DEP
2008-05-08 08:00 . 2008-05-08 08:00 <DIR> dr------- C:\Documents and Settings\NetworkService.AUTORIDADE NT\Favoritos
2008-05-08 08:00 . 2008-05-08 08:00 <DIR> d-------- C:\Documents and Settings\NetworkService.AUTORIDADE NT\Dados de aplicativos\MEGAUPLOADTOOLBAR
2008-05-02 09:25 . 2008-05-02 09:25 <DIR> d-------- C:\Arquivos de programas\AMP Font Viewer
2008-04-28 13:17 . 2008-04-28 13:17 <DIR> d-------- C:\Arquivos de programas\SourceTec
2008-04-28 13:17 . 2008-04-28 13:17 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\SourceTec
2008-04-26 07:14 . 2008-04-26 07:14 33,280 --a------ C:\KILLWIN\system32\nRXLf3X2.dll

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 07:39 --------- d-----w C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\iPodder
2008-04-24 07:39 --------- d-----w C:\Arquivos de programas\Juice
2008-04-24 05:47 --------- d-----w C:\Arquivos de programas\MagicISO
2008-04-24 05:45 --------- d-----w C:\Arquivos de programas\MagicISO Maker v5 4
2008-04-22 08:07 --------- d-----w C:\Arquivos de programas\Stardock
2008-04-22 08:07 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Stardock
2008-04-19 23:53 --------- d-----w C:\Arquivos de programas\Inet_Get_2
2008-04-14 18:26 --------- d-----w C:\Documents and Settings\All Users.KILLWIN\Dados de aplicativos\GbPlugin
2008-04-14 18:26 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-04-13 08:37 --------- d-----w C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\MegauploadToolbar
2008-04-13 08:37 --------- d-----w C:\Arquivos de programas\MegauploadToolbar
2008-04-13 01:01 --------- d-----w C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Lexmark Productivity Studio
2008-04-07 02:45 --------- d-----w C:\Arquivos de programas\passFIRST-Certificate-Demo
2008-03-31 00:54 --------- d-----w C:\Arquivos de programas\QuienNoAdmitido
2008-03-12 23:27 50,520 ----a-w C:\KILLWIN\system32\csvidcap.dll
2007-08-20 14:21 94,208 ----a-w C:\Documents and Settings\Marcos\Dados de aplicativos\ezplay.sys
2007-08-20 14:21 47,360 ----a-w C:\Documents and Settings\Marcos\Dados de aplicativos\pcouffin.sys
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\KILLWIN\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"Steam"="C:\Arquivos de programas\Steam\Steam.exe" [ ]
"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-06-08 15:18 23233576]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"DAEMON Tools Lite"="C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-01-17 14:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdjamon"="C:\Arquivos de programas\Lexmark 1400 Series\lxdjamon.exe" [2007-04-30 08:19 20480]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-18 23:06 79224]
"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2007-12-20 13:16 37376]
"UDC Integration"="C:\ARQUIV~1\UNIVER~1\getstart.exe" [2006-02-06 19:00 159744]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"nwiz"="nwiz.exe" [2002-01-15 05:06 299008 C:\KILLWIN\system32\nwiz.exe]
"NvCplDaemon"="NvQTwk" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\KILLWIN\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\Documents and Settings\Marcos\Menu Iniciar\Programas\Inicializar\
Recorte de tela e Iniciador do OneNote 2007.lnk - C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\Marcos.CASA\Menu Iniciar\Programas\Inicializar\
Stardock ObjectDock.lnk - C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe [2008-04-22 05:07:27 2746104]
Recorte de tela e Iniciador do OneNote 2007.lnk - C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
PersonalBrain 4.lnk - C:\Arquivos de programas\PersonalBrain\PersonalBrainS.exe [2008-05-20 10:02:37 221184]

C:\Documents and Settings\All Users.KILLWIN\Menu Iniciar\Programas\Inicializar\
PalTalk.lnk - C:\Arquivos de programas\Paltalk Messenger\paltalk.exe [2008-05-08 19:17:29 10452992]
InterVideo WinCinema Manager.lnk - C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-08-04 17:17:11 278528]
Adobe Reader Synchronizer.lnk - C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehcef.dll [2008-03-05 11:29 341576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
C:\Arquivos de programas\GbPlugin\gbiehcef.dll 2008-03-05 11:29 341576 C:\Arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\KILLWIN\system32\wmfhotfix.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\Paltalk Messenger\\paltalk.exe"=
"C:\\KILLWIN\\System32\\lxdjcoms.exe"=
"C:\\Arquivos de programas\\Lexmark 1400 Series\\lxdjamon.exe"=
"C:\\Arquivos de programas\\Lexmark 1400 Series\\App4R.exe"=
"C:\\KILLWIN\\System32\\spool\\drivers\\W32X86\\3\\lxdjwbgw.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\Arquivos de programas\\Mozilla Firefox\\FIREFOX.EXE"=
"C:\\Arquivos de programas\\Avant Browser\\avant.exe"=
"D:\\Arquivos de Programas\\DreMule\\emule.exe"=
"C:\\Arquivos de programas\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjPSWX.EXE"=
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjjswx.exe"=
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDJtime.exe"=

R1 aswSP;avast! Self Protection;C:\KILLWIN\system32\drivers\aswSP.sys [2008-05-15 20:20]
R2 aswFsBlk;aswFsBlk;C:\KILLWIN\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]
S2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;C:\KILLWIN\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe [2007-06-11 11:17]

.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-26 03:00:02 C:\KILLWIN\Tasks\At1.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-24 04:00:02 C:\KILLWIN\Tasks\At2.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 05:00:02 C:\KILLWIN\Tasks\At3.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 06:00:02 C:\KILLWIN\Tasks\At4.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 07:00:02 C:\KILLWIN\Tasks\At5.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 08:00:02 C:\KILLWIN\Tasks\At6.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 09:00:02 C:\KILLWIN\Tasks\At7.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 10:00:02 C:\KILLWIN\Tasks\At8.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 11:00:02 C:\KILLWIN\Tasks\At9.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 12:00:02 C:\KILLWIN\Tasks\At10.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 13:00:02 C:\KILLWIN\Tasks\At11.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 14:00:02 C:\KILLWIN\Tasks\At12.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 15:00:00 C:\KILLWIN\Tasks\At13.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 16:00:00 C:\KILLWIN\Tasks\At14.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 17:00:00 C:\KILLWIN\Tasks\At15.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 18:00:00 C:\KILLWIN\Tasks\At16.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 19:00:00 C:\KILLWIN\Tasks\At17.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 20:00:00 C:\KILLWIN\Tasks\At18.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 21:00:00 C:\KILLWIN\Tasks\At19.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 22:00:02 C:\KILLWIN\Tasks\At20.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 23:00:02 C:\KILLWIN\Tasks\At21.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 00:00:02 C:\KILLWIN\Tasks\At22.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 01:00:02 C:\KILLWIN\Tasks\At23.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 02:00:02 C:\KILLWIN\Tasks\At24.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-23 20:15:02 C:\KILLWIN\Tasks\1-Click Maintenance.job"
- C:\Arquivos de programas\TuneUp Utilities 2008\OneClick.exe
"2008-05-22 22:09:02 C:\KILLWIN\Tasks\AppleSoftwareUpdate.job"
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2008-05-26 03:11:02 C:\KILLWIN\Tasks\At73.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-24 07:11:42 C:\KILLWIN\Tasks\At74.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 05:00:02 C:\KILLWIN\Tasks\At75.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 06:00:02 C:\KILLWIN\Tasks\At76.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 07:00:02 C:\KILLWIN\Tasks\At77.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 08:00:02 C:\KILLWIN\Tasks\At78.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 09:00:02 C:\KILLWIN\Tasks\At79.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 10:00:02 C:\KILLWIN\Tasks\At80.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 11:00:02 C:\KILLWIN\Tasks\At81.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 12:00:02 C:\KILLWIN\Tasks\At82.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 13:00:02 C:\KILLWIN\Tasks\At83.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 14:00:02 C:\KILLWIN\Tasks\At84.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 15:00:02 C:\KILLWIN\Tasks\At85.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 16:00:02 C:\KILLWIN\Tasks\At86.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 17:00:02 C:\KILLWIN\Tasks\At87.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 18:00:02 C:\KILLWIN\Tasks\At88.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 19:00:02 C:\KILLWIN\Tasks\At89.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 20:00:00 C:\KILLWIN\Tasks\At90.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 21:00:02 C:\KILLWIN\Tasks\At91.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 22:00:02 C:\KILLWIN\Tasks\At92.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 23:00:02 C:\KILLWIN\Tasks\At93.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 00:00:02 C:\KILLWIN\Tasks\At94.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 01:00:02 C:\KILLWIN\Tasks\At95.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 02:00:02 C:\KILLWIN\Tasks\At96.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 00:26:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\KILLWIN\explorer.exe
-> C:\Arquivos de programas\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\GBPSV.EXE
C:\KILLWIN\SYSTEM32\LXDJCOMS.EXE
C:\KILLWIN\SYSTEM32\WDFMGR.EXE
C:\KILLWIN\system32\UAService7.exe
C:\KILLWIN\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-05-26 0:29:50 - machine was rebooted [Marcos]
ComboFix-quarantined-files.txt 2008-05-26 03:29:46

Pre-Run: 5,254,250,496 bytes disponíveis
Post-Run: 5,303,107,584 bytes disponíveis

299

#39
RatHat

Finally we got it to run, and it has killed the srosa driver that comes with bagle :)

Now let's start cleaning up, and have another look for the dropper.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\KILLWIN\system32\drivers\dwshd.sys
C:\KILLWIN\system32\d3d9caps.dat
C:\KILLWIN\system32\nRXLf3X2.dll
C:\KILLWIN\system32\ob227n37.exe

Folder::
C:\FOUND.007
C:\FOUND.006
C:\FOUND.141

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=-
"D:\\Arquivos de Programas\\DreMule\\emule.exe"=-


3. Save the above as CFScript.txt

4. Boot into safe mode again, then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. If Combofix doesn't reboot your computer, then reboot it normally.


6. Run ATF Cleaner again, then run a new F-Secure scan and post me the results along with the Combofix log.

Regards,
RatHat

#40
marcos.rj

ComboFix worked ok again (but why is it this warning keeps turning up?):


ComboFix 08-05-21.3 - Marcos 2008-05-26 2:43:44.2 - FAT32x86 MINIMAL

Executando de: C:\Documents and Settings\Marcos.CASA\Desktop\PauBrasil.exe
Command switches used :: C:\Documents and Settings\Marcos.CASA\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\KILLWIN\system32\d3d9caps.dat
C:\KILLWIN\system32\drivers\dwshd.sys
C:\KILLWIN\system32\nRXLf3X2.dll
C:\KILLWIN\system32\ob227n37.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.006
C:\FOUND.006\FILE0000.CHK
C:\FOUND.006\FILE0001.CHK
C:\FOUND.006\FILE0002.CHK
C:\FOUND.007
C:\FOUND.007\FILE0000.CHK
C:\FOUND.007\FILE0001.CHK
C:\FOUND.007\FILE0002.CHK
C:\FOUND.007\FILE0003.CHK
C:\FOUND.007\FILE0004.CHK
C:\FOUND.007\FILE0005.CHK
C:\FOUND.141
C:\FOUND.141\FILE0000.CHK
C:\FOUND.141\FILE0001.CHK
C:\FOUND.141\FILE0002.CHK
C:\FOUND.141\FILE0003.CHK
C:\FOUND.141\FILE0004.CHK
C:\KILLWIN\system32\d3d9caps.dat
C:\KILLWIN\system32\drivers\dwshd.sys
C:\KILLWIN\system32\nRXLf3X2.dll
C:\Documents and Settings\Marcos.CASA\Configurações locais\Temporary Internet Files\bestwiner.stt . . . . falha na exclusão
C:\Documents and Settings\Marcos.CASA\Configurações locais\Temporary Internet Files\CPV.stt . . . . falha na exclusão

.
((((((((((((((((((((((( Ficheiros criados de 2008-04-26 to 2008-05-26 ))))))))))))))))))))))))))))))))
.

2008-05-26 00:29 . 2008-05-26 00:29 <DIR> d-------- C:\KILLWIN\system32\config\systemprofile\Configurações locais
2008-05-26 00:29 . 2008-05-26 00:29 <DIR> d-------- C:\Documents and Settings\NetworkService.AUTORIDADE NT\Configurações locais
2008-05-26 00:29 . 2008-05-26 00:29 <DIR> d-------- C:\Documents and Settings\Marcos\Configurações locais
2008-05-26 00:29 . 2008-05-26 00:29 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Configurações locais
2008-05-26 00:29 . 2008-05-26 00:29 <DIR> d-------- C:\Documents and Settings\LocalService.AUTORIDADE NT\Configurações locais
2008-05-26 00:29 . 2008-05-26 00:29 <DIR> d-------- C:\Documents and Settings\Gamer\Configurações locais
2008-05-26 00:29 . 2008-05-26 00:29 <DIR> d-------- C:\Documents and Settings\Default User.KILLWIN\Configurações locais
2008-05-25 22:43 . 2008-05-25 22:43 <DIR> d-------- C:\KILLWIN\ERUNT
2008-05-25 22:37 . 2008-05-23 03:54 <DIR> d-------- C:\SDFix
2008-05-25 21:35 . 2008-05-25 21:35 <DIR> d-------- C:\DAEMON Tools
2008-05-24 15:20 . 2008-05-24 15:20 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\DoctorWeb
2008-05-23 08:14 . 2008-05-23 08:14 <DIR> d-------- C:\_OTMoveIt
2008-05-22 19:53 . 2008-05-22 19:53 <DIR> d-------- C:\Deckard
2008-05-22 07:57 . 2008-05-22 07:57 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-05-22 07:10 . 2008-05-22 07:10 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\PCF-VLC
2008-05-21 20:09 . 2008-05-21 20:09 <DIR> d-------- C:\Arquivos de programas\Yahoo!
2008-05-20 23:51 . 2004-08-04 00:45 15,360 --a------ C:\KILLWIN\system32\dllcache\ctfmon.exe
2008-05-20 23:51 . 2004-08-04 00:45 15,360 --a------ C:\KILLWIN\system32\ctfmon.exe
2008-05-20 11:25 . 2008-05-20 11:25 <DIR> d-------- C:\fsaua.data
2008-05-20 10:39 . 2008-05-20 10:39 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Participatory Culture Foundation
2008-05-20 10:38 . 2008-05-20 10:38 <DIR> d-------- C:\Arquivos de programas\Participatory Culture Foundation
2008-05-20 10:03 . 2008-05-20 10:03 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\PersonalBrain
2008-05-20 10:03 . 2008-05-20 10:03 97 --a------ C:\Documents and Settings\EditLiveForJava.ini
2008-05-20 10:02 . 2008-05-20 10:02 <DIR> d-------- C:\Arquivos de programas\PersonalBrain
2008-05-20 09:48 . 2008-05-20 09:48 <DIR> d-------- C:\My Brains
2008-05-20 09:47 . 2008-05-20 09:47 <DIR> d-------- C:\Arquivos de programas\TheBrain
2008-05-20 08:46 . 2008-05-20 08:46 <DIR> d-------- C:\Documents and Settings\All Users.KILLWIN\Dados de aplicativos\TechSmith
2008-05-20 08:36 . 2008-05-20 08:36 <DIR> d-------- C:\KILLWIN\system32\QuickTime
2008-05-20 08:25 . 2008-05-20 08:25 <DIR> d-------- C:\UDC Snapshots
2008-05-20 08:25 . 2008-05-20 08:25 <DIR> d-------- C:\Arquivos de programas\Universal Document Converter
2008-05-20 08:25 . 2005-12-01 20:22 5,632 --a------ C:\KILLWIN\system32\udcpm.dll
2008-05-20 08:05 . 2008-05-20 08:05 <DIR> d-------- C:\lotuspro
2008-05-20 07:57 . 2008-05-20 07:57 <DIR> d-------- C:\Arquivos de programas\TechSmith
2008-05-20 07:57 . 2008-05-20 07:57 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\TechSmith Shared
2008-05-20 07:57 . 2008-03-12 02:37 107,864 --a------ C:\KILLWIN\system32\tsccvid.dll
2008-05-19 17:54 . 2008-05-19 17:54 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Audacity
2008-05-18 23:05 . 2008-05-18 23:05 <DIR> d-------- C:\Arquivos de programas\Alwil Software
2008-05-18 23:05 . 2003-03-18 18:20 1,060,864 --a------ C:\KILLWIN\system32\MFC71.dll
2008-05-18 23:05 . 2003-03-18 17:14 499,712 --a------ C:\KILLWIN\system32\MSVCP71.dll
2008-05-18 23:05 . 2003-02-21 01:42 348,160 --a------ C:\KILLWIN\system32\MSVCR71.dll
2008-05-18 23:04 . 2008-05-18 23:04 <DIR> d-------- C:\Arquivos de programas\RootKit Hook Analyzer
2008-05-18 22:56 . 2008-05-18 22:56 <DIR> d-------- C:\Arquivos de programas\WindowsMetafileFix
2008-05-18 22:56 . 2006-01-02 22:23 3,584 --a------ C:\KILLWIN\system32\wmfhotfix.dll
2008-05-18 20:46 . 2008-05-18 20:46 <DIR> d-------- C:\Arquivos de programas\CCleaner
2008-05-18 19:36 . 2008-05-18 19:42 26 --a------ C:\KILLWIN\DGcounter.ini
2008-05-18 19:35 . 2008-05-18 19:35 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Panda Software
2008-05-17 20:41 . 2008-05-17 20:41 <DIR> d-------- C:\Documents and Settings\All Users.KILLWIN\Dados de aplicativos\Kaspersky Lab
2008-05-13 17:01 . 2008-05-20 08:40 54,156 --ah----- C:\KILLWIN\QTFont.qfn
2008-05-13 17:01 . 2008-05-13 17:01 1,409 --a------ C:\KILLWIN\QTFont.for
2008-05-13 16:43 . 2008-05-13 16:43 <DIR> d-------- C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\SecuROM
2008-05-13 16:43 . 2008-05-13 16:43 126,976 --a------ C:\KILLWIN\system32\UAService7.exe
2008-05-13 05:12 . 2008-05-13 05:12 53,248 --a------ C:\KILLWIN\system32\oml.dll
2008-05-13 04:21 . 2008-05-13 04:21 <DIR> d-------- C:\Arquivos de programas\Metastock Expresso e-Book
2008-05-12 18:18 . 2008-05-12 18:24 2 --a------ C:\KILLWIN\system32\RICHTX.DEP
2008-05-08 08:00 . 2008-05-08 08:00 <DIR> dr------- C:\Documents and Settings\NetworkService.AUTORIDADE NT\Favoritos
2008-05-08 08:00 . 2008-05-08 08:00 <DIR> d-------- C:\Documents and Settings\NetworkService.AUTORIDADE NT\Dados de aplicativos\MEGAUPLOADTOOLBAR
2008-05-02 09:25 . 2008-05-02 09:25 <DIR> d-------- C:\Arquivos de programas\AMP Font Viewer
2008-04-28 13:17 . 2008-04-28 13:17 <DIR> d-------- C:\Arquivos de programas\SourceTec
2008-04-28 13:17 . 2008-04-28 13:17 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\SourceTec

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 07:39 --------- d-----w C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\iPodder
2008-04-24 07:39 --------- d-----w C:\Arquivos de programas\Juice
2008-04-24 05:47 --------- d-----w C:\Arquivos de programas\MagicISO
2008-04-24 05:45 --------- d-----w C:\Arquivos de programas\MagicISO Maker v5 4
2008-04-22 08:07 --------- d-----w C:\Arquivos de programas\Stardock
2008-04-22 08:07 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Stardock
2008-04-19 23:53 --------- d-----w C:\Arquivos de programas\Inet_Get_2
2008-04-14 18:26 --------- d-----w C:\Documents and Settings\All Users.KILLWIN\Dados de aplicativos\GbPlugin
2008-04-14 18:26 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-04-13 08:37 --------- d-----w C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\MegauploadToolbar
2008-04-13 08:37 --------- d-----w C:\Arquivos de programas\MegauploadToolbar
2008-04-13 01:01 --------- d-----w C:\Documents and Settings\Marcos.CASA\Dados de aplicativos\Lexmark Productivity Studio
2008-04-07 02:45 --------- d-----w C:\Arquivos de programas\passFIRST-Certificate-Demo
2008-03-31 00:54 --------- d-----w C:\Arquivos de programas\QuienNoAdmitido
2008-03-12 23:27 50,520 ----a-w C:\KILLWIN\system32\csvidcap.dll
2007-08-20 14:21 94,208 ----a-w C:\Documents and Settings\Marcos\Dados de aplicativos\ezplay.sys
2007-08-20 14:21 47,360 ----a-w C:\Documents and Settings\Marcos\Dados de aplicativos\pcouffin.sys
.

((((((((((((((((((((((((((((( [email protected]_ 0.29.25.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-26 03:23:20 2,048 --s-a-w C:\KILLWIN\bootstat.dat
+ 2008-05-26 05:47:02 2,048 --s-a-w C:\KILLWIN\bootstat.dat
+ 2008-05-26 05:49:30 16,384 ----a-w C:\KILLWIN\TEMP\Perflib_Perfdata_264.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\KILLWIN\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-06-08 15:18 23233576]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"DAEMON Tools Lite"="C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-01-17 14:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdjamon"="C:\Arquivos de programas\Lexmark 1400 Series\lxdjamon.exe" [2007-04-30 08:19 20480]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-18 23:06 79224]
"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2007-12-20 13:16 37376]
"UDC Integration"="C:\ARQUIV~1\UNIVER~1\getstart.exe" [2006-02-06 19:00 159744]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"nwiz"="nwiz.exe" [2002-01-15 05:06 299008 C:\KILLWIN\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\KILLWIN\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\Documents and Settings\Marcos\Menu Iniciar\Programas\Inicializar\
Recorte de tela e Iniciador do OneNote 2007.lnk - C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\Marcos.CASA\Menu Iniciar\Programas\Inicializar\
Stardock ObjectDock.lnk - C:\Arquivos de programas\Stardock\ObjectDock\ObjectDock.exe [2008-04-22 05:07:27 2746104]
Recorte de tela e Iniciador do OneNote 2007.lnk - C:\Arquivos de programas\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]
PersonalBrain 4.lnk - C:\Arquivos de programas\PersonalBrain\PersonalBrainS.exe [2008-05-20 10:02:37 221184]

C:\Documents and Settings\All Users.KILLWIN\Menu Iniciar\Programas\Inicializar\
PalTalk.lnk - C:\Arquivos de programas\Paltalk Messenger\paltalk.exe [2008-05-08 19:17:29 10452992]
InterVideo WinCinema Manager.lnk - C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-08-04 17:17:11 278528]
Adobe Reader Synchronizer.lnk - C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399003}"= C:\Arquivos de programas\GbPlugin\gbiehcef.dll [2008-03-05 11:29 341576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [2007-03-27 01:29 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginCef]
C:\Arquivos de programas\GbPlugin\gbiehcef.dll 2008-03-05 11:29 341576 C:\Arquivos de programas\GbPlugin\gbiehcef.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\KILLWIN\system32\wmfhotfix.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\Paltalk Messenger\\paltalk.exe"=
"C:\\KILLWIN\\System32\\lxdjcoms.exe"=
"C:\\Arquivos de programas\\Lexmark 1400 Series\\lxdjamon.exe"=
"C:\\Arquivos de programas\\Lexmark 1400 Series\\App4R.exe"=
"C:\\KILLWIN\\System32\\spool\\drivers\\W32X86\\3\\lxdjwbgw.exe"=
"C:\\Arquivos de programas\\Mozilla Firefox\\FIREFOX.EXE"=
"C:\\Arquivos de programas\\Avant Browser\\avant.exe"=
"C:\\Arquivos de programas\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjPSWX.EXE"=
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdjjswx.exe"=
"C:\\KILLWIN\\System32\\SPOOL\\DRIVERS\\W32X86\\3\\LXDJtime.exe"=

R1 aswSP;avast! Self Protection;C:\KILLWIN\system32\drivers\aswSP.sys [2008-05-15 20:20]
R2 aswFsBlk;aswFsBlk;C:\KILLWIN\system32\DRIVERS\aswFsBlk.sys [2008-05-15 20:16]
S2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;C:\KILLWIN\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe [2007-06-11 11:17]

.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-26 03:00:02 C:\KILLWIN\Tasks\At1.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 04:00:02 C:\KILLWIN\Tasks\At2.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 05:00:00 C:\KILLWIN\Tasks\At3.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 06:00:02 C:\KILLWIN\Tasks\At4.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 07:00:02 C:\KILLWIN\Tasks\At5.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 08:00:02 C:\KILLWIN\Tasks\At6.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 09:00:02 C:\KILLWIN\Tasks\At7.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 10:00:02 C:\KILLWIN\Tasks\At8.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 11:00:02 C:\KILLWIN\Tasks\At9.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 12:00:02 C:\KILLWIN\Tasks\At10.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 13:00:02 C:\KILLWIN\Tasks\At11.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 14:00:02 C:\KILLWIN\Tasks\At12.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 15:00:00 C:\KILLWIN\Tasks\At13.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 16:00:00 C:\KILLWIN\Tasks\At14.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 17:00:00 C:\KILLWIN\Tasks\At15.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 18:00:00 C:\KILLWIN\Tasks\At16.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 19:00:00 C:\KILLWIN\Tasks\At17.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 20:00:00 C:\KILLWIN\Tasks\At18.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 21:00:00 C:\KILLWIN\Tasks\At19.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 22:00:02 C:\KILLWIN\Tasks\At20.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-25 23:00:02 C:\KILLWIN\Tasks\At21.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 00:00:02 C:\KILLWIN\Tasks\At22.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 01:00:02 C:\KILLWIN\Tasks\At23.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 02:00:02 C:\KILLWIN\Tasks\At24.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-23 20:15:02 C:\KILLWIN\Tasks\1-Click Maintenance.job"
- C:\Arquivos de programas\TuneUp Utilities 2008\OneClick.exe
"2008-05-22 22:09:02 C:\KILLWIN\Tasks\AppleSoftwareUpdate.job"
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2008-05-26 03:11:02 C:\KILLWIN\Tasks\At73.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 04:00:02 C:\KILLWIN\Tasks\At74.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 05:00:02 C:\KILLWIN\Tasks\At75.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 06:00:02 C:\KILLWIN\Tasks\At76.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 07:00:02 C:\KILLWIN\Tasks\At77.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 08:00:02 C:\KILLWIN\Tasks\At78.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 09:00:02 C:\KILLWIN\Tasks\At79.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 10:00:02 C:\KILLWIN\Tasks\At80.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 11:00:02 C:\KILLWIN\Tasks\At81.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 12:00:02 C:\KILLWIN\Tasks\At82.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 13:00:02 C:\KILLWIN\Tasks\At83.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 14:00:02 C:\KILLWIN\Tasks\At84.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 15:00:02 C:\KILLWIN\Tasks\At85.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 16:00:02 C:\KILLWIN\Tasks\At86.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 17:00:02 C:\KILLWIN\Tasks\At87.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 18:00:02 C:\KILLWIN\Tasks\At88.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 19:00:02 C:\KILLWIN\Tasks\At89.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 20:00:00 C:\KILLWIN\Tasks\At90.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 21:00:02 C:\KILLWIN\Tasks\At91.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 22:00:02 C:\KILLWIN\Tasks\At92.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-25 23:00:02 C:\KILLWIN\Tasks\At93.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 00:00:02 C:\KILLWIN\Tasks\At94.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 01:00:02 C:\KILLWIN\Tasks\At95.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 02:00:02 C:\KILLWIN\Tasks\At96.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 02:48:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\KILLWIN\explorer.exe
-> C:\Arquivos de programas\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\GBPSV.EXE
C:\KILLWIN\SYSTEM32\LXDJCOMS.EXE
C:\KILLWIN\SYSTEM32\WDFMGR.EXE
C:\KILLWIN\system32\UAService7.exe
C:\KILLWIN\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-05-26 2:51:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 05:51:40
ComboFix2.txt 2008-05-26 03:29:52

Pre-Run: 5,286,526,976 bytes disponíveis
Post-Run: 5,296,357,376 bytes disponíveis

318

~~~~~~~~~~~~

F-Secure Online Scan comes in the following post.

Regards,
Marcos
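
Added example (not part of the thread, and not ComboFix's own code): Python that reads a scheduled-task listing in the layout of the ComboFix log above together with the File:: block of the CFScript, groups the At<N>.job entries by target, and reports which targets the script already named and which it did not. The task lines are a constructed excerpt of the log; the function names, status strings and the two-job threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the 'Tarefas Agendadas' section above.
SAMPLE_TASKS = r'''
"2008-05-26 03:00:02 C:\KILLWIN\Tasks\At1.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-26 04:00:02 C:\KILLWIN\Tasks\At2.job"
- C:\KILLWIN\system32\ob227n37.exe
"2008-05-23 20:15:02 C:\KILLWIN\Tasks\1-Click Maintenance.job"
- C:\Arquivos de programas\TuneUp Utilities 2008\OneClick.exe
"2008-05-26 03:11:02 C:\KILLWIN\Tasks\At73.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
"2008-05-26 04:00:02 C:\KILLWIN\Tasks\At74.job"
- C:\KILLWIN\system32\rVCPj3C2.exe
'''

# File:: and Folder:: directives as posted in the CFScript (Folder:: shortened).
SAMPLE_CFSCRIPT = r'''
File::
C:\KILLWIN\system32\drivers\dwshd.sys
C:\KILLWIN\system32\d3d9caps.dat
C:\KILLWIN\system32\nRXLf3X2.dll
C:\KILLWIN\system32\ob227n37.exe

Folder::
C:\FOUND.007
'''

JOB_LINE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
AT_JOB = re.compile(r'\\At\d+\.job$', re.IGNORECASE)  # jobs named At<N>.job


def parse_tasks(text):
    """Return [(job_path, target_path)] from the job line / '- target' pairs."""
    tasks, job = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = JOB_LINE.match(line)
        if match:
            job = match.group(2)
        elif line.startswith("- ") and job:
            tasks.append((job, line[2:].strip()))
            job = None
    return tasks


def parse_cfscript_files(text):
    """Return the lower-cased paths listed under the File:: directive."""
    files, section = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            section = line[:-2].lower()
        elif line and section == "file":
            files.add(line.lower())
    return files


def review_tasks(tasks_text, cfscript_text, min_jobs=2):
    """Group At<N>.job entries by target and say what still needs a look."""
    scripted = parse_cfscript_files(cfscript_text)
    by_target = defaultdict(list)
    for job, target in parse_tasks(tasks_text):
        if AT_JOB.search(job):
            by_target[target].append(job.rsplit("\\", 1)[-1])
    report = {}
    for target, jobs in by_target.items():
        if len(jobs) < min_jobs:  # assumption: a lone At job is not a cluster
            continue
        if target.lower() in scripted:
            status = "target named in File::, jobs still listed"
        else:
            status = "target not in CFScript, review"
        report[target] = {"jobs": jobs, "status": status}
    return report


if __name__ == "__main__":
    for target, info in review_tasks(SAMPLE_TASKS, SAMPLE_CFSCRIPT).items():
        print(f"{target}: {len(info['jobs'])} At jobs -> {info['status']}")
```
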

#41
marcos.rj

Here it is:



Scanning Report
Monday, May 26, 2008 02:59:10 - 04:54:46

Computer name: CASA
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 7 malware found
SDBot.CQL (virus)

* C:\_OTMOVEIT\MOVEDFILES\05252008_210232\BACKUPS\EDICAO\VIDEO\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52-FFF\MOV.TO.MPG.AVI.WMV.CONVERTER.1.52_CRK-FFF\CRACK.EXE (Submitted)

Trojan-Clicker.Win32.Costrat.hd (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{870A3C65-BA33-45AA-A268-C7AD3757D792}\RP213\A0203067.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Agent.mcj (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{870A3C65-BA33-45AA-A268-C7AD3757D792}\RP213\A0203069.CPL (Renamed)

Trojan-Downloader.Win32.Agent.ofz (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{870A3C65-BA33-45AA-A268-C7AD3757D792}\RP213\A0203066.EXE (Renamed & Submitted)

Trojan-Spy.Win32.Banker.fgw (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{870A3C65-BA33-45AA-A268-C7AD3757D792}\RP213\A0203070.EXE (Renamed & Submitted)

Trojan.Win32.BHO.blh (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{870A3C65-BA33-45AA-A268-C7AD3757D792}\RP213\A0203068.EXE (Renamed & Submitted)

W32/Downloader (virus)

* C:\_OTMOVEIT\MOVEDFILES\05232008_081455\KILLWIN\B138.EXE (Submitted)

Statistics
Scanned:

* Files: 75255
* System: 4018
* Not scanned: 19

Actions:

* Disinfected: 0
* Renamed: 5
* Deleted: 0
* None: 2
* Submitted: 6

Files not scanned:

* C:\PAGEFILE.SYS
* C:\KILLWIN\SYSTEM32\DRIVERS\SPTD.SYS
* C:\KILLWIN\SYSTEM32\CONFIG\SECURITY
* C:\KILLWIN\SYSTEM32\CONFIG\SOFTWARE
* C:\KILLWIN\SYSTEM32\CONFIG\SYSTEM
* C:\KILLWIN\SYSTEM32\CONFIG\DEFAULT
* C:\KILLWIN\SYSTEM32\CONFIG\SAM
* D:\19EC50888B3A268EEE6D\SPMSG.DLL
* D:\19EC50888B3A268EEE6D\SPUNINST.EXE
* D:\19EC50888B3A268EEE6D\SPUPDSVC.EXE
* D:\19EC50888B3A268EEE6D\WUDFCOINSTALLER.DLL
* D:\19EC50888B3A268EEE6D\WUDFCUSTOM.DLL
* D:\19EC50888B3A268EEE6D\WUDFHOST.EXE
* D:\19EC50888B3A268EEE6D\WUDFPF.SYS
* D:\19EC50888B3A268EEE6D\WUDFPLATFORM.DLL
* D:\19EC50888B3A268EEE6D\WUDFRD.SYS
* D:\19EC50888B3A268EEE6D\WUDFSVC.DLL
* D:\19EC50888B3A268EEE6D\WUDFX.DLL
* D:\19EC50888B3A268EEE6D\WUDF_UPDATE.INF

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-05-26
* F-Secure AVP: 7.0.171, 2008-05-26
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Have a good day.
Marcos

#42
RatHat

    Ex Malware Expert

The warning is regarding the Windows Recovery Console. It is an option that we have to assist if something goes drastically wrong, and as a help against future infection recovery. If you are going to reformat this system, then it is not worth installing just now, but I can give you pointers on how to install it later if you want to.

Now how is your system behaving now?

Regards,
RatHat

#43
marcos.rj

    Member

  • Topic Starter

So I guess the recovery system helps me set a restore point, isn't it? I'd like to know how anyway. I'll be more cautious from now on and, just to be on the safe side, I won't reformat the system until I have backups of all my files.

Computer is running fine, no pop ups or strange stuff. Did F-Secure scan finish the job up? Am I cleaned up already?

Regards,
Marcos

#44
RatHat

    Ex Malware Expert

F-Secure is only showing files in your restore points and in quarantined files that we have already dealt with; we'll clean them up in a minute.

The Recovery Console doesn't really do anything other than to allow us to bypass the Windows boot menu and work from the Master Boot Record (MBR) which is useful on totally crapped out machines, and also against future malware, where the trend looks like it will be needed more often. We can install it next.

Now I would like to say you are clean, but I cannot be one hundred percent sure until you have been running it normally for a few days. What we will do now though is to clean up all the files we have used, set a new restore point, and install a few preventative programs. Then I'll keep this log open, and if you could let me know how things are running in a couple of days, then I can tell you if you are in the clear.

One thing I would recommend is to uninstall all the P2P programs that you have, and steer clear of them in the future. The malware writers love P2P programs, as they can spread infected files quickly, and use the P2P program as a conduit to download additional malware without you even knowing it is happening.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now for the recovery console.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, let's clean up.

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Note that you will need to delete PauBrasil.exe yourself.

Next, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 6). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java™ 6 Update 6
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So run your machine normally for a couple of days, then let me know here if anything has changed, or if all is still OK.

Regards,
RatHat
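The reply above reads the F-Secure report by where each detection sits: restore points and already-quarantined files versus anything else. The sketch below does that triage on a report in the same layout; it is an added example, not part of the original thread, and it assumes System Restore snapshots live under `System Volume Information\_restore...` and ComboFix quarantines under `\Qoobox\` (the OTScanIt `MovedFiles` folder is taken from the report itself). The sample report is constructed.

```python
import re

# Path fragments that mark a detection as already contained rather than live.
# Assumptions for this example: System Restore keeps snapshots under
# "System Volume Information\_restore{...}" and ComboFix quarantines to
# "\Qoobox\"; "\OTScanIt\MovedFiles\" appears in the report in this thread.
CONTAINED = {
    "restore_point": re.compile(r"\\SYSTEM VOLUME INFORMATION\\_RESTORE", re.I),
    "quarantine": re.compile(r"\\(QOOBOX|OTSCANIT\\MOVEDFILES)\\", re.I),
}
FINDING = re.compile(r"^(?P<name>\S.*?) \((?P<kind>virus|spyware)\)$")
TARGET = re.compile(r"^\* (?P<path>.+?)(?: \((?P<action>[^()]*)\))?$")

# Constructed sample in the report's layout; the last finding is invented.
SAMPLE = r"""
Trojan-Clicker.Win32.Costrat.hd (virus)
* C:\KJYH.EXE
Trojan.Win32.BHO.blh (virus)
* C:\DOCUMENTS AND SETTINGS\MARCOS.CASA\DESKTOP\OTSCANIT\MOVEDFILES\05242008_032725\C_KILLWIN\B155.EXE (Renamed & Submitted)
Example.Detection (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{EXAMPLE-GUID}\RP1\A0000001.EXE
* C:\QOOBOX\QUARANTINE\C\EXAMPLE.EXE.VIR
"""


def classify(path):
    """Return 'restore_point', 'quarantine', 'no_path' or 'live' for a target."""
    if path.strip().lower() == "system":
        return "no_path"  # the report gives "System" instead of a file path
    for label, pattern in CONTAINED.items():
        if pattern.search(path):
            return label
    return "live"


def triage(report_text):
    """Parse 'Name (type)' headings and '* path (action)' bullets into rows."""
    rows, current = [], None
    for line in report_text.splitlines():
        line = line.strip()
        heading = FINDING.match(line)
        if heading:
            current = heading.group("name")
            continue
        target = TARGET.match(line)
        if target and current:
            path = target.group("path")
            rows.append((current, path, classify(path), target.group("action")))
    return rows
```

Rows classified `live` are the ones that still need a removal step; `restore_point` rows disappear once System Restore is reset as described in the same reply.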

#45
marcos.rj

    Member

  • Topic Starter

Ok then. This whole thing is definitely a good incentive for me to cross out P2P programs. Or maybe I can designate an old computer for it (otherwise it'll take me forever to see the last episode of Lost :) ).

Combo didn't run this time. It crashed the computer instead. Do you think I should now give it one more try in safe mode or should I move on to the cleaning up?


Thanks for all your assistance !

Marcos