Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Backdoor-bdd win XP


  • Please log in to reply
16 replies to this topic

#1 rbirtel

rbirtel

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 30 December 2004 - 08:10 PM

Guys,

I`m one more infected with backdoor-bdd and could not find yet how to remove it. Pls, your help! I`m attaching below my HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 23:09:28, on 30/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\ARQUIV~1\iGv6\sysbrand.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
c:\arquiv~1\mcafee.com\vso\mcvsftsn.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {118BA3A3-204B-60CC-DF7A-B655B766277D} - C:\WINDOWS\system32\addfz.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] C:\Arquivos de programas\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [5B.tmp] C:\DOCUME~1\Amendola\CONFIG~1\Temp\5B.tmp.exe 0 10001
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [u04C
}z[8C:\Arquivos de programas\ISTsvc\istsvc.exe] C:\WINDOWS\bwiomtyx.exe
O4 - HKLM\..\Run: [u04C
}zigC:\Arquivos de programas\ISTsvc\istsvc.exe] C:\WINDOWS\bwiomtyx.exe
O4 - HKLM\..\Run: [YCv9m"igY] C:\WINDOWS\bwiomtyx.exe
O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 31 December 2004 - 04:15 PM

Download the attached zip file and unzip it to your desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when its done, even if it crashes.

When its done run hijackthis again post a new log

#3 rbirtel

rbirtel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 01 January 2005 - 02:02 AM

Grinler,

I`ve done your steps and here is the current log:

Logfile of HijackThis v1.99.0
Scan saved at 05:01:09, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\ARQUIV~1\iGv6\sysbrand.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
c:\arquiv~1\mcafee.com\vso\mcvsftsn.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {118BA3A3-204B-60CC-DF7A-B655B766277D} - C:\WINDOWS\system32\addfz.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] C:\Arquivos de programas\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [5B.tmp] C:\DOCUME~1\Amendola\CONFIG~1\Temp\5B.tmp.exe 0 10001
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [u04C
}z[8C:\Arquivos de programas\ISTsvc\istsvc.exe] C:\WINDOWS\bwiomtyx.exe
O4 - HKLM\..\Run: [u04C
}zigC:\Arquivos de programas\ISTsvc\istsvc.exe] C:\WINDOWS\bwiomtyx.exe
O4 - HKLM\..\Run: [YCv9m"igY] C:\WINDOWS\bwiomtyx.exe
O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 01 January 2005 - 12:38 PM

Click on start, settings, control panel and double-click on add/remove programs. From with add/remove program uninstall the following if they exist:

IST SVC
Admilli Service

Reboot your computer into Safe Mode

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {118BA3A3-204B-60CC-DF7A-B655B766277D} - C:\WINDOWS\system32\addfz.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [eDonkey2000] C:\Arquivos de programas\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [5B.tmp] C:\DOCUME~1\Amendola\CONFIG~1\Temp\5B.tmp.exe 0 10001
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [u04C
}z[8C:\Arquivos de programas\ISTsvc\istsvc.exe] C:\WINDOWS\bwiomtyx.exe
O4 - HKLM\..\Run: [u04C
}zigC:\Arquivos de programas\ISTsvc\istsvc.exe] C:\WINDOWS\bwiomtyx.exe
O4 - HKLM\..\Run: [YCv9m"igY] C:\WINDOWS\bwiomtyx.exe
O4 - HKCU\..\Run: [SysBrand] C:\ARQUIV~1\iGv6\sysbrand.exe


Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\system32\addfz.dll
C:\DOCUMENTS AND SETTINGS\Amendola\CONFIG~1\Temp\5B.tmp.exe 0 10001
C:\Program Files\Admilli Service\
O4 - HKLM\..\Run: [u04C
C:\WINDOWS\bwiomtyx.exe
C:\WINDOWS\bwiomtyx.exe

Reboot your computer to go back to normal mode and post a new log.

#5 rbirtel

rbirtel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 01 January 2005 - 05:04 PM

Grinler,

Here is the new log after last steps:

Logfile of HijackThis v1.99.0
Scan saved at 20:03:15, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\fmkkn.dll/sp.html#12345
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 01 January 2005 - 05:39 PM

Run Cwshredder, reboot, run cwshredder again, reboot and post a new log

#7 rbirtel

rbirtel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 01 January 2005 - 08:33 PM

Grinler,

Here is it:

Logfile of HijackThis v1.99.0
Scan saved at 23:18:56, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Arquivos de programas\Arquivos comuns\CMEII\CMESys.exe
C:\Arquivos de programas\Arquivos comuns\GMT\GMT.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CMESys] "C:\Arquivos de programas\Arquivos comuns\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Arquivos de programas\Arquivos comuns\GMT\GMT.exe
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 01 January 2005 - 11:39 PM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CMESys] "C:\Arquivos de programas\Arquivos comuns\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Arquivos de programas\Arquivos comuns\GMT\GMT.exe

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\P2P Networking\
C:\Arquivos de programas\Arquivos comuns\CMEII\
C:\Arquivos de programas\Arquivos comuns\GMT\

Reboot your computer to go back to normal mode and post a new log.

#9 rbirtel

rbirtel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 02 January 2005 - 07:19 PM

Grinler,

Here is it the new log. (the virus is already removed)

Logfile of HijackThis v1.99.0
Scan saved at 22:18:26, on 2/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 03 January 2005 - 02:17 PM

Lets restore files that were deleted by this infection:
  • This infection deletes the windows file, shell.dll.

    If you are using XP,2000, or NT please download shell.dll from here: shell-dll.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system32
    %windir%\system

    If you are using Windows 98 please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system

    If you are using Windows ME please download shell.dll from here: shell-dll98.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations (%windir% being the windows or winnt directory):

    %windir%\system

  • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

  • If you have Spybot S&D installed you will also need to replace one file. Go here: SDHelper.zip and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button

  • If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
Run an online antivirus scan at:

http://housecall.antivirus.com/

Reboot and post a last log

#11 rbirtel

rbirtel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 10 January 2005 - 08:55 PM

Grinler,

Sorry for delay, I was without access to my PC.

I did your last steps and here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 23:53:58, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 11 January 2005 - 12:04 AM

Go into your add/remove programs and remove the following program:

DeskAd Service

Then reboot and fix the following entry in hijackthis:

O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe


Reboot again and delete C:\Program Files\DeskAd Service\ and post a new log

#13 rbirtel

rbirtel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 11 January 2005 - 05:01 PM

Here is it Grinler:

Logfile of HijackThis v1.99.0
Scan saved at 20:01:29, on 11/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\CMEII\CMESys.exe
C:\Arquivos de programas\Arquivos comuns\GMT\GMT.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CMESys] "C:\Arquivos de programas\Arquivos comuns\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Arquivos de programas\Arquivos comuns\GMT\GMT.exe
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,617 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 11 January 2005 - 06:37 PM

Fix these lines in hijackthis:

O4 - HKLM\..\Run: [CMESys] "C:\Arquivos de programas\Arquivos comuns\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Arquivos de programas\Arquivos comuns\GMT\GMT.exe

Reboot and delete:

C:\Arquivos de programas\Arquivos comuns\CMEII\
C:\Arquivos de programas\Arquivos comuns\GMT\

Reboot and post a new log

#15 rbirtel

rbirtel
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:12:50 PM

Posted 11 January 2005 - 08:12 PM

Grinler, here is it:

Logfile of HijackThis v1.99.0
Scan saved at 23:11:59, on 11/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
c:\arquiv~1\mcafee.com\vso\mcvsescn.exe
C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe
C:\ARQUIV~1\Telemar\Velox\app\enternet.exe
c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\arquiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARQUIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARQUIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\ARQUIV~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARQUIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol.com.br/discadorUOL/lig...tiveInstall.cab
O23 - Service: McAfee.com McShield - Unknown - c:\ARQUIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\ARQUIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARQUIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service - Unknown - C:\ARQUIV~1\Telemar\Velox\app\pppoeservice.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users