Well iam prety new at this forum and, as you will notice, i'am not ''pro'' at all this computer things....
My Pc is brand new but kasperky (and other anti i used) found out this infection : Trojan.Win32.BHO.agz
I tryed a lot of things, all a waste of time....
Can you please help me get an end of this?!
Thanks !!!
Full Version: Please, help me....
First:
Download the current version of HiJackThis from here:
http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe
Double Click on the HJTInstall.exe file. It will be installed to the default location of C:\Program File\Trend Micro\HiJackThis\
DO NOT RUN HiJackTHis at this time. We'll get to it in a moment.
Second:
Please download ATF Cleaner by Atribune.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Third:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Download the current version of HiJackThis from here:
http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe
Double Click on the HJTInstall.exe file. It will be installed to the default location of C:\Program File\Trend Micro\HiJackThis\
DO NOT RUN HiJackTHis at this time. We'll get to it in a moment.
Second:
Please download ATF Cleaner by Atribune.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Third:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log using HiJackThis that you installed in Step 1 for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
HicakThis Log :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07:18, on 16/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3Trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Free Download Manager\FUM\fumoei.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\lxdacoms.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\SafestMail\safo_x.exe
C:\Arquivos de programas\SafestMail\launcher.exe
C:\Arquivos de programas\MultiKeyboard Driver\KbdDrv.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {760F996B-9F43-4E20-AE81-F0411FDD89D3} - C:\WINDOWS\system32\adsldpd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3Trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Arquivos de programas\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Arquivos de programas\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SafO.X (Outlook Express)] C:\Arquivos de programas\SafestMail\safo_x.exe
O4 - HKCU\..\Run: [Launcher for SafO.X] C:\Arquivos de programas\SafestMail\launcher.exe
O4 - HKCU\..\Run: [SafO keep working] C:\Arquivos de programas\SafestMail\regsafo.exe
O4 - Startup: MutiKeyboard Driver.lnk = C:\Arquivos de programas\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: SafestMail - {B0494CB9-A494-4218-8558-798F8BBAF4B0} - www.safestmail.com.br (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Arquivos de programas\Free Download Manager\FUM\fumiebtn.dll (file missing)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - AppInit_DLLs: c:\windows\system32\vturpqn.dll
O20 - Winlogon Notify: c_114s - c_114s.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: lxda_device - - C:\WINDOWS\system32\lxdacoms.exe
--
End of file - 6483 bytes
Combofix Log :
ComboFix 08-02-16.2 - User 2008-02-16 14:54:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.621 [GMT -2:00]
Executando de: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\sys_dll.dll
.
((((((((((((((((((((((( Ficheiros criados de 2008-01-16 to 2008-02-16 ))))))))))))))))))))))))))))))))
.
2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-02-16 00:52 . 2008-02-16 00:52 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\TrojanHunter
2008-02-16 00:05 . 2008-02-16 00:05 <DIR> d-------- C:\Arquivos de programas\ATS2
2008-02-16 00:03 . 2007-01-12 12:50 1,828,440 --a------ C:\WINDOWS\system32\Skype4COM.dll
2008-02-16 00:03 . 2005-02-07 21:55 596,992 --a------ C:\WINDOWS\system32\Redemption.dll
2008-02-16 00:03 . 1999-12-09 11:19 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-16 00:03 . 2007-03-02 18:38 24,576 --a------ C:\WINDOWS\system32\SafO_OL2003.dll
2008-02-16 00:00 . 2008-02-16 00:00 <DIR> d-------- C:\Arquivos de programas\TrojanHunter 5.0
2008-02-15 23:59 . 2008-02-16 00:03 <DIR> d-------- C:\Arquivos de programas\SafestMail
2008-02-15 23:51 . 2008-02-16 00:06 <DIR> d-------- C:\Arquivos de programas\Trojan Guarder Gold Version
2008-02-15 22:31 . 2008-02-15 22:31 <DIR> d-------- C:\Arquivos de programas\InCode Solutions
2008-02-15 17:32 . 2008-02-15 17:32 <DIR> d-------- C:\LinhaDefensiva
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\User\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\NetworkService\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\LocalService\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\Default User\Configuraþ§es locais
2008-02-14 22:58 . 2008-02-15 00:32 <DIR> d-------- C:\Arquivos de programas\XoftSpySE
2008-02-14 21:58 . 2008-02-14 21:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-14 21:52 . 2008-02-15 01:20 <DIR> d-------- C:\SDFix
2008-02-14 20:39 . 2008-02-14 20:45 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-14 20:39 . 2008-02-14 20:39 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-14 20:38 . 2008-02-16 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2008-02-14 20:38 . 2008-02-16 14:55 2,171,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-14 20:38 . 2008-02-16 14:55 200,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-14 20:38 . 2008-02-16 03:33 32,336 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-14 20:38 . 2008-02-16 03:33 21,644 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-14 17:46 . 2008-02-14 17:46 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Blizzard Entertainment
2008-02-14 17:38 . 2008-02-14 18:15 <DIR> d-------- C:\Arquivos de programas\World of Warcraft
2008-02-13 03:14 . 2008-02-15 19:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-13 03:14 . 2008-02-13 03:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 19:49 . 2008-01-19 20:39 <DIR> d-------- C:\Arquivos de programas\VentSrv
2008-01-19 18:05 . 2008-01-19 18:05 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\teamspeak2
2008-01-19 18:05 . 2008-01-19 18:05 <DIR> d-------- C:\Arquivos de programas\Teamspeak2_RC2
2008-01-19 18:05 . 2008-01-19 18:05 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 23:44 22 ----a-w C:\WINDOWS\system32\drivers\CONFIOUNONAMORADOEFOIPARARNANET.zip
2008-02-14 22:38 --------- d-----w C:\Arquivos de programas\Kaspersky Lab
2008-02-11 20:43 19,584 ----a-w C:\WINDOWS\system32\drivers\vnafudcc.dat
2008-01-19 22:26 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\Ventrilo
2008-01-19 21:22 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-01-12 01:58 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\LimeWire
2008-01-08 20:04 --------- d-----w C:\Arquivos de programas\LeechGet 2007
2008-01-08 01:15 --------- d-----w C:\Arquivos de programas\Ventrilo
2008-01-04 03:22 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\Orbit
2007-12-31 19:25 --------- d-----w C:\Arquivos de programas\Tibia
2007-12-25 19:50 --------- d-----w C:\Arquivos de programas\Google
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 02:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-18 02:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-07 01:07 661,504 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-30 22:52 20,352 ----a-w C:\Documents and Settings\User\Dados de aplicativos\GDIPFONTCACHEV1.DAT
2004-10-01 18:00 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{760F996B-9F43-4E20-AE81-F0411FDD89D3}]
2004-08-04 01:45 84992 --a------ C:\WINDOWS\system32\adsldpd.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:45 15360]
"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 14:24 1694208]
"Free Uploader Oe Integration"="C:\Arquivos de programas\Free Download Manager\FUM\fumoei.exe" [2007-06-10 20:02 40960]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"AnyDVD"="C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe" [2007-09-10 07:29 1477568]
"SafO.X (Outlook Express)"="C:\Arquivos de programas\SafestMail\safo_x.exe" [2008-01-28 12:36 1949696]
"Launcher for SafO.X"="C:\Arquivos de programas\SafestMail\launcher.exe" [2005-05-27 15:48 45056]
"SafO keep working"="C:\Arquivos de programas\SafestMail\regsafo.exe" [2006-12-21 07:29 45056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 08:04 2879488 C:\WINDOWS\SkyTel.exe]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 15:05 1953792]
"RemoteControl"="C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2005-06-30 03:16 88203 C:\WINDOWS\AGRSMMSG.exe]
"VTTimer"="VTTimer.exe" [2006-09-21 06:36 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3Trayp.exe" [2006-10-09 19:14 176128 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 01:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]
"THGuard"="C:\Arquivos de programas\TrojanHunter 5.0\THGuard.exe" [2008-02-08 11:22 1047712]
C:\Documents and Settings\User\Menu Iniciar\Programas\Inicializar\
MutiKeyboard Driver.lnk - C:\Arquivos de programas\MultiKeyboard Driver\KbdDrv.exe [2007-07-24 17:17:20 348160]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_114s]
c_114s.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\vturpqn.dll
R0 mglpewgn;mglpewgn;C:\WINDOWS\system32\drivers\vnafudcc.dat []
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 09:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 09:39]
R2 lxda_device;lxda_device;C:\WINDOWS\system32\lxdacoms.exe [2007-01-29 14:57]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-11-10 00:06]
S2 agrsm;Agere Modem Driver;C:\WINDOWS\system32\agrsmnt.sys [2005-06-30 03:44]
S3 S3G700;S3G700;C:\WINDOWS\system32\DRIVERS\VTGKModeDX32.sys [2006-11-29 20:50]
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-02-01 13:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2008-02-16 11:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 12:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 13:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 14:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 15:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 16:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 17:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 18:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 19:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 20:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 21:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 22:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 23:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 00:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 01:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 04:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 05:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-14 06:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-08 07:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-08 08:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-08 09:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-14 10:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 10:53:58 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Arquivos de programas\XoftSpySE\XoftSpy.exe
"2008-02-16 05:06:26 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Arquivos de programas\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 14:55:36
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusão: 2008-02-16 14:56:23
ComboFix-quarantined-files.txt 2008-02-16 16:56:20
ComboFix2.txt 2008-02-15 03:29:16
ComboFix3.txt 2008-02-15 00:21:00
.
2008-02-16 05:32:43 --- E O F ---
Something strange just hapend....
I did just what you told (open combofix and all) then my net was not woking so i saved combofix log and restarted my PC....
Then i scan wht hijackthis (log is posted) and open my kapesrsky... kapesrsky sayed the virus i've posted was ''not found'', instead , it found : Trojan.Win32.Pakes.cdw
??
thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07:18, on 16/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3Trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Free Download Manager\FUM\fumoei.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\lxdacoms.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\SafestMail\safo_x.exe
C:\Arquivos de programas\SafestMail\launcher.exe
C:\Arquivos de programas\MultiKeyboard Driver\KbdDrv.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {760F996B-9F43-4E20-AE81-F0411FDD89D3} - C:\WINDOWS\system32\adsldpd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3Trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Arquivos de programas\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Arquivos de programas\Free Download Manager\FUM\fumoei.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AnyDVD] C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [SafO.X (Outlook Express)] C:\Arquivos de programas\SafestMail\safo_x.exe
O4 - HKCU\..\Run: [Launcher for SafO.X] C:\Arquivos de programas\SafestMail\launcher.exe
O4 - HKCU\..\Run: [SafO keep working] C:\Arquivos de programas\SafestMail\regsafo.exe
O4 - Startup: MutiKeyboard Driver.lnk = C:\Arquivos de programas\MultiKeyboard Driver\KbdDrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: SafestMail - {B0494CB9-A494-4218-8558-798F8BBAF4B0} - www.safestmail.com.br (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Arquivos de programas\Free Download Manager\FUM\fumiebtn.dll (file missing)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - AppInit_DLLs: c:\windows\system32\vturpqn.dll
O20 - Winlogon Notify: c_114s - c_114s.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: lxda_device - - C:\WINDOWS\system32\lxdacoms.exe
--
End of file - 6483 bytes
Combofix Log :
ComboFix 08-02-16.2 - User 2008-02-16 14:54:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.621 [GMT -2:00]
Executando de: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\sys_dll.dll
.
((((((((((((((((((((((( Ficheiros criados de 2008-01-16 to 2008-02-16 ))))))))))))))))))))))))))))))))
.
2008-02-16 14:48 . 2008-02-16 14:48 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-02-16 00:52 . 2008-02-16 00:52 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\TrojanHunter
2008-02-16 00:05 . 2008-02-16 00:05 <DIR> d-------- C:\Arquivos de programas\ATS2
2008-02-16 00:03 . 2007-01-12 12:50 1,828,440 --a------ C:\WINDOWS\system32\Skype4COM.dll
2008-02-16 00:03 . 2005-02-07 21:55 596,992 --a------ C:\WINDOWS\system32\Redemption.dll
2008-02-16 00:03 . 1999-12-09 11:19 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-16 00:03 . 2007-03-02 18:38 24,576 --a------ C:\WINDOWS\system32\SafO_OL2003.dll
2008-02-16 00:00 . 2008-02-16 00:00 <DIR> d-------- C:\Arquivos de programas\TrojanHunter 5.0
2008-02-15 23:59 . 2008-02-16 00:03 <DIR> d-------- C:\Arquivos de programas\SafestMail
2008-02-15 23:51 . 2008-02-16 00:06 <DIR> d-------- C:\Arquivos de programas\Trojan Guarder Gold Version
2008-02-15 22:31 . 2008-02-15 22:31 <DIR> d-------- C:\Arquivos de programas\InCode Solutions
2008-02-15 17:32 . 2008-02-15 17:32 <DIR> d-------- C:\LinhaDefensiva
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\User\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\NetworkService\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\LocalService\Configuraþ§es locais
2008-02-15 01:29 . 2008-02-15 01:29 <DIR> d-------- C:\Documents and Settings\Default User\Configuraþ§es locais
2008-02-14 22:58 . 2008-02-15 00:32 <DIR> d-------- C:\Arquivos de programas\XoftSpySE
2008-02-14 21:58 . 2008-02-14 21:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-14 21:52 . 2008-02-15 01:20 <DIR> d-------- C:\SDFix
2008-02-14 20:39 . 2008-02-14 20:45 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-02-14 20:39 . 2008-02-14 20:39 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-02-14 20:38 . 2008-02-16 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2008-02-14 20:38 . 2008-02-16 14:55 2,171,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-14 20:38 . 2008-02-16 14:55 200,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-14 20:38 . 2008-02-16 03:33 32,336 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-14 20:38 . 2008-02-16 03:33 21,644 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-14 17:46 . 2008-02-14 17:46 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Blizzard Entertainment
2008-02-14 17:38 . 2008-02-14 18:15 <DIR> d-------- C:\Arquivos de programas\World of Warcraft
2008-02-13 03:14 . 2008-02-15 19:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-13 03:14 . 2008-02-13 03:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 19:49 . 2008-01-19 20:39 <DIR> d-------- C:\Arquivos de programas\VentSrv
2008-01-19 18:05 . 2008-01-19 18:05 <DIR> d-------- C:\Documents and Settings\User\Dados de aplicativos\teamspeak2
2008-01-19 18:05 . 2008-01-19 18:05 <DIR> d-------- C:\Arquivos de programas\Teamspeak2_RC2
2008-01-19 18:05 . 2008-01-19 18:05 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-14 23:44 22 ----a-w C:\WINDOWS\system32\drivers\CONFIOUNONAMORADOEFOIPARARNANET.zip
2008-02-14 22:38 --------- d-----w C:\Arquivos de programas\Kaspersky Lab
2008-02-11 20:43 19,584 ----a-w C:\WINDOWS\system32\drivers\vnafudcc.dat
2008-01-19 22:26 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\Ventrilo
2008-01-19 21:22 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-01-12 01:58 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\LimeWire
2008-01-08 20:04 --------- d-----w C:\Arquivos de programas\LeechGet 2007
2008-01-08 01:15 --------- d-----w C:\Arquivos de programas\Ventrilo
2008-01-04 03:22 --------- d-----w C:\Documents and Settings\User\Dados de aplicativos\Orbit
2007-12-31 19:25 --------- d-----w C:\Arquivos de programas\Tibia
2007-12-25 19:50 --------- d-----w C:\Arquivos de programas\Google
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 02:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
2007-12-18 02:43 23,396 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2007-12-07 01:07 661,504 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-08-30 22:52 20,352 ----a-w C:\Documents and Settings\User\Dados de aplicativos\GDIPFONTCACHEV1.DAT
2004-10-01 18:00 40,960 ----a-w C:\Arquivos de programas\Uninstall_CDS.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{760F996B-9F43-4E20-AE81-F0411FDD89D3}]
2004-08-04 01:45 84992 --a------ C:\WINDOWS\system32\adsldpd.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:45 15360]
"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 14:24 1694208]
"Free Uploader Oe Integration"="C:\Arquivos de programas\Free Download Manager\FUM\fumoei.exe" [2007-06-10 20:02 40960]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"AnyDVD"="C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe" [2007-09-10 07:29 1477568]
"SafO.X (Outlook Express)"="C:\Arquivos de programas\SafestMail\safo_x.exe" [2008-01-28 12:36 1949696]
"Launcher for SafO.X"="C:\Arquivos de programas\SafestMail\launcher.exe" [2005-05-27 15:48 45056]
"SafO keep working"="C:\Arquivos de programas\SafestMail\regsafo.exe" [2006-12-21 07:29 45056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 08:04 2879488 C:\WINDOWS\SkyTel.exe]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 15:05 1953792]
"RemoteControl"="C:\Arquivos de programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"AGRSMMSG"="AGRSMMSG.exe" [2005-06-30 03:16 88203 C:\WINDOWS\AGRSMMSG.exe]
"VTTimer"="VTTimer.exe" [2006-09-21 06:36 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3Trayp.exe" [2006-10-09 19:14 176128 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 01:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-06-29 07:24 286720]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]
"THGuard"="C:\Arquivos de programas\TrojanHunter 5.0\THGuard.exe" [2008-02-08 11:22 1047712]
C:\Documents and Settings\User\Menu Iniciar\Programas\Inicializar\
MutiKeyboard Driver.lnk - C:\Arquivos de programas\MultiKeyboard Driver\KbdDrv.exe [2007-07-24 17:17:20 348160]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_114s]
c_114s.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\vturpqn.dll
R0 mglpewgn;mglpewgn;C:\WINDOWS\system32\drivers\vnafudcc.dat []
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 09:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 09:39]
R2 lxda_device;lxda_device;C:\WINDOWS\system32\lxdacoms.exe [2007-01-29 14:57]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-11-10 00:06]
S2 agrsm;Agere Modem Driver;C:\WINDOWS\system32\agrsmnt.sys [2005-06-30 03:44]
S3 S3G700;S3G700;C:\WINDOWS\system32\DRIVERS\VTGKModeDX32.sys [2006-11-29 20:50]
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-02-01 13:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
"2008-02-16 11:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 12:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 13:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 14:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 15:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 16:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 17:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 18:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 19:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 20:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 21:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 22:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-15 23:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 00:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 01:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 04:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 05:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-14 06:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-08 07:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-08 08:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-08 09:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-14 10:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\NgYF8v6l.exe
"2008-02-16 10:53:58 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Arquivos de programas\XoftSpySE\XoftSpy.exe
"2008-02-16 05:06:26 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Arquivos de programas\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 14:55:36
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusão: 2008-02-16 14:56:23
ComboFix-quarantined-files.txt 2008-02-16 16:56:20
ComboFix2.txt 2008-02-15 03:29:16
ComboFix3.txt 2008-02-15 00:21:00
.
2008-02-16 05:32:43 --- E O F ---
Something strange just hapend....
I did just what you told (open combofix and all) then my net was not woking so i saved combofix log and restarted my PC....
Then i scan wht hijackthis (log is posted) and open my kapesrsky... kapesrsky sayed the virus i've posted was ''not found'', instead , it found : Trojan.Win32.Pakes.cdw
??
thanks
We have some cleaning to do, then we'll see where you are...
First:
Please download ATF Cleaner by Atribune.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Second:
Open the Scheduled Tasks control panel and delete all scheduled tasks in the format ATnn.job, where 'nn' is any two digits.
Third:
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
First:
Please download ATF Cleaner by Atribune.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Second:
Open the Scheduled Tasks control panel and delete all scheduled tasks in the format ATnn.job, where 'nn' is any two digits.
Third:
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
QUOTE
Killall::
File::
C:\WINDOWS\system32\adsldpd.dll
c:\windows\system32\vturpqn.dll
C:\WINDOWS\system32\c_114s.dll
C:\WINDOWS\system32\drivers\vnafudcc.dat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{760F996B-9F43-4E20-AE81-F0411FDD89D3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_114s]
Driver::
mglpewgn
File::
C:\WINDOWS\system32\adsldpd.dll
c:\windows\system32\vturpqn.dll
C:\WINDOWS\system32\c_114s.dll
C:\WINDOWS\system32\drivers\vnafudcc.dat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{760F996B-9F43-4E20-AE81-F0411FDD89D3}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c_114s]
Driver::
mglpewgn
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.