Ultimate Defender, Ultimate Cleaner And Winifixer


18 replies to this topic

#1 civil3

Posted 21 April 2008 - 05:08 AM

Hi from Portugal

My girlfriend installed Ultimate Defender, Ultimate Cleaner and Winifixer on my computer. I have tried to remove them but they won't go away... then all kinds of pop-ups and warnings appeared saying my computer was unprotected and infected.

I have run SUPERAntiSpyware, ATF Cleaner and HijackThis and it stopped, but I'm not sure if it is gone.

My Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07, on 2008-04-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\HiJackThis(2).exe

O2 - BHO: (no name) - {ACB77006-EB8A-4B12-A2C9-8374CCD94518} - C:\WINDOWS\system32\urqRJCuR.dll
O4 - HKLM\..\Run: [BMabd65f14] Rundll32.exe "C:\WINDOWS\system32\nbhlngvh.dll",s
O21 - SSODL: zip - {164770c9-0b61-4e0c-a4e4-8e1b3d375784} - C:\WINDOWS\Installer\{164770c9-0b61-4e0c-a4e4-8e1b3d375784}\zip.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 1322 bytes



#2 civil3 (Topic Starter)

Posted 22 April 2008 - 02:06 AM

Hello again,

when I start Internet Explorer all kinds of windows and warnings appear from: winanonymous.com, advancedcleaner, aptimizefixer ....

Please help.

#3 civil3 (Topic Starter)

Posted 22 April 2008 - 10:29 AM

Hello,

I've followed all the instructions in the tutorial How to remove Ultimate Defender (Removal Instructions),
but I still get this fake Windows Security Center at Windows startup:
[screenshot: fake Windows Security Center window shown at startup]
and when I close it I get this:
[screenshot: the warning window that appears after closing it]

This is my report after running SmitFraudFix:
SmitFraudFix v2.316

Scan done at 16:04:55.12, 2008-04-22
Run from C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [Versão 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
192.168.0.130 GPMS

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{ECF3C445-D41F-47C5-89AB-192728D23FF0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{ECF3C445-D41F-47C5-89AB-192728D23FF0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{ECF3C445-D41F-47C5-89AB-192728D23FF0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

--------------------------------------------------------------------------------------------------------------------------
/////////////////////////////////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
--------------------------------------------------------------------------------------------------------------------------


and my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15, on 2008-04-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\HiJackThis(2).exe

O2 - BHO: (no name) - {6C28EFAF-AF36-47EF-B966-21A879D79522} - C:\WINDOWS\system32\urqRJCuR.dll
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 1674 bytes

#4 steamwiz

Posted 26 April 2008 - 02:09 PM

Hi

Please make sure you have read this :-

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Then come back here & post the requested updated logs...

Deckard's System Scanner (DSS) both reports

Kaspersky Online Scanner log

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 civil3 (Topic Starter)

Posted 28 April 2008 - 10:02 AM

Hello, thanks for your help.

Meanwhile, I've installed an anti-malware program and I think it removed the malware, but I'm not sure if it is really gone, so if you could take a look I would be very grateful. Thanks.


Deckard's System Scanner v20071014.68
Run by MARIA AFONSO on 2008-04-28 15:47:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
65: 2008-04-28 14:47:39 UTC - RP754 - Deckard's System Scanner Restore Point
64: 2008-04-28 08:06:20 UTC - RP753 - System Checkpoint
63: 2008-04-23 14:32:23 UTC - RP752 - Installed SUPERAntiSpyware Professional
62: 2008-04-23 14:31:36 UTC - RP751 - Removed SUPERAntiSpyware Free Edition
61: 2008-04-22 12:39:53 UTC - RP750 - System Checkpoint


-- First Restore Point --
1: 2008-04-18 13:15:08 UTC - RP690 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as MARIA AFONSO.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:49, on 2008-04-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\dss.exe
C:\DOCUME~1\MARIAA~1\AMBIEN~1\MARIA AFONSO.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: .protected
O4 - Global Startup: .protected
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 1912 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 VOBID - c:\windows\system32\drivers\vobid.sys <Not Verified; Pinnacle Systems; InstantDrive>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 vobiw - c:\windows\system32\drivers\vobiw.sys <Not Verified; Pinnacle Systems GmbH; InstantWrite>
R3 ASAPIW2K - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 cdrdrv - c:\windows\system32\drivers\cdrdrv.sys <Not Verified; Pinnacle Systems GmbH; InstantWrite>
R3 SASENUM - c:\programas\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 catchme - c:\docume~1\mariaa~1\defini~1\temp\catchme.sys (file missing)
S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 IPSECSHM (Nortel IPSECSHM Adapter) - c:\windows\system32\drivers\ipsecw2k.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R3 FLEXnet Licensing Service - "c:\programas\ficheiros comuns\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-23 15:31:43 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-04-23 14:52:02 0 d-------- C:\Programas\Enigma Software Group
2008-04-23 14:41:04 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-23 14:41:04 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-23 14:41:04 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-23 14:41:04 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-23 14:41:03 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-23 14:41:03 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-23 14:41:03 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-23 07:45:18 87616 --a------ C:\WINDOWS\system32\dsdcjeoo.dll
2008-04-22 15:49:02 1708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-22 07:45:27 87616 --a------ C:\WINDOWS\system32\tsqdgbsv.dll
2008-04-22 07:42:27 97344 --a------ C:\WINDOWS\system32\uamqberd.dll
2008-04-21 16:58:50 237057 --a------ C:\WINDOWS\system32\Office [Keygen].exe
2008-04-21 07:42:23 96320 --a------ C:\WINDOWS\system32\nbhlngvh.dll
2008-04-18 17:08:13 68096 --a------ C:\WINDOWS\zip.exe
2008-04-18 17:08:13 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-18 17:08:13 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-18 17:08:13 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-18 17:08:13 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-18 17:08:13 98816 --a------ C:\WINDOWS\sed.exe
2008-04-18 17:08:13 80412 --a------ C:\WINDOWS\grep.exe
2008-04-18 17:08:13 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-18 14:14:58 226320 --ahs---- C:\WINDOWS\system32\RuCJRqru.ini2
2008-04-18 14:09:57 0 d-------- C:\Programas\IE Extensions
2008-04-18 10:50:15 0 d-------- C:\Programas\uTorrent
2008-04-18 10:50:09 0 d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\uTorrent
2008-04-15 14:49:00 0 d-------- C:\Documents and Settings\MARIA AFONSO\IGC
2008-04-15 14:48:46 0 d-------- C:\Programas\IGC
2008-04-07 10:36:36 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-23 15:35:34 0 d-------- C:\Programas\SUPERAntiSpyware
2008-04-23 15:32:24 0 d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\SUPERAntiSpyware.com
2008-04-23 15:31:43 0 d-------- C:\Programas\Ficheiros comuns
2008-04-15 14:48:46 0 d--h----- C:\Programas\InstallShield Installation Information
2008-04-15 14:48:34 0 d-------- C:\Programas\Ficheiros comuns\InstallShield
2008-04-11 10:03:43 453706 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-11 10:03:43 74488 --a------ C:\WINDOWS\system32\perfc016.dat
2008-03-24 17:42:36 0 d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\Real
2008-03-24 17:37:10 0 d-------- C:\Programas\Ficheiros comuns\xing shared
2008-03-24 17:37:07 0 d-------- C:\Programas\Ficheiros comuns\Real
2008-03-13 15:11:18 0 d-------- C:\Programas\Virtual Earth 3D
2008-03-07 11:00:42 0 d-------- C:\Programas\Microsoft CAPICOM 2.1.0.2
2008-03-06 14:57:28 0 d-------- C:\Programas\Windows Live
2008-03-06 14:56:45 0 d--hs--c- C:\Programas\Ficheiros comuns\WindowsLiveInstaller
2008-02-25 10:00:22 78536 --a------ C:\Documents and Settings\MARIA AFONSO\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SUPERAntiSpyware"="C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-23 15:35]
"msnmsgr"="C:\Programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34]

C:\Documents and Settings\MARIA AFONSO\Menu Iniciar\Programas\Arranque\
.protected [2008-04-23 14:48:00]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
.protected [2008-04-23 14:48:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqRJCuR

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447d8006-e60c-11dc-9640-001109974c03}]
Auto\command- McRegWizz.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9e9fed-025c-11dd-9667-001109974c03}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04d53d4-fb07-11dc-965c-001109974c03}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e




-- Hosts -----------------------------------------------------------------------

192.168.0.130 GPMS


-- End of Deckard's System Scanner: finished at 2008-04-28 15:49:49 ------------




Kaspersky Online Virus Scanner is not working; I will post that report as soon as possible.

#6 steamwiz

Posted 28 April 2008 - 03:30 PM

Hi

I take it by "meanwhile, i've installed an anti-malware software and i think it removed the malware" you are referring to SUPERAntiSpyware ?

SUPERAntiSpyware is a good program to run, but you still have a lot of malware showing in your log, including a flash drive infection. Please remember to post the Kaspersky Online scan log.

Please also do this :-

Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

&

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

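The items steamwiz is pointing at are all visible in the logs civil3 posted above: the O2 BHO registered with no name, the O4 Run entry that starts a DLL through Rundll32.exe, the two O21 SSODL entries, the extra LSA "Authentication Packages" value naming urqRJCuR (still present in the 28 April DSS dump after SUPERAntiSpyware ran), and the MountPoints2 Auto/AutoRun commands for the G: drive. The script below is an added example written for this edit; it is not something posted in the thread and not part of HijackThis, DSS or any of the tools named here. It reads lines in the HijackThis/DSS format and puts every line that matches one of those persistence patterns in a review queue. The sample input is constructed from lines copied out of the logs above, and the rule names and the `triage()` function are the editor's own.

```python
import re

# Constructed sample input: lines copied from the HijackThis and DSS logs
# posted earlier in this thread (a raw string, so the paths are literal).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {ACB77006-EB8A-4B12-A2C9-8374CCD94518} - C:\WINDOWS\system32\urqRJCuR.dll
O4 - HKLM\..\Run: [BMabd65f14] Rundll32.exe "C:\WINDOWS\system32\nbhlngvh.dll",s
O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: zip - {164770c9-0b61-4e0c-a4e4-8e1b3d375784} - C:\WINDOWS\Installer\{164770c9-0b61-4e0c-a4e4-8e1b3d375784}\zip.dll
O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqRJCuR
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e
"""


def is_bho_no_name(line):
    """O2: a browser helper object registered without a name; it is loaded into every IE process."""
    return line.startswith("O2 - BHO: (no name)")


def is_run_via_rundll32(line):
    """O4: a Run entry whose command is rundll32, i.e. a DLL kept alive without an EXE of its own."""
    return line.startswith("O4 - ") and re.search(r"\brundll32(\.exe)?\b", line, re.IGNORECASE) is not None


def is_ssodl(line):
    """O21: ShellServiceObjectDelayLoad, loaded by Explorer at logon; rarely used by legitimate software."""
    return line.startswith("O21 - SSODL:")


def lsa_packages_beyond_msv1_0(line):
    """Registry dump: an LSA 'Authentication Packages' value listing anything besides msv1_0.
    Every package named here is loaded into lsass.exe at boot, so the DLL is in use all the time."""
    m = re.match(r'"Authentication Packages"=\s*(.*)$', line)
    return bool(m) and any(tok.lower() != "msv1_0" for tok in m.group(1).split())


def is_mountpoint_autorun(line):
    """Registry dump: a cached Auto/AutoRun command under MountPoints2, i.e. a removable drive
    that carries its own autorun payload (the 'flash drive infection' in steamwiz's reply)."""
    return line.startswith(("Auto\\command-", "AutoRun\\command-"))


# Rule name -> predicate. These are triage heuristics (editor's own names), not verdicts:
# a hit means "review this line", because rundll32 Run entries and SSODL objects do
# have legitimate uses.
RULES = [
    ("bho_no_name", is_bho_no_name),
    ("run_via_rundll32", is_run_via_rundll32),
    ("ssodl", is_ssodl),
    ("lsa_auth_packages", lsa_packages_beyond_msv1_0),
    ("mountpoint_autorun", is_mountpoint_autorun),
]


def triage(log_text):
    """Return a list of (rule name, line) for every non-empty line that matches a rule."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, predicate in RULES:
            if predicate(line):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    for name, line in triage(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

Run against the sample, the script queues eight lines and leaves ctfmon.exe and the Google Updater service alone. The point of the `lsa_auth_packages` rule is the one a Run-key cleaner misses: the same urqRJCuR module that showed up as a BHO in the first two logs is still registered as an LSA authentication package in the 28 April dump, which is loaded by lsass.exe before any user logs on.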

#7 civil3 (Topic Starter)

Posted 29 April 2008 - 10:19 AM

Yes, I meant SUPERAntiSpyware.

I will post the logs as soon as possible.

Thanks for the help.

Edited by civil3, 29 April 2008 - 10:32 AM.


#8 steamwiz

Posted 29 April 2008 - 02:47 PM

OK, but don't leave it too long; malware has a tendency to increase the longer you leave it on your computer.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E


#9 civil3 (Topic Starter)

Posted 30 April 2008 - 09:11 AM

OK, here we go:

1- Deckard's System Scanner

Deckard's System Scanner v20071014.68
Run by MARIA AFONSO on 2008-04-30 11:05:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as MARIA AFONSO.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:39, on 30-04-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\dss.exe
C:\DOCUME~1\MARIAA~1\AMBIEN~1\MARIAA~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: .protected
O4 - Global Startup: .protected
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 2261 bytes

-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-29 16:13:25 0 d-------- C:\Documents and Settings\NetworkService\Definições locais <DEFINI~2>
2008-04-29 16:13:25 0 d-------- C:\Documents and Settings\MARIA AFONSO\Definições locais <DEFINI~2>
2008-04-29 16:13:25 0 d-------- C:\Documents and Settings\LocalService\Definições locais <DEFINI~2>
2008-04-29 16:13:24 0 d-------- C:\Documents and Settings\Administrador\Definições locais <DEFINI~2>
2008-04-29 16:03:13 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-29 15:59:14 68096 --a------ C:\WINDOWS\zip.exe
2008-04-29 15:59:14 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-29 15:59:14 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-29 15:59:14 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-29 15:59:14 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-29 15:59:14 98816 --a------ C:\WINDOWS\sed.exe
2008-04-29 15:59:14 80412 --a------ C:\WINDOWS\grep.exe
2008-04-29 15:59:14 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-29 08:11:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 08:11:52 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 07:55:34 0 d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\Malwarebytes
2008-04-29 07:55:15 0 d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-04-29 07:55:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 15:31:43 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-04-23 14:52:02 0 d-------- C:\Programas\Enigma Software Group
2008-04-23 14:41:04 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-23 14:41:04 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-23 14:41:04 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-23 14:41:04 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-23 14:41:03 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-23 14:41:03 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-23 14:41:03 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-22 15:49:02 1708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-21 16:58:50 237057 --a------ C:\WINDOWS\system32\Office [Keygen].exe
2008-04-18 14:09:57 0 d-------- C:\Programas\IE Extensions
2008-04-18 10:50:15 0 d-------- C:\Programas\uTorrent
2008-04-18 10:50:09 0 d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\uTorrent
2008-04-15 14:49:00 0 d-------- C:\Documents and Settings\MARIA AFONSO\IGC
2008-04-15 14:48:46 0 d-------- C:\Programas\IGC
2008-04-07 10:36:36 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-23 15:35:34 0 d-------- C:\Programas\SUPERAntiSpyware
2008-04-23 15:32:24 0 d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\SUPERAntiSpyware.com
2008-04-23 15:31:43 0 d-------- C:\Programas\Ficheiros comuns
2008-04-15 14:48:46 0 d--h----- C:\Programas\InstallShield Installation Information
2008-04-15 14:48:34 0 d-------- C:\Programas\Ficheiros comuns\InstallShield
2008-04-11 10:03:43 453706 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-11 10:03:43 74488 --a------ C:\WINDOWS\system32\perfc016.dat
2008-03-24 17:42:36 0 d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\Real
2008-03-24 17:37:10 0 d-------- C:\Programas\Ficheiros comuns\xing shared
2008-03-24 17:37:07 0 d-------- C:\Programas\Ficheiros comuns\Real
2008-03-13 15:11:18 0 d-------- C:\Programas\Virtual Earth 3D
2008-03-07 11:00:42 0 d-------- C:\Programas\Microsoft CAPICOM 2.1.0.2
2008-03-06 14:57:28 0 d-------- C:\Programas\Windows Live
2008-03-06 14:56:45 0 d--hs--c- C:\Programas\Ficheiros comuns\WindowsLiveInstaller
2008-02-25 10:00:22 78536 --a------ C:\Documents and Settings\MARIA AFONSO\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 13:00]
"SUPERAntiSpyware"="C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [23-04-2008 15:35]
"msnmsgr"="C:\Programas\Windows Live\Messenger\msnmsgr.exe" [18-10-2007 12:34]

C:\Documents and Settings\MARIA AFONSO\Menu Iniciar\Programas\Arranque\
.protected [23-04-2008 14:48:00]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
.protected [23-04-2008 14:48:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [20-12-2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 12:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447d8006-e60c-11dc-9640-001109974c03}]
Auto\command- McRegWizz.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9e9fed-025c-11dd-9667-001109974c03}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04d53d4-fb07-11dc-965c-001109974c03}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e




-- End of Deckard's System Scanner: finished at 2008-04-30 11:06:00 ------------


2- Combofix log:

ComboFix 08-04-28.2 - MARIA AFONSO 2008-04-30 11:07:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.263 [GMT 1:00]
Executando de: C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
* Criado um novo ponto de restauro
.

((((((((((((((((((((((( Ficheiros criados de 2008-03-28 to 2008-04-30 ))))))))))))))))))))))))))))))))
.

2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\Administrador\Definições locais
2008-04-29 08:11 . 2008-04-29 08:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 08:11 . 2008-04-29 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\Malwarebytes
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 15:47 . 2008-04-28 15:47 <DIR> d-------- C:\Deckard
2008-04-23 15:31 . 2008-04-23 15:31 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-04-23 14:52 . 2008-04-23 14:52 <DIR> d-------- C:\Programas\Enigma Software Group
2008-04-23 14:41 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-23 14:41 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-23 14:41 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-23 14:41 . 2008-04-22 13:43 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-23 14:41 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-23 14:41 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-23 14:41 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-22 15:49 . 2008-04-23 14:41 1,708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-21 16:58 . 2008-04-21 17:00 237,057 --a------ C:\WINDOWS\system32\Office [Keygen].exe
2008-04-21 07:42 . 2008-04-23 15:29 109,776 --a------ C:\WINDOWS\BMabd65f14.xml
2008-04-18 14:09 . 2008-04-21 11:07 <DIR> d-------- C:\Programas\IE Extensions
2008-04-18 10:50 . 2008-04-18 10:50 <DIR> d-------- C:\Programas\uTorrent
2008-04-18 10:50 . 2008-04-23 15:41 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\uTorrent
2008-04-15 14:49 . 2008-04-15 14:52 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\IGC
2008-04-15 14:48 . 2008-04-15 14:48 <DIR> d-------- C:\Programas\IGC
2008-04-07 10:36 . 2008-04-07 10:36 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-24 17:37 . 2008-03-24 17:37 <DIR> d-------- C:\Programas\Ficheiros comuns\xing shared
2008-03-24 17:36 . 2008-03-24 17:37 <DIR> d-------- C:\Programas\Ficheiros comuns\Real
2008-03-24 17:36 . 2008-03-24 17:36 <DIR> d-------- C:\Program Files
2008-03-13 15:01 . 2008-03-13 15:11 <DIR> d-------- C:\Programas\Virtual Earth 3D
2008-03-10 08:58 . 2008-03-01 13:58 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-10 08:58 . 2007-07-01 04:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-10 08:58 . 2007-07-01 04:36 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-10 08:58 . 2008-03-01 13:58 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-10 08:58 . 2008-03-01 13:58 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-10 08:58 . 2008-03-01 13:58 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-10 08:58 . 2008-03-01 13:58 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-10 08:58 . 2008-03-01 13:58 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-10 08:58 . 2008-02-22 11:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-10 08:57 . 2008-03-10 08:59 <DIR> d-------- C:\WINDOWS\system32\pt-pt
2008-03-10 08:55 . 2008-03-10 08:55 <DIR> d-------- C:\989587ff892f41615e
2008-03-10 08:55 . 2008-03-10 08:55 <DIR> d-------- C:\91f97b87d0091e477f4e
2008-03-07 11:00 . 2008-03-07 11:00 <DIR> d-------- C:\Programas\Microsoft CAPICOM 2.1.0.2
2008-03-07 08:36 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-07 08:36 . 2007-07-30 20:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-07 08:36 . 2007-07-30 20:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-06 14:56 . 2008-03-06 14:57 <DIR> d-------- C:\Programas\Windows Live
2008-03-06 14:56 . 2008-03-06 14:56 <DIR> d--hsc--- C:\Programas\Ficheiros comuns\WindowsLiveInstaller
2008-03-06 14:56 . 2008-03-06 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 14:35 --------- d-----w C:\Programas\SUPERAntiSpyware
2008-04-23 14:32 --------- d-----w C:\Documents and Settings\MARIA AFONSO\Application Data\SUPERAntiSpyware.com
2008-04-22 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-15 13:48 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-04-15 13:48 --------- d-----w C:\Programas\Ficheiros comuns\InstallShield
2008-03-20 08:07 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 09:00 78,536 ----a-w C:\Documents and Settings\MARIA AFONSO\Application Data\GDIPFONTCACHEV1.DAT
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-29_16.13.09.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 15:04:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 06:37:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"SUPERAntiSpyware"="C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-23 15:35 1470464]
"msnmsgr"="C:\Programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programas\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Programas\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programas\\Mozilla Firefox\\firefox.exe"=
"C:\\Programas\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programas\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2003-08-01 14:47]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-07-06 17:06]
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2004-08-03 11:10]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 usbscan;Controlador de scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Controlador de armazenamento de massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447d8006-e60c-11dc-9640-001109974c03}]
\Shell\Auto\command - McRegWizz.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9e9fed-025c-11dd-9667-001109974c03}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04d53d4-fb07-11dc-965c-001109974c03}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 11:09:34
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...


**************************************************************************
.
Tempo para conclusão: 2008-04-30 11:12:21
ComboFix-quarantined-files.txt 2008-04-30 10:11:19
ComboFix2.txt 2008-04-29 15:13:23

Pre-Run: 65,797,873,664 bytes livres
Post-Run: 65,771,929,600 bytes livres

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

149 --- E O F --- 2008-04-11 09:04:31

3- Malwarebytes log:

Malwarebytes' Anti-Malware 1.11
Versão do banco de dados: 694

Tipo de Verificação: Completa (A:\|C:\|D:\|E:\|F:\|Z:\|)
Objetos verificados: 129795
Tempo decorrido: 45 minute(s), 15 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 4
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 1
Arquivos infectados: 12

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_CLASSES_ROOT\cj.cjmgr (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\cj.cjmgr.1 (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
C:\Programas\IE Extensions (Trojan.BHO) -> No action taken.

Arquivos infectados:
C:\QooBox\Quarantine\C\WINDOWS\system32\uamqberd.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP748\A0123499.dll (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP750\A0124658.exe (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP750\A0124659.exe (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP750\A0124784.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP750\A0124823.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP750\A0124830.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP752\A0125914.cpl (Rouge.ISecurity) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP752\A0126963.exe (Trojan.Clicker) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP752\A0126964.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP752\A0126965.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP755\A0127325.dll (Trojan.Vundo) -> No action taken.

4- Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 30, 2008 2:56:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/04/2008
Kaspersky Anti-Virus database records: 732922


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Z:\

Scan Statistics
Total number of scanned objects 94258
Number of viruses found 6
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 01:04:01

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\Varios\spyware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\Varios\spyware\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\Varios\spyware\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\Varios\spyware\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\MARIA AFONSO\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Histórico\History.IE5\MSHist012008043020080501\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\UserData\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dsdcjeoo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\nbhlngvh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\tsqdgbsv.dll.vir Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP750\A0124783.dll Infected: Trojan-Dropper.Win32.Agent.qfy skipped

C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP750\A0124786.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qol skipped

C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP755\A0127322.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped

C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP755\A0127323.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped

C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP755\A0127324.dll Infected: Packed.Win32.Monder.gen skipped

C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP756\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 steamwiz
  • Members
  • 1,039 posts

Posted 30 April 2008 - 03:25 PM

Hi

Please post the log from the first run of Combofix; it shows files removed, which do not show in the log from the second run (which you posted) ... you'll find it here :- C:\ComboFix2.txt

Then please run Malwarebytes again, & this time select remove what it finds ...

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.


NEXT ...

Delete these files/folder :-

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix ... folder
C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix.exe ... file
C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\Varios\spyware\SmitfraudFix.exe ... file

NEXT ...

This will clear all your infected restore points...

Turn off (Disable) System Restore in XP :-

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Then...

Turn on (enable) System Restore :-

Follow the same procedure, but this time uncheck Turn off System Restore

If you have any problem with this... here's a link to instructions :-


Disabling or enabling Windows XP System Restore >

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

...

So please post :-

1. Original Combofix log
2. new Malwarebytes report
3. Run KASPERSKY on-line scan & post a new log
4. Run hijackthis & post a new log

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#11 civil3
  • Topic Starter

  • Members
  • 24 posts

Posted 06 May 2008 - 03:52 AM

Hello again


COMBOFIX:

ComboFix 08-04-28.2 - MARIA AFONSO 2008-04-29 16:01:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.219 [GMT 1:00]
Executando de: C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\ComboFix.exe
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\.protected
C:\WINDOWS\.protected
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\system32\dsdcjeoo.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nbhlngvh.dll
C:\WINDOWS\system32\ooejcdsd.ini
C:\WINDOWS\system32\piwvbria.ini
C:\WINDOWS\system32\RuCJRqru.ini
C:\WINDOWS\system32\RuCJRqru.ini2
C:\WINDOWS\system32\tsqdgbsv.dll
C:\WINDOWS\system32\uamqberd.dll
C:\WINDOWS\system32\vsbgdqst.ini

.
((((((((((((((((((((((( Ficheiros criados de 2008-03-28 to 2008-04-29 ))))))))))))))))))))))))))))))))
.

2008-04-29 08:11 . 2008-04-29 08:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 08:11 . 2008-04-29 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\Malwarebytes
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 15:47 . 2008-04-28 15:47 <DIR> d-------- C:\Deckard
2008-04-23 15:31 . 2008-04-23 15:31 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-04-23 14:52 . 2008-04-23 14:52 <DIR> d-------- C:\Programas\Enigma Software Group
2008-04-23 14:41 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-23 14:41 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-23 14:41 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-23 14:41 . 2008-04-22 13:43 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-23 14:41 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-23 14:41 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-23 14:41 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-22 15:49 . 2008-04-23 14:41 1,708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-21 16:58 . 2008-04-21 17:00 237,057 --a------ C:\WINDOWS\system32\Office [Keygen].exe
2008-04-21 07:42 . 2008-04-23 15:29 109,776 --a------ C:\WINDOWS\BMabd65f14.xml
2008-04-18 14:09 . 2008-04-21 11:07 <DIR> d-------- C:\Programas\IE Extensions
2008-04-18 10:50 . 2008-04-18 10:50 <DIR> d-------- C:\Programas\uTorrent
2008-04-18 10:50 . 2008-04-23 15:41 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\uTorrent
2008-04-15 14:49 . 2008-04-15 14:52 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\IGC
2008-04-15 14:48 . 2008-04-15 14:48 <DIR> d-------- C:\Programas\IGC
2008-04-07 10:36 . 2008-04-07 10:36 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 14:35 --------- d-----w C:\Programas\SUPERAntiSpyware
2008-04-23 14:32 --------- d-----w C:\Documents and Settings\MARIA AFONSO\Application Data\SUPERAntiSpyware.com
2008-04-22 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-15 13:48 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-04-15 13:48 --------- d-----w C:\Programas\Ficheiros comuns\InstallShield
2008-03-24 16:37 --------- d-----w C:\Programas\Ficheiros comuns\xing shared
2008-03-24 16:37 --------- d-----w C:\Programas\Ficheiros comuns\Real
2008-03-13 14:11 --------- d-----w C:\Programas\Virtual Earth 3D
2008-03-07 10:00 --------- d-----w C:\Programas\Microsoft CAPICOM 2.1.0.2
2008-03-06 13:57 --------- d-----w C:\Programas\Windows Live
2008-03-06 13:56 --------- dcsh--w C:\Programas\Ficheiros comuns\WindowsLiveInstaller
2008-03-06 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-25 09:00 78,536 ----a-w C:\Documents and Settings\MARIA AFONSO\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"SUPERAntiSpyware"="C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-23 15:35 1470464]
"msnmsgr"="C:\Programas\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programas\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Programas\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programas\\Mozilla Firefox\\firefox.exe"=
"C:\\Programas\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programas\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2003-08-01 14:47]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-07-06 17:06]
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2004-08-03 11:10]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 usbscan;Controlador de scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Controlador de armazenamento de massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447d8006-e60c-11dc-9640-001109974c03}]
\Shell\Auto\command - McRegWizz.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9e9fed-025c-11dd-9667-001109974c03}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04d53d4-fb07-11dc-965c-001109974c03}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 16:05:24
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-04-29 16:13:22 - machine was rebooted [MARIA AFONSO]
ComboFix-quarantined-files.txt 2008-04-29 15:13:20

Pre-Run: 65,883,713,536 bytes livres
Post-Run: 65,821,171,712 bytes livres

137 --- E O F --- 2008-04-11 09:04:31


MALWAREBYTES:

Malwarebytes' Anti-Malware 1.11
Versão do banco de dados: 694

Tipo de Verificação: Completa (A:\|C:\|D:\|E:\|F:\|Z:\|)
Objetos verificados: 130532
Tempo decorrido: 50 minute(s), 4 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 0

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
(Nenhum ítem malicioso foi detectado)


KASPERSKY:

KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 8:54:53 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 741846


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Z:\

Scan Statistics
Total number of scanned objects 78660
Number of viruses found 4
Number of infected objects 8
Number of suspicious objects 0
Duration of the scan process 01:04:17

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix\IEDFix.exe Infected: Constructor.Win32.Binder.bk skipped

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix.exe/SmitfraudFix/IEDFix.exe Infected: Constructor.Win32.Binder.bk skipped

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix.exe RAR: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Application Data\Microsoft\Modelos\Normal.dot Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Histórico\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temp\tmp4.tmp Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temp\~DFBA1E.tmp Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temp\~WRD0000.doc Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temp\~WRF0001.tmp Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temp\~WRS0002.tmp Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dsdcjeoo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\nbhlngvh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{0C32B4E4-2E26-48AF-9F79-49048D5CA16F}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\IEDFix.exe Infected: Constructor.Win32.Binder.bk skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:31, on 06-05-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Startup: .protected
O4 - Global Startup: .protected
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 2171 bytes

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 06 May 2008 - 10:16 AM

Hi

You didn't remove the SmitfraudFix exe & folder from the Administrador account ... you only removed it from your (MARIA AFONSO) account ...

C:\Documents and Settings\Administrador\Ambiente de trabalho\SmitfraudFix

-
Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom:

O4 - Startup: .protected
O4 - Global Startup: .protected


-
Then...

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word Registry:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9e9fed-025c-11dd-9667-001109974c03}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04d53d4-fb07-11dc-965c-001109974c03}]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
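The two keys steamwiz puts in the CFScript above are the mountpoints2 entries whose Auto verb launches an executable from G: (the RavMon.exe ones from the ComboFix log earlier in the thread); the McRegWizz.exe entry is left alone. The script below is an added example, not part of this thread, of ComboFix, or of any of the tools named here. It parses the mountpoints2 block of a ComboFix log, reports which drive each Auto handler launches from, and renders the keys to remove in the CFScript shape the post insists on (Registry:: on the first line, no blank line or leading space). The sample log text is constructed from the entries shown in the thread; the selection rule (flag an Auto handler that runs from a drive other than the system drive) is my assumption, chosen because it reproduces the helper's choice here:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the "mountpoints2" block of a ComboFix log, in the
# shape shown earlier in this thread (GUIDs copied from that log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447d8006-e60c-11dc-9640-001109974c03}]
\Shell\Auto\command - McRegWizz.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba9e9fed-025c-11dd-9667-001109974c03}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d04d53d4-fb07-11dc-965c-001109974c03}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e
"""

# Key header line: [HKEY_CURRENT_USER\...\mountpoints2\{GUID}]
KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\[^\]]*\\mountpoints2\\\{[0-9A-Fa-f-]+\})\]$")
# Verb line: \Shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\Shell\\([A-Za-z]+)\\command - (.+)$")
# Command whose first token is an absolute path on a drive letter
DRIVE_RE = re.compile(r"^([A-Za-z]):\\")


@dataclass
class MountPoint:
    key: str
    commands: Dict[str, str] = field(default_factory=dict)  # verb -> command line


def parse_mountpoints(log_text: str) -> List[MountPoint]:
    """Collect every mountpoints2 key and its Shell verb commands from a ComboFix log."""
    entries: List[MountPoint] = []
    current: Optional[MountPoint] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line closes the current key block
            continue
        m = KEY_RE.match(line)
        if m:
            current = MountPoint(key=m.group(1))
            entries.append(current)
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            current.commands[m.group(1)] = m.group(2)
    return entries


def launched_from_drive(entry: MountPoint) -> Optional[str]:
    """Drive letter the Auto verb launches from, or None when the path is relative."""
    m = DRIVE_RE.match(entry.commands.get("Auto", ""))
    return m.group(1).upper() if m else None


def suspect_keys(entries: List[MountPoint], system_drive: str = "C") -> List[str]:
    """Keys whose Auto verb runs an executable from a drive other than the system drive.

    Assumption (mine, not from the thread): an autorun handler that points at
    another volume is the marker worth reviewing; it reproduces the helper's
    selection for this log.
    """
    return [e.key for e in entries
            if launched_from_drive(e) not in (None, system_drive.upper())]


def build_cfscript(keys: List[str]) -> str:
    """Render keys as a CFScript: 'Registry::' on line one, no leading blank or space."""
    return "\n".join(["Registry::"] + [f"[-{k}]" for k in keys]) + "\n"


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for e in found:
        guid = e.key.rsplit("\\", 1)[-1]
        print(f"{guid}  Auto={e.commands.get('Auto')!r}  drive={launched_from_drive(e)}")
    print(build_cfscript(suspect_keys(found)))
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the printed table lets you check each entry before anything is deleted, and the rendered script is what goes into CFScript.txt.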

#13 civil3

civil3
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 08 May 2008 - 01:44 AM

Hi
Let's see if it's gone :thumbsup:

Combofix:

ComboFix 08-05-01.3 - MARIA AFONSO 2008-05-07 8:03:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.287 [GMT 1:00]
Executando de: C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\CFScript.txt
* Criado um novo ponto de restauro
.

((((((((((((((((((((((( Ficheiros criados de 2008-04-07 to 2008-05-07 ))))))))))))))))))))))))))))))))
.

2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais
2008-04-29 16:13 . 2008-04-29 16:13 <DIR> d-------- C:\Documents and Settings\Administrador\Definições locais
2008-04-29 08:11 . 2008-04-29 08:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 08:11 . 2008-04-29 08:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\Malwarebytes
2008-04-29 07:55 . 2008-04-29 07:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-28 15:47 . 2008-04-28 15:47 <DIR> d-------- C:\Deckard
2008-04-23 15:31 . 2008-04-23 15:31 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-04-23 14:52 . 2008-04-23 14:52 <DIR> d-------- C:\Programas\Enigma Software Group
2008-04-23 14:41 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-23 14:41 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-23 14:41 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-23 14:41 . 2008-04-22 13:43 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-23 14:41 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-23 14:41 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-23 14:41 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-22 15:49 . 2008-04-23 14:41 1,708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-21 16:58 . 2008-04-21 17:00 237,057 --a------ C:\WINDOWS\system32\Office [Keygen].exe
2008-04-21 07:42 . 2008-04-23 15:29 109,776 --a------ C:\WINDOWS\BMabd65f14.xml
2008-04-18 10:50 . 2008-04-18 10:50 <DIR> d-------- C:\Programas\uTorrent
2008-04-18 10:50 . 2008-04-23 15:41 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\Application Data\uTorrent
2008-04-15 14:49 . 2008-04-15 14:52 <DIR> d-------- C:\Documents and Settings\MARIA AFONSO\IGC
2008-04-15 14:48 . 2008-04-15 14:48 <DIR> d-------- C:\Programas\IGC
2008-04-07 10:36 . 2008-04-07 10:36 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 14:35 --------- d-----w C:\Programas\SUPERAntiSpyware
2008-04-23 14:32 --------- d-----w C:\Documents and Settings\MARIA AFONSO\Application Data\SUPERAntiSpyware.com
2008-04-22 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-15 13:48 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-04-15 13:48 --------- d-----w C:\Programas\Ficheiros comuns\InstallShield
2008-03-24 16:37 --------- d-----w C:\Programas\Ficheiros comuns\xing shared
2008-03-24 16:37 --------- d-----w C:\Programas\Ficheiros comuns\Real
2008-03-20 08:07 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 14:11 --------- d-----w C:\Programas\Virtual Earth 3D
2008-03-07 10:00 --------- d-----w C:\Programas\Microsoft CAPICOM 2.1.0.2
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 09:00 78,536 ----a-w C:\Documents and Settings\MARIA AFONSO\Application Data\GDIPFONTCACHEV1.DAT
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-29_16.13.09.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 15:04:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-07 06:37:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programas\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Programas\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programas\\Mozilla Firefox\\firefox.exe"=
"C:\\Programas\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programas\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 VOBID;VOBID;C:\WINDOWS\system32\DRIVERS\vobid.sys [2003-08-01 14:47]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-07-06 17:06]
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2004-08-03 11:10]
S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys []
S3 usbscan;Controlador de scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Controlador de armazenamento de massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447d8006-e60c-11dc-9640-001109974c03}]
\Shell\Auto\command - McRegWizz.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL McRegWizz.exe e

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 08:05:56
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2008-05-07 8:07:25
ComboFix-quarantined-files.txt 2008-05-07 07:07:21
ComboFix2.txt 2008-04-30 10:12:22
ComboFix3.txt 2008-04-29 15:13:23

Pre-Run: 67,145,490,432 bytes livres
Post-Run: 67,210,448,896 bytes livres

112 --- E O F --- 2008-04-11 09:04:31


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:47, on 07-05-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\MARIA AFONSO\Ambiente de trabalho\HiJackThis.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 971 bytes

#14 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:11:45 PM

Posted 08 May 2008 - 04:18 PM

Hi

Delete this file :-

C:\WINDOWS\BMabd65f14.xml

Then ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK


Then post a new KASPERSKY ONLINE SCANNER REPORT

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#15 civil3

civil3
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 09 May 2008 - 01:49 AM

OK, I've done that.

Can I delete this file as well?

C:\WINDOWS\BMabd65f14.txt

Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
Friday, May 09, 2008 8:59:53 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/05/2008
Kaspersky Anti-Virus database records: 748941


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Z:\

Scan Statistics
Total number of scanned objects 78101
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 01:04:35

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\ENTRECANAIS\2008\2 Correspondencia\2 Cartas\1 Clientes\Envio de Facturas e Recibos\Living room\Living room.doc Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Histórico\History.IE5\MSHist012008050920080510\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temp\IMG7.tmp Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\MARIA AFONSO\UserData\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Programas\Microsoft Office\Office10\Biblioteca\EUROTOOL.XLA Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\IEDFix.exe Infected: Constructor.Win32.Binder.bk skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by civil3, 09 May 2008 - 03:00 AM.




