My system is Windows 2003 Server.
When I shut down the computer or restart it, this virus goes to almost all computers on the network.
I'm using Kaspersky on my machine, and every time the computer starts, a different kind of virus appears.
Now the name is Net-Worm.Win32.Kido.t - detected by Kaspersky.
I suspect svchost is infected, but I don't know how to disinfect it.
Here's my log.
I'm Brazilian and this is my first post here.
I hope someone can help me.
Sorry for my bad English.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:51, on 29/12/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\cisvc.exe
S:\dell\dataeng\bin\dcevt32.exe
S:\dell\dataeng\bin\dcstor32.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FIBS 2.0.2\fibs202.exe
C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
S:\dell\sm\mr2kserv.exe
S:\dell\oma\bin\omsad32.exe
c:\Windows\srvany.exe
C:\Program Files\Bayer CropScience\SetupPegasus\PgsConfig.exe
C:\Program Files\Siagri\Agribusiness\Proteq\pserv32.exe
S:\dell\iws\bin\win32\omaws32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
S:\Clanwin\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
S:\Clanwin\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
S:\Clanwin\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Apoio Distribuidora\Alpha\Alpha.exe
S:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
S:\Clanwin\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
S:\Clanwin\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
S:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
S:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Siagri\Agribusiness\Bin\sagrfina.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
S:\Clanwin\ClamWin\bin\clamscan.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - S:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ClamWin] "S:\Clanwin\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1963785134-826866253-3417678975-1026\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'FINANCEIRO SFI')
O4 - HKUS\S-1-5-21-1963785134-826866253-3417678975-1040\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'administracao')
O4 - HKUS\S-1-5-21-1963785134-826866253-3417678975-1055\..\Run: [] (User 'Antonio')
O4 - HKUS\S-1-5-21-1963785134-826866253-3417678975-1062\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'André')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - S:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - S:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://www.abusar.org
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://www.adslayuda.com
O15 - ESC Trusted Zone: http://*.apoioagricola
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://www.brasilescola.com
O15 - ESC Trusted Zone: http://tools.bvrp.com
O15 - ESC Trusted Zone: http://tools.cisco.com
O15 - ESC Trusted Zone: http://www.cisco.com
O15 - ESC Trusted Zone: http://www.clamwin.com
O15 - ESC Trusted Zone: http://adclient-af.lp.uol.com.br
O15 - ESC Trusted Zone: http://ads.clubedohardware.com.br
O15 - ESC Trusted Zone: http://afiliados.adslresidencial.com.br
O15 - ESC Trusted Zone: http://baixaki.ig.com.br
O15 - ESC Trusted Zone: http://busca.uol.com.br
O15 - ESC Trusted Zone: http://diversao.uol.com.br
O15 - ESC Trusted Zone: http://dyn2.superdownloads.uol.com.br
O15 - ESC Trusted Zone: http://eleicoes.uol.com.br
O15 - ESC Trusted Zone: http://esporte.uol.com.br
O15 - ESC Trusted Zone: http://esportes.terra.com.br
O15 - ESC Trusted Zone: http://forum.clubedohardware.com.br
O15 - ESC Trusted Zone: http://forum.wmonline.com.br
O15 - ESC Trusted Zone: http://home.item.com.br
O15 - ESC Trusted Zone: http://imasters.uol.com.br
O15 - ESC Trusted Zone: http://my.uolk.uol.com.br
O15 - ESC Trusted Zone: http://noticias.uol.com.br
O15 - ESC Trusted Zone: http://paginas.terra.com.br
O15 - ESC Trusted Zone: http://ppi.terra.com.br
O15 - ESC Trusted Zone: http://sea.search.msn.com.br
O15 - ESC Trusted Zone: http://siagri.com.br
O15 - ESC Trusted Zone: http://sisnema.com.br
O15 - ESC Trusted Zone: http://superdownloads.uol.com.br
O15 - ESC Trusted Zone: http://vitrine.buscape.com.br
O15 - ESC Trusted Zone: http://www.activedelphi.com.br
O15 - ESC Trusted Zone: http://www.agatetepe.com.br
O15 - ESC Trusted Zone: http://www.baboo.com.br
O15 - ESC Trusted Zone: http://www.babooforum.com.br
O15 - ESC Trusted Zone: http://www.boadica.com.br
O15 - ESC Trusted Zone: http://www.buscape.com.br
O15 - ESC Trusted Zone: http://www.cceinformatica.com.br
O15 - ESC Trusted Zone: http://www.clubedohardware.com.br
O15 - ESC Trusted Zone: http://www.correios.com.br
O15 - ESC Trusted Zone: http://www.digirati.com.br
O15 - ESC Trusted Zone: http://www.enem.com.br
O15 - ESC Trusted Zone: http://www.forumpcs.com.br
O15 - ESC Trusted Zone: http://www.forumweb.com.br
O15 - ESC Trusted Zone: http://www.google.com.br
O15 - ESC Trusted Zone: http://www.ig.com.br
O15 - ESC Trusted Zone: http://www.istf.com.br
O15 - ESC Trusted Zone: http://www.itau.com.br
O15 - ESC Trusted Zone: http://www.itauempresas.com.br
O15 - ESC Trusted Zone: http://www.juliobattisti.com.br
O15 - ESC Trusted Zone: http://www.modulo.com.br
O15 - ESC Trusted Zone: http://www.netdownloads.com.br
O15 - ESC Trusted Zone: http://www.pcforum.com.br
O15 - ESC Trusted Zone: http://www.pcsnews.com.br
O15 - ESC Trusted Zone: http://www.santander.com.br
O15 - ESC Trusted Zone: http://www.siagri.com.br
O15 - ESC Trusted Zone: http://www.terra.com.br
O15 - ESC Trusted Zone: http://www.uol.com.br
O15 - ESC Trusted Zone: http://www.winconnection.com.br
O15 - ESC Trusted Zone: http://www.dtk.com.tw
O15 - ESC Trusted Zone: http://www.personalfirewall.comodo.com
O15 - ESC Trusted Zone: http://pt.delphi.com
O15 - ESC Trusted Zone: http://www.gfi.com
O15 - ESC Trusted Zone: http://www.gfisoftware.com
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://www.sefaz.rs.gov.br
O15 - ESC Trusted Zone: http://www.grisoft.com
O15 - ESC Trusted Zone: http://www.guiadohardware.net
O15 - ESC Trusted Zone: http://h10025.www1.hp.com
O15 - ESC Trusted Zone: http://h20180.www2.hp.com
O15 - ESC Trusted Zone: http://h20285.www2.hp.com
O15 - ESC Trusted Zone: http://h30091.www3.hp.com
O15 - ESC Trusted Zone: http://search.hp.com
O15 - ESC Trusted Zone: http://welcome.hp.com
O15 - ESC Trusted Zone: http://adserver.ig.com.br
O15 - ESC Trusted Zone: http://www.java.com
O15 - ESC Trusted Zone: http://www.knowledgestorm.com
O15 - ESC Trusted Zone: http://help.live.com
O15 - ESC Trusted Zone: http://search.live.com
O15 - ESC Trusted Zone: http://shared.live.com
O15 - ESC Trusted Zone: http://www.mail-archive.com
O15 - ESC Trusted Zone: http://www.mobilefun.co.uk
O15 - ESC Trusted Zone: http://www.motorola.com
O15 - ESC Trusted Zone: http://br.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://www.nsauditor.com
O15 - ESC Trusted Zone: http://www.openwindow.com
O15 - ESC Trusted Zone: http://*.portableapps.com
O15 - ESC Trusted Zone: http://www.programurl.com
O15 - ESC Trusted Zone: http://www.rnp.br
O15 - ESC Trusted Zone: http://optusnet.dl.sourceforge.net
O15 - ESC Trusted Zone: http://prdownloads.sourceforge.net
O15 - ESC Trusted Zone: http://ufpr.dl.sourceforge.net
O15 - ESC Trusted Zone: http://*.sourceforge.net
O15 - ESC Trusted Zone: http://download2.speedbit.com
O15 - ESC Trusted Zone: http://sdlc-esd.sun.com
O15 - ESC Trusted Zone: http://barra.uol.com.br
O15 - ESC Trusted Zone: http://de.uol.com.br
O15 - ESC Trusted Zone: http://www.vitaltech-group.com
O15 - ESC Trusted Zone: http://www.warez-bb.org
O15 - ESC Trusted Zone: http://m.webtrends.com
O15 - ESC Trusted Zone: http://en.wikipedia.org
O15 - ESC Trusted Zone: http://pt.wikipedia.org
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.xteq.de
O15 - ESC Trusted Zone: http://www.yougetsignal.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://201.18.39.42
O15 - ESC Trusted IP range: http://207.46.19.30
O15 - ESC Trusted IP range: http://192.168.0.1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211198522540
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211891972421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - S:\dell\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - S:\dell\dataeng\bin\dcstor32.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FIBSBackupService - Talat Dogan - C:\Program Files\FIBS 2.0.2\fibs202.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\bin\fbserver.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: mr2kserv - LSI Logic Corporation - S:\dell\sm\mr2kserv.exe
O23 - Service: OM Common Services (omsad) - Dell Inc. - S:\dell\oma\bin\omsad32.exe
O23 - Service: Pegasus - Unknown owner - c:\Windows\srvany.exe
O23 - Service: Pserv32 - SafeNet, Inc - C:\Program Files\Siagri\Agribusiness\Proteq\pserv32.exe
O23 - Service: Secure Port Server (Server Administrator) - Unknown owner - S:\dell\iws\bin\win32\omaws32.exe
--
End of file - 15265 bytes
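For anyone triaging a log like the one above: Kaspersky's Kido family is the worm more widely known as Conficker, which spreads between Windows machines through the MS08-067 Server service vulnerability, so the first check on every host in that network is whether that patch is installed. A HijackThis log will not show the worm's service DLL, but it does show a few things worth pulling out before anything else: core OS binaries running from outside System32, a broken Winsock LSP chain (O10), autoruns and services pointing outside the usual install directories, and the Trusted Zone list (O15). The script below is an added example written for this thread, not HijackThis's own code and not something from the original post. It parses the HijackThis 2.0.x line formats as they appear in the log above, assumes %SystemRoot% is C:\WINDOWS, and runs against a constructed excerpt (SAMPLE_LOG) that copies a few lines from the post; the classification rules are the editor's.

```python
"""Triage a HijackThis 2.0.x log for the indicators that matter when a
network worm is suspected.  Added example: the line formats are those of
the log in the thread, SAMPLE_LOG is a constructed excerpt, and the rules
plus the assumption that Windows lives in C:\\WINDOWS are the editor's."""
import re
from pathlib import PureWindowsPath

SYSTEM32 = "c:\\windows\\system32"      # assumption: %SystemRoot% is C:\WINDOWS
STANDARD_DIRS = ("c:\\windows", "c:\\program files", "c:\\progra~1")
# Binaries that have no business running from anywhere but System32.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # "O23 - Service: ..."
EXE_RE = re.compile(r'\]\s*"?([^"]+?\.exe)', re.IGNORECASE)   # target of an O4 autorun

# Constructed excerpt in HijackThis format; several lines copied from the post.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Running processes:
C:\\Documents and Settings\\Administrator\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\Administrator\\Desktop\\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,
O4 - HKLM\\..\\Run: [ClamWin] "S:\\Clanwin\\ClamWin\\bin\\ClamTray.exe" --logon
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKUS\\S-1-5-21-1963785134-826866253-3417678975-1055\\..\\Run: [] (User 'Antonio')
O10 - Broken Internet access because of LSP provider 'c:\\documents and settings\\administrator\\windows\\system32\\mswsock.dll' missing
O15 - ESC Trusted Zone: http://www.warez-bb.org
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O23 - Service: Pegasus - Unknown owner - c:\\Windows\\srvany.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe
--
End of file - 1234 bytes
"""


def parse_hjt(text):
    """Split a log into (process paths, [(section code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                       # first "Xn - " line ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def misplaced_core_binaries(processes):
    """Core OS binaries whose directory is not exactly System32.  A hit is a
    lead, not a verdict: HijackThis is known to print odd profile-relative
    paths for smss.exe, so confirm the real image path with another tool
    (Process Explorer, or `tasklist /m`) before treating it as a second copy."""
    return [p for p in processes
            if PureWindowsPath(p).name.lower() in CORE_SYSTEM_BINARIES
            and str(PureWindowsPath(p).parent).lower() != SYSTEM32]


def broken_lsp(entries):
    """O10 lines: the Winsock catalog names a provider DLL HijackThis could not
    find.  Verify with `netsh winsock show catalog` before resetting anything."""
    return [body for code, body in entries if code == "O10"]


def autoruns_outside_standard_dirs(entries):
    """O4 autorun targets that live outside Windows / Program Files."""
    out = []
    for code, body in entries:
        m = EXE_RE.search(body) if code == "O4" else None
        if m and not str(PureWindowsPath(m.group(1))).lower().startswith(STANDARD_DIRS):
            out.append(m.group(1))
    return out


def unowned_services(entries):
    """O23 services whose binary carries no vendor name."""
    return [body for code, body in entries if code == "O23" and "Unknown owner" in body]


def trusted_zone_hosts(entries):
    """Hosts added to IE's Trusted Zone (O15); each runs with relaxed security."""
    prefix = "ESC Trusted Zone: "
    return [body[len(prefix):].split()[0] for code, body in entries
            if code == "O15" and body.startswith(prefix)]


def triage(text):
    procs, entries = parse_hjt(text)
    return {
        "misplaced_core_binaries": misplaced_core_binaries(procs),
        "broken_lsp": broken_lsp(entries),
        "autoruns_outside_standard_dirs": autoruns_outside_standard_dirs(entries),
        "unowned_services": unowned_services(entries),
        "trusted_zone_hosts": trusted_zone_hosts(entries),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(val)}")
        for v in val:
            print("   ", v)
```

Run it against the full log above by reading the file into `triage()` instead of `SAMPLE_LOG`. Every list it returns is a review queue, not a list of infections: the smss.exe path and the O10 mswsock.dll line, for example, may both be HijackThis path-resolution artifacts and need confirming on the box itself.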