Virtumonde and Smitfraud-C.



Wardo
2007-10-25, 17:15
Hello, some time ago my IE 6.0 started being redirected to advertisement websites. I remember running Spybot, Avast and I think Ad-Aware back then. It solved the problem for a while, but then it returned and got increasingly worse until I could no longer use IE at all and had to install Firefox. However, besides redirecting, apparently a bunch of trash started being downloaded, eventually rendering the PC unusable and forcing me to exclude a bunch of system files in Avast, which in turn forced me to repair my installation of Windows XP. After repairing, I booted in safe mode and ran Spybot. It found:

Smitfraud-C.
Win32.Agent.bid
Xorpix.a
Virtumonde

I rebooted a few times in safe mode and ran Spybot and VundoFix each time. Smitfraud-C. and Virtumonde persisted, Virtumonde more than Smitfraud, while the other two seem to have disappeared since the first Spybot scan. I have now booted normally and run Spybot twice, finding Virtumonde both times despite Spybot attempting to remove it (no sign of Smitfraud). ESET Online Scanner found and removed 45 threats, mostly TryMedia installers (are they adware?) and trainers, among really menacing stuff like:

Win32/Nuwar worm (csrss.exe in a temp folder)
Win32/SpamTool.Agent.NAJ trojan (a temp file in c:\)
Two unknown NewHeur_PE viruses (temp files in the Documents and Settings temp folder)
Win32/Hoax.Renos application (doc and settings\me\app data\microsoft\IE\Desktop.htt)
a variant of Win32/Nulprot trojan (deskcfg.tmp in c:\windows)
Win32/Nuwar.Gen worm (spooldr.exe in c:\Windows)
Win32/PSW.LdPinch.NEL trojan (msdnc0.exe in c:\windows\system32)
a variant of Win32/TrojanDownloader.Nurech.NBG (msdnc1.exe in windows\system32)
Win32/Nuwar.AO worm (spooldr.sys)
Win32/Agent.QT trojan (winrvc32.dll in windows\system32)
Win32/SpamTool.Agent.NAJ (protect.sys in windows\system32\drivers)
a variant of Win32/Nulprot trojan (hdF.tmp in windows\temp)

Now for the required logs. Kaspersky's log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 25, 2007 3:02:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/10/2007
Kaspersky Anti-Virus database records: 446163
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 117348
Number of viruses found: 20
Number of infected objects: 77
Number of suspicious objects: 0
Duration of the scan process: 00:46:31

Infected Object Name / Virus Name / Last Action
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SearchCentrix.zip/spoolsvv.exe Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SearchCentrix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/v6xdt4.game Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/v5xd2.g3ame Infected: Trojan-Downloader.Win32.Agent.coq skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip/vedxga3me2.exe Infected: Trojan-Downloader.Win32.Agent.coq skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/v4xd3.ga2me Infected: Trojan-Downloader.Win32.Small.fox skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip/vedxga4me1.exe Infected: Trojan-Proxy.Win32.Xorpix.bo skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC12.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC13.zip/v3xd1.g22me Infected: Trojan-Proxy.Win32.Xorpix.bo skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC13.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip/v5xd4.ga2me Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC14.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip/dllh8jkd1q7.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC16.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip/dllh8jkd1q6.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC17.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip/dllh8jkd1q5.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC19.zip/dllh8jkd1q2.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC19.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/v4xd6.gam5e Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip/dllh8jkd1q1.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC20.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip/kernelwind32.exe Infected: Email-Worm.Win32.Zhelatin.in skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC21.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip/vedxg6ame4.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC24.zip/desktop.html Infected: not-virus:Hoax.Win32.Renos.cy skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC24.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/7.dllb Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/6.dllb Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/5.dllb Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip/1.dllb Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip/ma1x1dd1v.game Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.i skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip/vedxg4am1et2.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip/vedxga4m1et4.exe Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SpySheriff.zip/vx3dt2.game Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SpySheriff.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SpySheriff1.zip/vx1dt3.game Infected: Email-Worm.Win32.Zhelatin.id skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SpySheriff1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SpySheriff2.zip/vx1dt1.game Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SpySheriff2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/home.exe.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\Virtumonde3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinAgentbid3.zip/DefLib.sys Infected: Trojan.Win32.Agent.asu skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinAgentbid3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinAgentbid6.zip/winlogon.exe Infected: Trojan-Proxy.Win32.Small.fz skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinAgentbid6.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu27.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinSmallls.zip/svshost.dll Infected: Backdoor.Win32.Small.ta skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\WinSmallls.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\Xorpixa.zip/bot.dll~ Infected: Trojan-Proxy.Win32.Xorpix.bk skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\Xorpixa.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\Xorpixa2.zip/bot.dll Infected: Trojan-Proxy.Win32.Xorpix.bk skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\Xorpixa2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Arede\Configurações locais\Dados de aplicativos\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Arede\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Arede\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Arede\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Arede\Configurações locais\Histórico\History.IE5\MSHist012007102520071026\index.dat Object is locked skipped
C:\Documents and Settings\Arede\Configurações locais\Temp\1806.tmp Infected: Trojan.Win32.Inject.er skipped
C:\Documents and Settings\Arede\Configurações locais\Temp\2.dllb Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\Arede\Configurações locais\Temporary Internet Files\Content.IE5\EFYHI12L\microsoft_forefront_piratas_468x300[1].swf Object is locked skipped
C:\Documents and Settings\Arede\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Arede\Configurações locais\Temporary Internet Files\Content.IE5\YDWJ234N\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Arede\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Arede\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Arede\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temp\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\fwdrv.sys Infected: SpamTool.Win32.Agent.bd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1640B4F5-E673-48CC-B15F-51E9D834993E}\RP0\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\87354753411123211122534452667798.data Object is locked skipped
C:\WINDOWS\system32\87354753411123211122534452667798.log Object is locked skipped
C:\WINDOWS\system32\Bcxnstb.dll Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ccccbeaffddfca.dll Object is locked skipped
C:\WINDOWS\system32\config\47781774.Evt Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dfcabcdf.dll Object is locked skipped
C:\WINDOWS\system32\dfcdbaffbcadba.dll Object is locked skipped
C:\WINDOWS\system32\gln.dll Infected: Trojan.Win32.BHO.dm skipped
C:\WINDOWS\system32\gln.exe Infected: Trojan-Downloader.Win32.Delf.byk skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_598.dat Object is locked skipped
C:\WINDOWS\Temp\win1026.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\Temp\win119F.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\Temp\win1820.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000003-00000000-00000003-00001102-00000004-00511102}.CDF Object is locked skipped

Scan process completed.

HijackThis (exe renamed to helpme.exe) log in the following post.
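
A triage pass over the Kaspersky report above, added here as an example; it is not part of the original post and not a Kaspersky tool. The report counts every detection inside the Spybot - Search & Destroy\Recovery\*.zip backups as an infected object, so the headline figure of 77 overstates what is still live on the disk. The script separates locked (unscanned) objects, detections inside Spybot's recovery archives, and live files, and groups the live ones by detection name. The sample input is a subset of lines copied from the report; the line-format regex and the recovery-path rule are my assumptions about the report layout and hold for the lines shown.

```python
import re
from collections import Counter

# A subset of result lines copied from the Kaspersky report above; the full
# report lists 77 infected objects, most of them inside Spybot's recovery zips.
SAMPLE_REPORT = r"""
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/v6xdt4.game Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\Virtumonde3.zip/home.exe.exe Infected: Packed.Win32.Tibs.bs skipped
C:\Documents and Settings\Arede\Configurações locais\Temp\1806.tmp Infected: Trojan.Win32.Inject.er skipped
C:\Documents and Settings\Arede\Configurações locais\Temporary Internet Files\Content.IE5\YDWJ234N\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\fwdrv.sys Infected: SpamTool.Win32.Agent.bd skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\gln.dll Infected: Trojan.Win32.BHO.dm skipped
C:\WINDOWS\system32\gln.exe Infected: Trojan-Downloader.Win32.Delf.byk skipped
C:\WINDOWS\Temp\win1026.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
"""

# One result line is "<path> Infected: <name> skipped", "<path> Object is locked
# skipped" or "<path> ZIP: infected - N skipped" (layout assumed from the report
# above). Paths contain spaces, so the path group is matched lazily.
LINE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>.+?)|(?P<locked>Object is locked)|ZIP: infected - \d+)"
    r" skipped$"
)
# Spybot - S&D keeps a zipped backup of everything it removed; Kaspersky scans
# inside those archives and reports each member as an infected object.
RECOVERY = re.compile(r"\\Spybot - Search & Destroy\\Recovery\\", re.IGNORECASE)


def parse(report):
    """Return (path, detection, status) per result line, status being 'live',
    'quarantined' or 'locked'. Archive summary lines ('ZIP: infected - N') are
    dropped because the member line already carries the detection."""
    rows = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        if m.group("locked"):
            rows.append((m.group("path"), None, "locked"))
        elif m.group("name"):
            status = "quarantined" if RECOVERY.search(m.group("path")) else "live"
            rows.append((m.group("path"), m.group("name"), status))
    return rows


def summarize(rows):
    """Counts per status, the live action list, and live hits per detection."""
    counts = Counter(status for _, _, status in rows)
    live = [(path, name) for path, name, status in rows if status == "live"]
    return {
        "counts": dict(counts),
        "live": live,
        "live_families": Counter(name for _, name in live),
    }


if __name__ == "__main__":
    s = summarize(parse(SAMPLE_REPORT))
    print(s["counts"])
    for path, name in s["live"]:
        print(f"{name:<40} {path}")
```

On the full report the live list shrinks to the files a helper actually has to act on: C:\fwdrv.sys, gln.dll and gln.exe in system32, the temp-folder droppers and the download in the IE cache. The recovery-archive hits are Spybot's own backups of items it already removed and belong to Spybot's Recovery list, not to the live infection.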

Wardo
2007-10-25, 17:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:27, on 25/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Trend Micro\HijackThis\helpme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Arquivos de programas\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: GLN - {B4E7CAAB-6535-4243-99BD-F12350B584A2} - C:\WINDOWS\system32\gln.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Arquivos de programas\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Arquivos de programas\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WebCam Go Plus Sti Service Application] Wcgopsvc
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Arquivos de programas\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Baixar com NetXfer - C:\Arquivos de programas\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Baixar todos com NetXfer - C:\Arquivos de programas\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193265855625
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: Bcxnstb - C:\WINDOWS\SYSTEM32\bcxnstb.dll
O20 - Winlogon Notify: ccccbeaffddfca - C:\WINDOWS\system32\ccccbeaffddfca.dll
O20 - Winlogon Notify: dfcabcdf - C:\WINDOWS\system32\dfcabcdf.dll
O20 - Winlogon Notify: dfcdbaffbcadba - C:\WINDOWS\system32\dfcdbaffbcadba.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll (file missing)
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - (no file)
O22 - SharedTaskScheduler: (no name) - {AF0BE91A-D92D-44F5-9581-64F629762E5A} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Arquivos de programas\Intel\Intel(R) Active Monitor\imonnt.exe

--
End of file - 7671 bytes
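
A small rule set run over the HijackThis log above, added here as an example; it is not part of the original post and not part of HijackThis. The signals it looks for are the ones visible in this log: O20 Winlogon Notify packages with machine-generated DLL names (the Virtumonde/Vundo pattern, e.g. ccccbeaffddfca.dll), registry entries whose file is already gone, a BHO loaded straight from system32 under a random-looking name (gln.dll), and a service whose binary path is an NTFS alternate data stream (svchost.exe:exe.exe). The sample log is a subset of lines copied from the post; the name-randomness heuristic and the parsing regexes are my assumptions and are meant to rank entries for review, not to deliver a verdict.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log above, plus the Adobe BHO and the
# avast! service kept as benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: GLN - {B4E7CAAB-6535-4243-99BD-F12350B584A2} - C:\WINDOWS\system32\gln.dll
O20 - Winlogon Notify: Bcxnstb - C:\WINDOWS\SYSTEM32\bcxnstb.dll
O20 - Winlogon Notify: ccccbeaffddfca - C:\WINDOWS\system32\ccccbeaffddfca.dll
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\clk.dll (file missing)
O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
O21 - SSODL: SysRun - {D7FFD784-5276-42D1-887B-00267870A4C7} - (no file)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
"""

MISSING = re.compile(r"\((?:file missing|no file)\)\s*$")
VOWELS = set("aeiouy")


@dataclass
class Finding:
    section: str
    item: str
    path: str
    reason: str


def _is_missing(path):
    return bool(MISSING.search(path))


def _last_component(path):
    return MISSING.sub("", path).strip().split("\\")[-1]


def _stem(path):
    """File name without directory, extension or the '(file missing)' marker."""
    return _last_component(path).rsplit(".", 1)[0]


def looks_random(stem):
    """Heuristic (an assumption, not a signature) for the generated names Vundo
    drops: almost no vowels, or 8+ letters drawn only from the hex letters a-f
    (ccccbeaffddfca, dfcdbaffbcadba). It misfires on short system names such
    as svchost, so it is only applied where such names do not belong."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if not letters:
        return False
    if len(letters) >= 8 and set(letters) <= set("abcdef"):
        return True
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def has_ads_path(path):
    """A colon inside the final path component (svchost.exe:exe.exe) names an
    NTFS alternate data stream; no legitimate service binary lives in one."""
    return ":" in _last_component(path)


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O20":
            # HijackThis v2 already hides the stock Windows notify packages,
            # so every O20 line deserves a look; rank them by signal strength.
            mm = re.match(r"Winlogon Notify: (.+?) - (.+)$", rest)
            if not mm:
                continue
            item, path = mm.groups()
            if _is_missing(path):
                reason = "orphaned Winlogon Notify entry, DLL already removed"
            elif looks_random(_stem(path)):
                reason = "random-looking Winlogon Notify DLL (Virtumonde/Vundo pattern)"
            else:
                reason = "non-default Winlogon Notify package, verify publisher"
            findings.append(Finding(section, item, path, reason))
        elif section == "O23":
            mm = re.match(r"Service: (.+?) - (.+?) - (.+)$", rest)
            if not mm:
                continue
            item, owner, path = mm.groups()
            if has_ads_path(path):
                findings.append(Finding(section, item, path, "service binary is an NTFS alternate data stream"))
            elif owner == "Unknown owner" and _is_missing(path):
                findings.append(Finding(section, item, path, "orphaned service with unknown owner"))
        elif section in ("O2", "O21", "O22"):
            mm = re.match(r"\w+: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$", rest)
            if not mm:
                continue
            item, _clsid, path = mm.groups()
            if _is_missing(path):
                findings.append(Finding(section, item, path, "CLSID registered but file gone, clean up"))
            elif "\\system32\\" in path.lower() and looks_random(_stem(path)):
                findings.append(Finding(section, item, path, "BHO loaded from system32 under a random-looking name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item:<16} {f.reason}\n     {f.path}")
```

The four O20 entries and the ICF service are the ones a helper would fix first: a Winlogon Notify DLL runs inside winlogon.exe at every logon, which is what keeps Virtumonde coming back after Spybot removes the copy it found, and an alternate-data-stream service path is never something an installer writes.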

Mr_JAk3
2007-10-28, 15:11
Hello and welcome to the Forums :)

You're infected.

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

First, you need to disable a few real-time protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

Remove any existing versions of ComboFix (if you've used the tool before)

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

tashi
2007-11-06, 23:02
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.