I'm infected



nunosga
2007-10-26, 15:08
Hello, I've just run Kaspersky online and found I'm infected. Before, I only knew that I had a threat that Spybot could not remove (even on startup).
According to this forum's recommendations, here's my Kaspersky log:

Thanks for any help.

nuno gouveia, from Portugal

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 26, 2007 1:51:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/10/2007
Kaspersky Anti-Virus database records: 446557
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 74840
Number of viruses found: 5
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:14:59

Infected Object Name / Virus Name / Last Action
C:\fraudfix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\fraudfix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\fraudfix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7b8.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_628.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\rofs154.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs107.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\xlavra3.exe Infected: Trojan-Downloader.Win32.Wixud.b skipped
C:\WINDOWS\rofs194.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs168.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs105.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs123.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs103.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs120.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs179.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs124.exe Infected: Trojan.Win32.Agent.cht skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10152007-233012.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nuno\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\nuno\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Temp\~DF41B1.tmp Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Temp\~DF41BE.tmp Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Microsoft\Windows Defender\FileTracker\{2D28F7C8-F23B-4537-A894-2B1253DBF8AF} Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\PNED.dbx Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\nuno\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-1f584ec3.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-14fdec45-4ba76897.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\index2.dat Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\user16384.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chat8192.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\user1024.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\profile16384.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\call256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\callmember256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\transfer512.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chat512.dbb Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\master.mdf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\mastlog.ldf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\model.mdf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\modellog.ldf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\tempdb.mdf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\templog.ldf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\_restore{5EFCC9D3-93AA-4DE1-9772-4B828D10CDD1}\RP445\A0069306.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\!KillBox\vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
D:\System Volume Information\_restore{5EFCC9D3-93AA-4DE1-9772-4B828D10CDD1}\RP460\change.log Object is locked skipped
D:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
D:\System Volume Information\catalog.wci\00010001.ci Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
D:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped

Scan process completed.
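A triage helper for reports in the layout posted above, added here as an example and not code from the thread or from Kaspersky. It splits "Infected:" lines from "Object is locked" lines, sets aside restore-point copies and not-a-virus/not-virus hits, and collapses digits in file names so a run of generated names like rofs154.exe, rofs107.exe, ... shows up as one family. The sample lines are constructed from the report's format, and the grouping rules are the author's own assumptions, not Kaspersky's.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the layout of the Kaspersky Online Scanner 5.x report
# (object path, then "Infected: <name>" or "Object is locked", then the last action).
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\WINDOWS\\rofs154.exe Infected: Trojan.Win32.Agent.cht skipped
C:\\WINDOWS\\rofs107.exe Infected: Trojan.Win32.Agent.cht skipped
C:\\WINDOWS\\rofs194.exe Infected: Trojan.Win32.Agent.cht skipped
C:\\WINDOWS\\xlavra3.exe Infected: Trojan-Downloader.Win32.Wixud.b skipped
C:\\fraudfix\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\!KillBox\\vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\\System Volume Information\\_restore{GUID}\\RP445\\A0069306.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

def parse_report(text):
    """Split report lines into infected objects and locked (never scanned) objects."""
    infected, locked = [], []
    for line in text.splitlines():
        if m := INFECTED_RE.match(line):
            infected.append((m["path"], m["name"], m["action"]))
        elif m := LOCKED_RE.match(line):
            locked.append(m["path"])
    return infected, locked

def triage(text):
    """Group detections so active threats stand out from leftovers (assumed rules)."""
    infected, locked = parse_report(text)
    out = {"live": [], "riskware": [], "restore_point": [], "families": {}}
    stems = defaultdict(list)
    for path, name, _action in infected:
        p = PureWindowsPath(path)
        if "System Volume Information" in p.parts:
            out["restore_point"].append(path)   # old copy kept by System Restore
        elif name.startswith(("not-a-virus:", "not-virus:")):
            out["riskware"].append(path)        # tool or hoax file, not an active infection
        else:
            out["live"].append((path, name))
            # collapse digits in the file name so rofs154.exe and rofs107.exe share a key
            stem = re.sub(r"\d+", "#", p.name.lower())
            stems[str(p.parent).lower() + "\\" + stem].append(path)
    out["families"] = {k: v for k, v in stems.items() if len(v) >= 2}
    out["unscanned"] = len(locked)   # locked objects were skipped, so they remain unverified
    return out
```

Files that fall under "families" are the ones worth treating as a single dropper's output rather than as unrelated hits; the "unscanned" count reminds you that locked system hives and event logs were never inspected.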

nunosga
2007-10-26, 15:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09:24, on 26-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Skype\Phone\Skype.exe
C:\Programas\Logitech\MouseWare\system\em_exec.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Bricsys\Bricscad\bricscad.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.publico.clix.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3786 bytes

Mr_JAk3
2007-10-28, 14:21
Hello nunosga and welcome to the Forums :)

You're infected...

First, you need to disable a few real-time protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

tashi
2007-11-06, 22:01
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.