Virtumonde / Win32:tratbho [trj] Infection


  • This topic is locked
12 replies to this topic

#1 southernblot

  • Members
  • 6 posts

Posted 24 February 2008 - 02:05 PM

Hello guys and thanks for all the help you can give me. I appreciate it.
For 3 weeks avast has been recognising that my computer is infected. Right after, pop-ups appear telling me to buy a new anti-virus... this happens every 5 min or so. At the beginning, it was recognised (I think by avast) as a Win32:TratBO Infection. Later, Spybot told me I am infected with Virtumonde (I'm sorry, I don't know if it's the same thing because I'm not an expert in computers). I ran Spybot several times, but it could never delete Virtumonde.
I have followed all the steps written in the forum guidelines. But there is still an infection. Below is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54:41, on 24-02-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
C:\Programas\EzButton\EzButton.EXE
C:\Programas\TOSHIBA\TouchPad\TPTray.exe
C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\vsnpstd.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programas\MSN Messenger\usnsvc.exe
C:\Programas\MSN Messenger\livecall.exe
C:\Programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [145549fd] rundll32.exe "C:\WINDOWS\system32\taqvyrgg.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM17667a61] Rundll32.exe "C:\WINDOWS\system32\qfxuwght.dll",s
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programas\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Programas\Rainlendar\Rainlendar.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Image Zone.lnk = C:\Programas\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MBNet-Sidebar - {C014B140-3835-11d6-BC1D-00C095EEAD5D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4E592651-4590-11D6-BC20-00C095EEAD5D} (MBNet) - https://www.mbnet.pt/sidebar/mbnetsidebar.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122909960968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124198108671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by23fd.bay23.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://tkfiles.storage.msn.com/x1pkvwgTG5z...Vhy3Z3VjEdg_h63

--
End of file - 10235 bytes
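An added example, not from this thread and not part of HijackThis or ComboFix: a small Python triage script that parses the O4 (Run-key autostart) lines from the log above and scores them for the pattern the two Virtumonde entries show, namely rundll32.exe loading a DLL with a random-looking name straight out of system32 through a one-letter export, under a Run value whose name is hex-like (145549fd, BM17667a61). The scoring thresholds are my own assumption, and the NvCpl line in the sample is a constructed benign control case.

```python
"""Heuristic triage of HijackThis O4 (Run-key autostart) entries.

Each O4 line is scored for the signals the Virtumonde entries in this log
show. Two independent signals flag an entry. Thresholds are assumptions;
a hit is something to investigate, not a verdict.
"""
import re
from typing import Optional

# O4 - HKLM\..\Run: [ValueName] command line   (also HKCU, HKUS\S-1-5-18, ...)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32.exe "C:\path\name.dll",Export   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S*)', re.IGNORECASE
)
# Value names that are pure hex, optionally with the "BM" prefix seen in this log.
HEXLIKE_RE = re.compile(r"^(?:BM)?[0-9a-f]{6,}$", re.IGNORECASE)
VOWELS = set("aeiouy")


def looks_random(filename: str) -> bool:
    """True for names like taqvyrgg.dll: 6-10 letters with very few vowels."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 10 and stem.isalpha()):
        return False
    return sum(ch in VOWELS for ch in stem) / len(stem) < 0.35


def triage_o4(line: str) -> Optional[dict]:
    """Parse one O4 line; return None if it is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd").strip()
    reasons = []
    r = RUNDLL_RE.match(cmd)
    if r:
        dll, entry = r.group("dll"), r.group("entry")
        if re.search(r"\\system32\\[^\\]+$", dll, re.IGNORECASE):
            reasons.append("rundll32 loads a DLL placed directly in system32")
        if len(entry) == 1 and entry.isalpha():
            reasons.append("single-letter export name")
        if looks_random(dll.rsplit("\\", 1)[-1]):
            reasons.append("random-looking DLL file name")
    if HEXLIKE_RE.match(name):
        reasons.append("hex-like Run value name")
    # Two independent signals are required to flag an entry.
    return {"name": name, "cmd": cmd, "reasons": reasons, "suspicious": len(reasons) >= 2}


def triage_log(text: str) -> list:
    """Return the suspicious O4 entries of a HijackThis log, in log order."""
    hits = []
    for line in text.splitlines():
        entry = triage_o4(line)
        if entry and entry["suspicious"]:
            hits.append(entry)
    return hits


# Constructed sample: O4 lines copied from the log above, plus one benign
# rundll32 entry (an NVIDIA control-panel loader) added as a control case.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [145549fd] rundll32.exe "C:\WINDOWS\system32\taqvyrgg.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM17667a61] Rundll32.exe "C:\WINDOWS\system32\qfxuwght.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] rundll32.exe "C:\WINDOWS\system32\NvCpl.dll",NvStartup
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"[{hit['name']}] {hit['cmd']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

Run against the sample, only the two Virtumonde loaders are reported, each with all four signals; the NvCpl control trips only the system32 check and stays below the threshold.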


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 February 2008 - 11:04 AM

Hi,

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 southernblot

  • Topic Starter
  • Members
  • 6 posts

Posted 25 February 2008 - 03:52 PM

Hello miekiemoes! Thank you for replying to my problem!

I've uninstalled TeaTimer and I downloaded Combo Fix. I am ready to run it, but I'm not sure of one thing.
I read in the forum instructions that I should install the Windows XP Recovery Console. Since I don't have the CD, I followed the forum instructions to download it from this site: http://support.microsoft.com/kb/310994
As instructed, I downloaded something called: Windows XP Setup boot disk for Service Pack 2. I also did as follows and dragged this program that I downloaded onto the ComboFix.exe icon. But Combo Fix did not install it. Rather, ComboFix was opened. I tried to see if Windows Recovery Console mode had actually been installed by restarting Windows, but I did not find the option to start the PC in Windows Recovery Console mode. So I guess this program was not installed. And I'm afraid to run Combo Fix without it.

Please, how can I install Windows Recovery Console then?

Thank you!

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 February 2008 - 04:44 PM

Hi,

Normally, after ComboFix has installed the Recovery Console, it should open a log first. Do you have XP Pro or Home?
What language version of your OS do you have? Because this is also important... Your Google start page is set to Italian, however your OS version looks Portuguese?

Anyway, please proceed with the normal instructions to run ComboFix without installing the Recovery Console. Then I can tell you what exact file you have to download, since the ComboFix log should display the OS language.

Edited by miekiemoes, 25 February 2008 - 05:05 PM.


#5 southernblot

  • Topic Starter
  • Members
  • 6 posts

Posted 26 February 2008 - 12:57 PM

Hi again,
I have Windows Home with Service Pack 2. The OS language is Portuguese.

Combo Fix Report:

ComboFix 08-02-25.3 - Luísa Antunes 2008-02-26 20:21:53.1 - NTFSx86
Executando de: C:\Documents and Settings\Luísa Antunes\Ambiente de trabalho\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\arcupfty.dll
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2
C:\WINDOWS\system32\bpewqcgw.ini
C:\WINDOWS\system32\dcdditaf.dll
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\dp1
C:\WINDOWS\system32\feq9
C:\WINDOWS\system32\fhdnfvmd.dll
C:\WINDOWS\system32\ggryvqat.ini
C:\WINDOWS\system32\hgghghh.dll
C:\WINDOWS\system32\hsptrgum.dll
C:\WINDOWS\system32\ivyvrvky.ini
C:\WINDOWS\system32\kcgpgwcy.ini
C:\WINDOWS\system32\kgrhepxc.ini
C:\WINDOWS\system32\khdenxkh.dll
C:\WINDOWS\system32\lqsslufr.ini
C:\WINDOWS\system32\lqxucejr.ini
C:\WINDOWS\system32\mcettbaj.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdvsvccg.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\oqsavksk.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\phdmxkit.dll
C:\WINDOWS\system32\qiemqyhj.dll
C:\WINDOWS\system32\rfulssql.dll
C:\WINDOWS\system32\riiwqupj.ini
C:\WINDOWS\system32\ussovldn.ini
C:\WINDOWS\system32\xgqmnesd.ini
C:\WINDOWS\system32\xodwsanu.dll
C:\WINDOWS\system32\ycwgpgck.dll
C:\WINDOWS\system32\ytfpucra.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((( Ficheiros criados de 2008-01-26 to 2008-02-26 ))))))))))))))))))))))))))))))))
.

2008-02-24 17:40 . 2008-02-24 21:48 65,280 --a------ C:\WINDOWS\RTLNIC51.SYS
2008-02-24 01:45 . 2008-02-24 01:45 <DIR> d-------- C:\Programas\iPod
2008-02-23 23:57 . 2008-02-23 23:57 396,288 --a------ C:\Programas\HijackThis.exe
2008-02-23 22:18 . 2008-02-24 03:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-23 20:28 . 2008-02-23 20:32 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-23 20:28 . 2008-02-23 20:32 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-23 20:27 . 2008-02-23 20:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-23 20:27 . 2008-02-23 20:32 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-23 17:40 . 2008-02-23 17:41 <DIR> d-------- C:\Programas\Spybot - Search & Destroy
2008-02-21 20:33 . 2008-02-26 20:14 136,580 --a------ C:\WINDOWS\BM17667a61.xml
2008-02-21 20:33 . 2008-02-26 20:22 21 --a------ C:\WINDOWS\pskt.ini
2008-02-21 01:27 . 2008-02-21 01:27 <DIR> d-------- C:\Programas\MSECache
2008-02-19 18:06 . 2008-02-26 20:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-19 18:06 . 2008-02-19 18:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-19 18:02 . 2008-02-24 01:47 <DIR> d-------- C:\Programas\iTunes
2008-02-19 18:00 . 2008-02-23 15:33 <DIR> d-------- C:\Programas\Bonjour
2008-02-18 20:42 . 2008-02-18 20:42 0 --a------ C:\WINDOWS\CePMTray.INI
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Programas\Microsoft CAPICOM 2.1.0.2
2008-02-17 21:57 . 2008-02-17 21:57 1,900 --a------ C:\WINDOWS\hpbvnstp.his
2008-02-17 21:57 . 2008-02-17 21:57 696 --a------ C:\WINDOWS\hpbvnstp.ini
2008-02-17 21:54 . 2005-01-21 13:41 208,896 --a------ C:\WINDOWS\system32\HPP2800V.DLL
2008-02-17 21:54 . 2004-12-24 11:12 45,056 --a------ C:\WINDOWS\system32\hppapts0.dll
2008-02-17 21:54 . 2004-12-24 11:12 36,864 --a------ C:\WINDOWS\system32\hppasnm0.dll
2008-02-17 21:54 . 2004-12-24 11:12 36,864 --a------ C:\WINDOWS\system32\hppapml0.dll
2008-02-17 21:54 . 2004-12-24 11:12 36,864 --a------ C:\WINDOWS\system32\hppadt40.dll
2008-02-17 21:54 . 2004-12-24 11:12 32,768 --a------ C:\WINDOWS\system32\hppamon0.dll
2008-02-17 21:54 . 2005-01-20 14:18 484 --a------ C:\WINDOWS\system32\HPP2800V.DAT
2008-02-17 21:53 . 2001-08-17 20:47 8,704 --a------ C:\WINDOWS\system32\drivers\Dot4Scan.sys
2008-02-17 21:53 . 2001-08-17 20:47 8,704 --a--c--- C:\WINDOWS\system32\dllcache\dot4scan.sys
2008-02-17 21:10 . 2004-08-20 14:02 102,400 --a------ C:\WINDOWS\system32\PMLJNI.dll
2008-02-17 21:10 . 2003-06-16 22:52 74,752 --a------ C:\WINDOWS\system32\jst.dll
2008-02-17 21:10 . 2004-05-10 21:11 40,960 --a------ C:\WINDOWS\system32\d4channel.dll
2008-02-17 21:10 . 2003-06-20 18:21 36,864 --a------ C:\WINDOWS\system32\hpbmmjno.dll
2008-02-17 21:10 . 2005-02-03 18:31 32,768 --a------ C:\WINDOWS\system32\compJNI.dll
2008-02-17 21:09 . 2008-02-17 21:11 <DIR> d--h----- C:\Programas\Zero G Registry
2008-02-17 20:52 . 2008-02-17 21:04 <DIR> d-------- C:\Programas\Ficheiros comuns\HP
2008-02-17 20:45 . 2008-02-17 20:45 <DIR> d-------- C:\Programas\Ficheiros comuns\Hewlett-Packard
2008-02-17 20:40 . 2004-12-24 11:10 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-02-17 20:40 . 2004-12-24 11:12 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-02-17 20:40 . 2004-12-24 11:07 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-02-17 20:40 . 2004-12-24 11:11 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-02-17 20:40 . 2004-12-24 11:05 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-02-17 20:40 . 2004-12-24 11:07 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-02-17 18:40 . 2008-02-17 21:25 54,226 --a------ C:\WINDOWS\hppins01.dat
2008-02-17 18:40 . 2005-04-08 08:52 2,392 --------- C:\WINDOWS\hppmdl01.dat
2008-02-17 00:37 . 2008-02-22 19:20 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-16 22:36 . 2008-02-17 20:59 <DIR> d-------- C:\Programas\HP
2008-02-16 21:19 . 2008-02-16 21:27 <DIR> d----c--- C:\hp_CLJ_2820-2840_Full_Solution
2008-02-15 14:04 . 2008-02-15 14:04 <DIR> d----c--- C:\SureSupply
2008-02-14 12:07 . 2008-02-14 12:07 1,239,737 ---hs---- C:\WINDOWS\system32\bpewqcgw.tmp
2008-02-11 11:36 . 2001-08-17 20:47 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2008-02-11 11:36 . 2001-08-17 20:47 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2008-02-11 11:31 . 2004-08-03 22:58 207,360 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2008-02-11 11:31 . 2004-08-03 22:58 207,360 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2008-02-11 11:31 . 2001-11-20 16:10 24,064 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2008-02-11 11:31 . 2001-11-20 16:10 24,064 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2008-02-05 21:38 . 2008-02-05 21:38 <DIR> d-------- C:\Programas\Webroot
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 19:06 --------- d-----w C:\Programas\Bowlfish
2008-02-26 17:48 9,584 ----a-w C:\Programas\hijackthis.log
2008-02-23 23:25 --------- d-----w C:\Programas\Hitman Pro
2008-02-23 22:56 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-02-23 17:20 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 15:10 --------- d-----w C:\Programas\Ficheiros comuns\Ahead
2008-02-23 14:51 --------- d-----w C:\Programas\Google
2008-02-19 16:59 --------- d-----w C:\Programas\QuickTime
2008-02-17 20:11 --------- d-----w C:\Programas\Hewlett-Packard
2008-02-16 20:27 --------- d-----w C:\Programas\Ficheiros comuns\SWF Studio
2008-02-15 13:01 --------- d-----w C:\Programas\Lavasoft
2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-12-06 23:34 90,112 ----a-w C:\WINDOWS\DUMPac1e.tmp
2005-11-04 11:31 957,499 -c--a-w C:\Programas\worldclock.exe
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Programas\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"swg"="C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-08 11:43 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"Skype"="C:\Programas\Skype\Phone\Skype.exe" [2006-07-21 13:06 20036648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 22:10 339968]
"Apoint"="C:\Programas\Apoint2K\Apoint.exe" [2003-10-30 14:46 192512]
"PadTouch"="C:\Programas\TOSHIBA\PadTouch\PadExe.exe" [2004-02-12 13:04 1019904]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 04:00 88363 C:\WINDOWS\agrsmmsg.exe]
"CeEPOWER"="C:\Programas\TOSHIBA\Power Management\CePMTray.exe" [2004-08-18 11:21 135168]
"CeEKEY"="C:\Programas\TOSHIBA\E-KEY\CeEKey.exe" [2004-08-06 16:14 643072]
"EzButton"="C:\Programas\EzButton\EzButton.EXE" [2004-07-07 15:25 712704]
"TPNF"="C:\Programas\TOSHIBA\TouchPad\TPTray.exe" [2004-07-28 17:23 53248]
"SmoothView"="C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe" [ ]
"NDSTray.exe"="NDSTray.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-07-20 02:04 122939]
"CFSServ.exe"="CFSServ.exe" []
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-05-10 18:37 286720]
"Windows Defender"="C:\Programas\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"NWEReboot"="" []
"HP Software Update"="C:\Programas\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"QuickTime Task"="C:\Programas\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"145549fd"="C:\WINDOWS\system32\taqvyrgg.dll" [ ]
"iTunesHelper"="C:\Programas\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"TomcatStartup 2.5"="C:\Programas\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 17:57 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
HP Digital Imaging Monitor.lnk - C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-02 16:07:12 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=MsgPlusLoader.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2006-10-27 14:41 190024 C:\Programas\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Programas\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
--a------ 2006-10-05 17:22 304128 C:\Programas\TuneUp Utilities 2006\MemOptimizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipStunt]
C:\Programas\VoipStunt.com\VoipStunt\VoipStunt.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\Messenger\\msmsgs.exe"=
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programas\\Bonjour\\mDNSResponder.exe"=
"C:\\Programas\\iTunes\\iTunes.exe"=
"C:\\Programas\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule Bowlfish TCP
"4672:UDP"= 4672:UDP:Emule Bowlfish UDP

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2005-08-01 16:14]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 11:00]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []
S3 HPPLSBULK;HPPLSBULK;C:\WINDOWS\system32\drivers\hpplsbulk.sys [2005-02-02 15:29]
S3 usbscan;Controlador de scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 USBSTOR;Controlador de armazenamento de massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dbf2bdc-0c67-11d9-8852-806d6172696f}]
\Shell\AutoRun\command - D:\browser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30061fe8-7cb4-11dc-bcaa-000e35edbcad}]
\Shell\AutoRun\command - D:\LaunchU3.exe

.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-02-23 23:33:14 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programas\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-02-20 20:44:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programas\Apple Software Update\SoftwareUpdate.exe
"2008-02-26 19:35:34 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programas\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 20:33:50
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programas\TOSHIBA\ConfigFree\CFSServ.exe
C:\Programas\Apoint2K\Apntex.exe
C:\Programas\Rainlendar\Rainlendar.exe
C:\Programas\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Programas\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-02-26 20:38:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 19:38:19
.
2008-02-24 19:39:58 --- E O F ---


HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:29, on 26-02-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\TOSHIBA\Power Management\CePMTray.exe
C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
C:\Programas\EzButton\EzButton.EXE
C:\Programas\TOSHIBA\TouchPad\TPTray.exe
C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe
C:\Programas\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\vsnpstd.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programas\Rainlendar\Rainlendar.exe
C:\Programas\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Programas\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\internet explorer\iexplore.exe
C:\Programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [145549fd] rundll32.exe "C:\WINDOWS\system32\taqvyrgg.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programas\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Programas\Rainlendar\Rainlendar.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MBNet-Sidebar - {C014B140-3835-11d6-BC1D-00C095EEAD5D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4E592651-4590-11D6-BC20-00C095EEAD5D} (MBNet) - https://www.mbnet.pt/sidebar/mbnetsidebar.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122909960968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124198108671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by23fd.bay23.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://tkfiles.storage.msn.com/x1pkvwgTG5z...Vhy3Z3VjEdg_h63

--
End of file - 9936 bytes

Edited by southernblot, 26 February 2008 - 02:47 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:05:54 PM

Posted 26 February 2008 - 03:14 PM

Hi,

As far as I can see, the Recovery Console should be installed, though.

Navigate to and delete the following files:

C:\WINDOWS\BM17667a61.xml
C:\WINDOWS\pskt.ini

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following:

O4 - HKLM\..\Run: [145549fd] rundll32.exe "C:\WINDOWS\system32\taqvyrgg.dll",b

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

By the way, are you aware that your Windows Firewall is disabled? Did you disable it?

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
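The fix above is done by reading one autorun line out of the log and ticking it in HijackThis. As an added example that is not part of this thread and not code posted by anyone in it, the Python below parses the O4 (Run key) lines of a HijackThis log and flags the pattern seen here: rundll32.exe loading a DLL from system32 where the Run value name is eight hex digits and the DLL name is eight random lowercase letters. The regexes and the "random-looking" thresholds are my own heuristics; the sample lines are copied from the log posted in this thread, and the "after" log is constructed by dropping the flagged line so the diff can show the entry is gone, which is the check worth repeating on any follow-up log.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample input: O4 lines copied from the HijackThis log posted in
# this thread, including the entry the helper told the poster to fix.
SAMPLE_BEFORE = [
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [145549fd] rundll32.exe "C:\WINDOWS\system32\taqvyrgg.dll",b',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
]
# Constructed "after" log: the same lines with the fixed entry removed.
SAMPLE_AFTER = [line for line in SAMPLE_BEFORE if "145549fd" not in line]

# HijackThis O4 line:  O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 loader:  rundll32.exe "<dll>",<entry point>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)',
                       re.IGNORECASE)
# Heuristics (mine, not from the thread): a Run value named with 8 hex digits
# and a DLL whose stem is 8 lowercase letters, as in [145549fd] / taqvyrgg.dll.
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}")
RANDOM_STEM_RE = re.compile(r"[a-z]{8}")


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def parse_o4(lines):
    """Return every O4 Run entry in the log as an Autorun; other lines are ignored."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autorun(m["hive"], m["name"], m["cmd"]))
    return entries


def suspicious_autoruns(lines):
    """Flag rundll32 autoruns that load a system32 DLL under a random-looking name."""
    found = []
    for entry in parse_o4(lines):
        m = RUNDLL_RE.match(entry.command)
        if not m:
            continue  # plain EXE autoruns are not judged by this heuristic
        dll = m["dll"]
        if not ntpath.dirname(dll).lower().endswith("\\system32"):
            continue
        stem = ntpath.splitext(ntpath.basename(dll))[0]
        if HEX_NAME_RE.fullmatch(entry.name):
            entry.reasons.append("Run value name is 8 hex digits: %s" % entry.name)
        if RANDOM_STEM_RE.fullmatch(stem):
            entry.reasons.append("DLL name looks random: %s (entry point %r)" % (stem, m["entry"]))
        if entry.reasons:
            found.append(entry)
    return found


def removed_entries(before, after):
    """Run value names present in the first log but gone from the second."""
    after_names = {e.name for e in parse_o4(after)}
    return {e.name for e in parse_o4(before) if e.name not in after_names}


if __name__ == "__main__":
    for e in suspicious_autoruns(SAMPLE_BEFORE):
        print("%s [%s] %s" % (e.hive, e.name, e.command))
        for r in e.reasons:
            print("  -", r)
    print("gone after fix:", removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Two caveats when using this on a real log. "Fix Checked" in HijackThis deletes only the registry value, so a follow-up log that no longer shows the O4 line says nothing about whether the DLL it pointed to is still on disk; that file has to be dealt with separately (here ComboFix had already run, and its quarantine folder is what the later Avast detections point at). And the heuristic only looks at rundll32 loaders: the same family also registers DLLs as O2 BHOs or O20 Winlogon notify entries, which need their own rule.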

#7 southernblot

southernblot
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:54 PM

Posted 27 February 2008 - 05:53 PM

My Windows Firewall was disabled because, to run ComboFix, I tried to close every program I could.

Today I ran Spybot twice (which found something called "Media Plex") and also Avast, which found infections in Windows system32.

This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:53:00, on 27-02-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\TOSHIBA\Power Management\CePMTray.exe
C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
C:\Programas\EzButton\EzButton.EXE
C:\Programas\TOSHIBA\TouchPad\TPTray.exe
C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe
C:\Programas\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsnpstd.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Programas\MSN Messenger\livecall.exe
C:\Programas\MSN Messenger\usnsvc.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Programas\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Programas\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Programas\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [EzButton] C:\Programas\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [TPNF] C:\Programas\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programas\TOSHIBA\Utilitário de Zooming da TOSHIBA\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programas\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainlendar.lnk = C:\Programas\Rainlendar\Rainlendar.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MBNet-Sidebar - {C014B140-3835-11d6-BC1D-00C095EEAD5D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4E592651-4590-11D6-BC20-00C095EEAD5D} (MBNet) - https://www.mbnet.pt/sidebar/mbnetsidebar.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122909960968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124198108671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by23fd.bay23.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programas\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programas\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://tkfiles.storage.msn.com/x1pkvwgTG5z...Vhy3Z3VjEdg_h63

--
End of file - 9677 bytes

Edited by southernblot, 27 February 2008 - 05:56 PM.


#8 miekiemoes

Posted 27 February 2008 - 05:59 PM

Hi,

Please enable your Windows Firewall again.

I am pretty sure that the infections that Avast found were present in the C:\qoobox\C\Windows\system32 folder instead :thumbsup:

Your HijackThis log looks clean again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

#9 southernblot

Posted 28 February 2008 - 05:59 PM

Hi,

OK, ComboFix is deleted. Today there were no messages of trojan attacks from Avast, but Spybot again found something called "Media Plex". Is this normal?
One other thing, please: should I reinstall TeaTimer now?

thank you.

#10 miekiemoes

Posted 29 February 2008 - 01:41 AM

but Spybot again found something called "Media Plex". Is this normal?

Hi,

MediaPlex is just a tracking cookie.
Please don't worry about tracking cookies. You'll always get them and they will always return. This just depends what sites you visit.
Everyone has them. They are even present on the MSN startpage, Yahoo startpage...
You may also want to read next:
http://www.spywareinfo.com/articles/cookies/
http://www.mvps.org/winhelp2002/cookies.htm

If you want to manage your cookies you can use next programs:

For Internet explorer: CookieWall

For Firefox: CookieSafe

Keep in mind that you're not supposed to block every cookie, because some cookies are required.
Most people don't use an additional cookie manager, because it may be annoying in some cases to manually filter all cookies in the beginning, so they clean their cookies once in a while via the "clean cookies" option in their browser settings.

should i reinstall teatimer now?

I guess you mean to enable it again? Yes, enable it again. :blink:

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 southernblot

Posted 29 February 2008 - 11:59 AM

Thank you for all your help. I really appreciate it. :thumbsup:

#12 miekiemoes

Posted 29 February 2008 - 12:44 PM

You're most welcome :thumbsup:

#13 miekiemoes

Posted 04 March 2008 - 01:41 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
