
Trojans: Backdoor.Tideserv!inf and Dldr.Agent.dfhk


  • This topic is locked
12 replies to this topic

#1 RonnieRP

  • Members
  • 6 posts

Posted 28 March 2010 - 08:48 AM

Hello!

I've never used this forum before, but I hope you can help me out with this problem. I've already tried everything I know.

My PC got infected by two trojans. Norton hasn't been able to remove the trojan "Backdoor.Tideserv!inf"; it says I should do it manually (and that the problematic file is at C:\WINDOWS\system32\drivers\atapi.sys). I went to the Symantec webpage, which gave me the instructions on how to remove it.
On the webpage it said I should repair that file by booting from my Windows XP CD. I booted, entered the repair section, accessed the "drivers" folder, typed "expand E:\i386\atapi.sy_" ("E" is my DVD-RW drive) and hit Enter, but then I got a message saying there was no CD in my drive. I rebooted and tried again, but since then I haven't been able to use my DVD-RW drive: it doesn't read any CD I put in it (it doesn't boot from CD, and when I try to access it from Windows Explorer it does nothing).

The other one, "Dldr.Agent.dfhk", Norton has blocked, but I don't think it has removed it. The file for this one is at C:\WINDOWS\system32\umphyxji.dll.

My computer is running slowly, and in normal mode I could only run the DDS program. I tried several times to run GMER in normal mode, but other processes consumed a great amount of CPU, so I ran it in safe mode. I hope there's no problem with the log file. I even tried letting it run overnight, but it never finished; that's why I decided to do it in safe mode.

Before running those programs I made a backup of all my data.

I almost forgot: Norton takes a long time to start when I turn my PC on, and I can't turn on Smart Firewall, Intrusion Prevention or Email Protection. I tried to enable the Windows Firewall, but I couldn't.

Here's the log file for the DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Arabela at 19:24:53,26 on sáb 27/03/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2039.1128 [GMT -3:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\sm56hlpr.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\NBHGui.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Arquivos de programas\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Arquivos de programas\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\IDT\3132009112756\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Arabela\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {3a63528d-6dc1-418a-b2f5-3b32ac2aab4b} - c:\windows\system32\jyttsax.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\arquivos de programas\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\arquivos de programas\norton internet security\engine\17.5.0.127\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\arquiv~1\micros~2\office12\GRA8E1~1.DLL
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\arquivos de programas\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\arquivos de programas\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540003} - c:\arquivos de programas\gbplugin\gbiehcef.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540007} - c:\arquiv~1\gbplugin\gbiehabn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\arquivos de programas\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\arquivos de programas\norton internet security\engine\17.5.0.127\coIEPlg.dll
uRun: [swg] "c:\arquivos de programas\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [YVIBBBHA8C] c:\docume~1\arabela\config~1\temp\Rs1.exe
uRun: [muiula] c:\documents and settings\arabela\muiula.exe
mRun: [Xfire32] usbhelp.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre6\bin\jusched.exe"
mRun: [Sony Ericsson PC Suite] "c:\arquivos de programas\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [SMSERIAL] c:\windows\sm56hlpr.exe
mRun: [SecurDisc] c:\arquivos de programas\nero\nero 7\incd\NBHGui.exe
mRun: [RemoteControl] "c:\arquivos de programas\cyberlink\powerdvd\PDVDServ.exe"
mRun: [raidhost] raidhost.exe
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\arquivos de programas\arquivos comuns\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "c:\arquivos de programas\cyberlink\powerdvd\language\Language.exe"
mRun: [ISUSScheduler] "c:\arquivos de programas\arquivos comuns\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\arquivos de programas\arquivos comuns\installshield\updateservice\isuspm.exe" -startup
mRun: [InCD] c:\arquivos de programas\nero\nero 7\incd\InCD.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [HP Software Update] c:\arquivos de programas\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [GrooveMonitor] "c:\arquivos de programas\microsoft office\office12\GrooveMonitor.exe"
mRun: [DeviceDiscovery] c:\arquivos de programas\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [ccApp] -
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\arquivos de programas\arquivos comuns\adobe\arm\1.0\AdobeARM.exe"
mRunServices: [Xfire32] usbhelp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\arabela\menuin~1\progra~1\inicia~1\adobeg~1.lnk - c:\arquivos de programas\arquivos comuns\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\arabela\menuin~1\progra~1\inicia~1\recort~1.lnk - c:\arquivos de programas\microsoft office\office12\ONENOTEM.EXE
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\arquivos de programas\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\arquiv~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\arquiv~1\micros~2\office12\GR99D3~1.DLL
Notify: GbPluginAbn - c:\arquiv~1\gbplugin\gbiehabn.dll
Notify: GbPluginCef - c:\arquivos de programas\gbplugin\gbiehCef.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\arquiv~1\micros~2\office12\GRA8E1~1.DLL
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399007} - c:\arquiv~1\gbplugin\gbiehabn.dll
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399003} - c:\arquivos de programas\gbplugin\gbiehcef.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\arabela\dadosd~1\mozilla\firefox\profiles\calunbpi.default\
FF - component: c:\documents and settings\all users\dados de aplicativos\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\dados de aplicativos\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\arabela\dados de aplicativos\mozilla\firefox\profiles\calunbpi.default\extensions\{87f8774f-b485-47e2-a755-a40a8a5e886c}\components\GbMzhBb.dll
FF - component: c:\documents and settings\arabela\dados de aplicativos\mozilla\firefox\profiles\calunbpi.default\extensions\{87f8774f-b485-47e2-a755-a40a8a5e8874}\components\GbMzhAbn.dll
FF - plugin: c:\arquivos de programas\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\arquivos de programas\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mknpzbsj;mknpzbsj;c:\windows\system32\drivers\mknpzbsj.sys [2004-8-12 23424]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-3-26 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\symefa.sys [2010-3-26 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\dados de aplicativos\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-3-26 501888]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2009-9-7 33952]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\ironx86.sys [2010-3-26 116272]
R2 apfrfgyz;Sony Ericsson Device 089 USB WMC Device Management s (WDM)Controller;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-1-5 12672]
R2 GbpSv;Gbp Service;c:\arquiv~1\gbplugin\GbpSv.exe [2009-3-16 53800]
R2 NIS;Norton Internet Security;c:\arquivos de programas\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-3-26 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\arquivos de programas\arquivos comuns\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\dados de aplicativos\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100327.003\NAVENG.SYS [2010-3-27 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\dados de aplicativos\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20100327.003\NAVEX15.SYS [2010-3-27 1324720]
S?4 EraserSvc10923;Symantec Eraser Service;c:\arquivos de programas\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-3-26 126392]
S0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\GbpKm.sys [2009-4-20 30504]
S2 .norton2009Reset;Norton2009 Reset;c:\documents and settings\all users\dados de aplicativos\norton\Norton2009Reset.exe [2009-3-5 328259]
S2 gupdate1c9b5553b14e9e6;Google Update Service (gupdate1c9b5553b14e9e6);c:\arquivos de programas\google\update\GoogleUpdate.exe [2009-4-4 133104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\dados de aplicativos\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100326.001\IDSXpx86.sys [2010-3-26 329592]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2010-2-21 256512]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2010-2-21 398720]

=============== Created Last 30 ================

2010-03-27 14:26:11 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-03-26 23:23:44 0 d-----w- c:\windows\pss
2010-03-26 19:55:25 0 d-----w- c:\docume~1\arabela\dadosd~1\Tific
2010-03-26 19:25:17 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-26 19:25:17 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-26 19:25:17 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-26 19:25:17 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-26 19:24:29 0 d-----w- c:\windows\system32\drivers\NIS
2010-03-26 19:24:25 0 d-----w- c:\arquivos de programas\Norton Internet Security
2010-03-26 19:24:05 0 d-----w- c:\arquivos de programas\NortonInstaller
2010-03-26 19:12:51 17133 ----a-w- C:\[isoHunt] Norton_Internet_Security_2010_v17_360_days_with_renew.5306045.TPB.torrent
2010-03-26 15:46:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-26 15:42:26 0 dc-h--w- c:\docume~1\alluse~1\dadosd~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-25 18:16:09 114688 --sh--r- c:\documents and settings\arabela\weuuqa.exe
2010-03-25 18:13:54 114688 --sh--r- c:\documents and settings\arabela\vmfop.exe
2010-03-25 18:10:54 114688 --sh--r- c:\documents and settings\arabela\suucop.exe
2010-03-25 18:08:29 114688 --sh--r- c:\documents and settings\arabela\yzqiw.exe
2010-03-25 18:07:00 114688 --sh--r- c:\documents and settings\arabela\batas.exe
2010-03-25 17:18:15 114688 --sh--r- c:\documents and settings\arabela\yeeecak.exe
2010-03-21 11:24:36 76 ----a-w- c:\windows\1.0
2010-03-21 11:24:36 122880 ----a-w- c:\windows\system32\duninstall.exe
2010-03-21 11:24:36 0 d-----w- c:\arquivos de programas\Metodologia Cientifica

==================== Find3M ====================

2010-03-27 20:23:14 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-24 00:06:59 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-23 14:00:23 65848 ----a-w- c:\windows\fonts\TrajanPro-Bold.otf
2010-02-14 11:16:39 72156 ----a-w- c:\windows\system32\perfc016.dat
2010-02-14 11:16:39 437108 ----a-w- c:\windows\system32\perfh016.dat
2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-07-04 18:54:22 134000552 ----a-w- c:\arquivos de programas\BrOOo_3.1.0_Win32Intel_install_pt-BR.exe
2009-05-11 18:43:44 12154971 ----a-w- c:\arquivos de programas\IRPF2009win32v1.1.exe
2009-05-10 12:41:57 9301502 ----a-w- c:\arquivos de programas\RationalPlanM-trial-3.13.1.exe
2009-04-20 17:53:36 12118575 ----a-w- c:\arquivos de programas\IRPF2009win32v1.0.exe
2009-04-20 17:48:05 607640 ----a-w- c:\arquivos de programas\jre-6u13-windows-i586-p-iftw.exe
2009-04-09 19:32:46 3817014 ----a-w- c:\arquivos de programas\vdownloader.zip
2009-04-03 16:07:38 3840331 ----a-w- c:\arquivos de programas\vdownloader_setup.exe
2009-03-27 19:20:36 23596840 ----a-w- c:\arquivos de programas\SkypeSetupFull.exe

============= FINISH: 19:25:37,98 ===============

Thanks for any help,
Ronnie

Attached Files
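The DDS log above carries most of the evidence the diagnosis in this thread rests on: a random-named driver and a random-named svchost-hosted service, a BHO with no name, Run values pointing into Temp and the profile root, a cluster of same-size hidden+system executables, and a core Microsoft driver modified within the reporting window. The following is an added example (my own script, not a BleepingComputer or DDS tool) that reads DDS-style lines and flags exactly those patterns. The sample input is a selection of lines copied from the log in this post, including benign entries as controls; the thresholds (seven or more lowercase letters, a run of four consonants) and the CORE_DRIVERS set are my own heuristics, not published signatures.

```python
"""Triage DDS log lines for the indicator patterns seen in this thread.

Added example: not a BleepingComputer or DDS tool, just a reader of DDS-style
lines. Every threshold below (7+ lowercase letters, a run of 4 consonants,
the CORE_DRIVERS set) is my own heuristic, not a published signature.
"""
import re
from collections import Counter

# Lines copied verbatim from the DDS log posted above. Benign entries (SymDS,
# the Adobe BHO, CTFMON, the empty ccApp value, perfc016.dat) are kept in as
# controls that must not be flagged.
SAMPLE_LOG = r"""
R0 mknpzbsj;mknpzbsj;c:\windows\system32\drivers\mknpzbsj.sys [2004-8-12 23424]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-3-26 328752]
R2 apfrfgyz;Sony Ericsson Device 089 USB WMC Device Management s (WDM)Controller;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
BHO: : {3a63528d-6dc1-418a-b2f5-3b32ac2aab4b} - c:\windows\system32\jyttsax.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [YVIBBBHA8C] c:\docume~1\arabela\config~1\temp\Rs1.exe
uRun: [muiula] c:\documents and settings\arabela\muiula.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [raidhost] raidhost.exe
mRun: [ccApp] -
2010-03-25 18:16:09 114688 --sh--r- c:\documents and settings\arabela\weuuqa.exe
2010-03-25 18:13:54 114688 --sh--r- c:\documents and settings\arabela\vmfop.exe
2010-03-27 20:23:14 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-14 11:16:39 72156 ----a-w- c:\windows\system32\perfc016.dat
"""

SERVICE_RE = re.compile(r"^[RS]\??\d\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+?)\s+\[")
RUN_RE = re.compile(r"^[umd]Run(?:Services)?:\s+\[(?P<key>[^\]]*)\]\s+(?P<cmd>.+)$")
BHO_RE = re.compile(r"^BHO:\s*(?P<name>[^:]*):\s*\{(?P<clsid>[^}]+)\}\s+-\s+(?P<path>.+)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
PROFILE_ROOT_RE = re.compile(r"^c:\\(documents and settings|docume~1)\\[^\\]+\\[^\\]+$")

# Drivers that in-place rootkits of this era were known to patch (assumption:
# a short illustrative set, extend it for your own environment).
CORE_DRIVERS = {"atapi.sys", "iastor.sys"}


def longest_consonant_run(name):
    """Length of the longest run of consonants; random service names score high."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name):
    return bool(re.fullmatch(r"[a-z]{7,}", name)) and longest_consonant_run(name) >= 4


def command_target(cmd):
    """Extract the executable from a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage(log_text):
    """Return (rule, detail) findings for the DDS-style lines in log_text."""
    findings = []
    hidden_exe_sizes = Counter()
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SERVICE_RE.match(line)
        if m:
            if looks_random(m["name"]):
                image = m["image"]
                if "svchost.exe -k" in image.lower():
                    image += "  (hosted: check the service's Parameters\\ServiceDll)"
                findings.append(("random-name service", f"{m['name']} -> {image}"))
            continue
        m = RUN_RE.match(line)
        if m:
            target = command_target(m["cmd"])
            low = target.lower()
            if target == "-":
                pass                      # empty value, nothing to resolve
            elif "\\" not in target:
                findings.append(("run value without path", f"[{m['key']}] {target}"))
            elif "\\temp\\" in low:
                findings.append(("run value in temp", f"[{m['key']}] {target}"))
            elif PROFILE_ROOT_RE.match(low):
                findings.append(("run value in profile root", f"[{m['key']}] {target}"))
            continue
        m = BHO_RE.match(line)
        if m:
            if not m["name"].strip():
                findings.append(("unnamed BHO", f"{{{m['clsid']}}} {m['path']}"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path, size = m["attrs"], m["path"], int(m["size"])
            base = path.rsplit("\\", 1)[-1].lower()
            if "s" in attrs and "h" in attrs and base.endswith(".exe"):
                hidden_exe_sizes[size] += 1
                findings.append(("hidden system exe", path))
            if base in CORE_DRIVERS:
                findings.append(("core driver modified in window", path))
    for size, n in sorted(hidden_exe_sizes.items()):
        if n >= 2:
            findings.append(("same-size hidden exe cluster", f"{n} files of {size} bytes"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:34} {detail}")
```

Two caveats a practitioner would attach. The 2004-8-12 stamp on mknpzbsj.sys, close to the 2004-8-4 date on the Windows files around it, proves nothing about age, since a dropper can set whatever timestamp it likes. And DDS runs on the infected kernel: a rootkit that filters directory listings can keep its own files out of this log entirely, which is one reason the driver-level evidence (the modified atapi.sys) matters more than the count of findings.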


#2 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 28 March 2010 - 09:49 AM

Hello, my name is Sempai and welcome to Bleeping Computer.

* Please stay with me until I declare that your computer is clean, as most users don't reply anymore once they find out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



++++++++++++++++++


One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


~Semp


You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours, please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)
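The repair step in the first post (expanding i386\atapi.sy_ from the XP CD over the driver Norton flagged) also produces the one thing needed to answer Sempai's trust question for that file: a known-good copy to compare against. Here is an added example, my own code and not from the thread or from Symantec's instructions, that hashes the two copies and, when they differ, reports whether the entry point moved and which PE sections the changed bytes fall in. The two images built by build_demo_pe() are a constructed minimal PE32 layout for demonstration, not real atapi.sys bytes; the command-line usage and the filenames in the usage note are assumptions.

```python
"""Compare an on-disk driver with its known-good copy and say where they differ.

Added example, not from the thread and not Symantec's procedure. It assumes
you already have the reference copy (for atapi.sys: the file produced by
expanding i386\atapi.sy_ from the XP CD, as the first post describes) and
reads both files as bytes. The images built by build_demo_pe() are a
constructed minimal PE32 layout for demonstration, not real atapi.sys bytes.
"""
import hashlib
import struct
import sys
from collections import Counter


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def pe_sections(data):
    """Return (entry_point_rva, [(name, vaddr, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return entry, sections


def section_for_rva(sections, rva):
    for name, vaddr, vsize, _, _ in sections:
        if vaddr <= rva < vaddr + max(vsize, 1):
            return name
    return "<outside any section>"


def section_for_offset(sections, off):
    for name, _, _, rptr, rsize in sections:
        if rptr <= off < rptr + rsize:
            return name
    return "<header>"


def compare_driver(reference, suspect):
    """Hash both copies; if they differ, map the differences onto PE sections."""
    result = {"identical": sha256(reference) == sha256(suspect),
              "size_equal": len(reference) == len(suspect)}
    if result["identical"]:
        return result
    ref_entry, ref_sections = pe_sections(reference)
    sus_entry, sus_sections = pe_sections(suspect)
    result["entry_point_changed"] = ref_entry != sus_entry
    result["entry_section"] = (section_for_rva(ref_sections, ref_entry),
                               section_for_rva(sus_sections, sus_entry))
    by_section = Counter()
    for off, (a, b) in enumerate(zip(reference, suspect)):
        if a != b:
            by_section[section_for_offset(ref_sections, off)] += 1
    result["diff_by_section"] = dict(by_section)
    result["bytes_differing"] = sum(by_section.values()) + abs(len(reference) - len(suspect))
    return result


def build_demo_pe(entry_rva, rsrc=b""):
    """Constructed PE32 image: headers in the first 0x200 bytes, then .text and .rsrc."""
    layout = [(b".text", 0x1000, 0x200), (b".rsrc", 0x2000, 0x400)]   # name, RVA, raw offset
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    for name, vaddr, rptr in layout:
        hdr += struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, rptr, 0, 0, 0, 0, 0)
    text = (b"\x90" * 0x100).ljust(0x200, b"\0")                 # stand-in code bytes
    return hdr.ljust(0x200, b"\0") + text + rsrc.ljust(0x200, b"\0")


def demo():
    clean = build_demo_pe(0x1000)                                # entry in .text
    patched = build_demo_pe(0x2000, rsrc=b"\xEB\xFE")           # entry moved into .rsrc
    return compare_driver(clean, patched)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            print(compare_driver(f.read(), g.read()))
    else:
        print(demo())
```

With two real files the call is `python compare_driver.py atapi_from_cd.sys atapi_from_disk.sys` (both names assumed). A hash mismatch on its own is not proof of tampering, since a hotfix changes the file legitimately; what separates the two cases is the shape of the difference. A hotfix spreads changes through .text while the entry point stays in a code section, whereas an entry point redirected into a section that should hold no code, with a small cluster of changed bytes there, is what you would escalate. Take the suspect bytes from offline boot media, not from the running system: a kernel rootkit can serve user-mode readers the original file contents, which would make the two copies hash identical and hide exactly the change this script is meant to find.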


#3 RonnieRP
  • Topic Starter

  • Members
  • 6 posts

Posted 28 March 2010 - 11:17 AM

Hello Sempai,

Thank you for your reply.

I've decided that it would be best if I could reformat and reinstall the OS.
But to do that I need to be able to use my DVD-RW drive properly, and since the infection it hasn't been reading any CD I put in it.

Could you help me make it work so I can boot from it?

#4 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 28 March 2010 - 11:26 AM

Hi Ronnie,

Did you try using the DVD drive with a different CD?

Can you do a System Restore to a date when the DVD drive was still accessible?


~Semp

Edited by sempai, 28 March 2010 - 11:31 AM.



#5 RonnieRP
  • Topic Starter

  • Members
  • 6 posts

Posted 28 March 2010 - 11:51 AM

I tried a different CD, but it still doesn't read, and there are no restore points from before the damage.



#6 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 28 March 2010 - 05:35 PM

Does your PC come with built-in system recovery? Is this an HP PC?

~Semp



#7 RonnieRP
  • Topic Starter

  • Members
  • 6 posts

Posted 29 March 2010 - 07:36 AM

The computer is not an HP PC.

I don't know of any recovery system other than Windows Restoration, which doesn't show any restore points.

Do you want me to write more elaborate answers or so far so good?

#8 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 29 March 2010 - 07:51 AM

Some branded desktops/laptops have a "built-in system recovery" that restores the operating system to its original configuration or factory settings without the use of the Windows installation disk. You can usually see this option during boot-up. The "key" to enter the configuration depends on the model/brand of the PC.

Let me know if you don't have this option. Thanks.


~Semp



#9 RonnieRP
  • Topic Starter

  • Members
  • 6 posts

Posted 29 March 2010 - 02:01 PM

Hello Sempai,

Unfortunately I don't have it.
While booting, the only keys I have are for choosing the boot device or entering the BIOS configuration.

I thought it could be in the BIOS configuration, so I went in there, but again nothing.

Thank you for your help so far!

#10 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 31 March 2010 - 04:44 AM

Hi, can you please do the following:

Right-click on My Computer > Manage > Device Manager > in the right-hand pane, please check whether you can see any yellow question marks.

~Semp



#11 RonnieRP
  • Topic Starter

  • Members
  • 6 posts

Posted 03 April 2010 - 07:00 PM

Hi Sempai,

I'm sorry it took me so long to write this reply.
I did what you told me, but there were no yellow question marks. I think it's a hardware malfunction that just happened at the same time as the infection.

I still haven't been able to use it, but I could boot from a flash drive, then I formatted the partition that had Windows on it and installed it again.

All is fine, Norton is active and hasn't shown any other virus.

Do you think I should still be worried?

Thank you for your help!

#12 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 03 April 2010 - 09:43 PM

Hi RonnieRP,

If you did a clean installation of Windows, and that includes wiping out the entire infected drive, then it should be fine.

~Semp



#13 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 06 April 2010 - 09:02 AM

Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.

~Semp





