pinguim
2008-06-12, 13:20
Hi
S&D caught virtumonde but wasn't able to remove it. I tried combofix and got this:
ComboFix 08-06-10.5 - goncalosantos 2008-06-12 10:20:43.1 - NTFSx86
Running from: C:\Documents and Settings\goncalosantos.000\Ambiente de trabalho\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc\25945.exe
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc\id
C:\WINDOWS\BM431aa31d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbKTwyxx.ini
C:\WINDOWS\system32\bbKTwyxx.ini2
C:\WINDOWS\system32\BdKmWvut.ini
C:\WINDOWS\system32\BdKmWvut.ini2
C:\WINDOWS\system32\byqoqsne.dll
C:\WINDOWS\system32\cdKUvyay.ini
C:\WINDOWS\system32\cdKUvyay.ini2
C:\WINDOWS\system32\ddcApmlI.dll
C:\WINDOWS\system32\ervyiyal.dll
C:\WINDOWS\system32\hnjtyvbg.ini
C:\WINDOWS\system32\kbtwceiu.ini
C:\WINDOWS\system32\khgnixrm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mejxidld.dll
C:\WINDOWS\system32\mmvbkihr.ini
C:\WINDOWS\system32\mwwugfgb.ini
C:\WINDOWS\system32\nfxdrdjd.dll
C:\WINDOWS\system32\ojkcspco.dll
C:\WINDOWS\system32\opnkjGWp.dll
C:\WINDOWS\system32\osatytbs.ini
C:\WINDOWS\system32\pekbsljg.dll
C:\WINDOWS\system32\pWGjknpo.ini
C:\WINDOWS\system32\pWGjknpo.ini2
C:\WINDOWS\system32\qmxcgepf.dll
C:\WINDOWS\system32\raracixx.dll
C:\WINDOWS\system32\rhikbvmm.dll
C:\WINDOWS\system32\sbtytaso.dll
C:\WINDOWS\system32\sltjyqbc.dll
C:\WINDOWS\system32\srvwewoq.dll
C:\WINDOWS\system32\tywxihyh.dll
C:\WINDOWS\system32\wcrljkin.ini
C:\WINDOWS\system32\xcmtrjea.ini
C:\WINDOWS\system32\xxicarar.ini
C:\WINDOWS\system32\ypfbvmhk.dll
----- BITS: Possible infected sites -----
hxxp://ad1lx
.
((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 ))))))))))))))))))))))))))))))))
.
2008-06-11 15:07 . 2008-06-11 15:07 80,896 --a------ C:\WINDOWS\system32\gbvytjnh.dll
2008-06-11 10:35 . 2008-06-11 10:35 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-06 15:32 . 2008-06-06 15:32 <DIR> d-------- C:\Programas\Lavasoft
2008-06-06 15:32 . 2008-06-06 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-06 11:44 . 2008-06-06 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-05 15:09 . 2008-06-11 15:00 211 --a------ C:\WINDOWS\wininit.ini
2008-05-30 09:32 . 2008-05-30 09:32 <DIR> d-------- C:\Programas\Windows Live SkyDrive
2008-05-30 09:27 . 2008-05-30 10:11 <DIR> d-------- C:\temp\ACI Manual of Concrete Practice 2005
2008-05-20 11:52 . 2008-05-20 11:52 <DIR> d-------- C:\Programas\AnswerWorks 4.0
2008-05-20 11:26 . 2008-05-20 17:57 <DIR> d-------- C:\temp\DISK-1 (E)
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 15:41 . 2008-05-15 15:41 <DIR> d-------- C:\Programas\uTorrent
2008-05-15 15:41 . 2008-06-04 11:55 <DIR> d-------- C:\Documents and Settings\goncalosantos.000\Application Data\uTorrent
2008-05-14 11:02 . 2008-05-14 11:02 <DIR> d-------- C:\Programas\Bluetack
2008-05-13 14:45 . 2007-03-22 00:51 2,386,392 --a------ C:\Programas\adlmdll.dll
2008-05-13 14:45 . 2007-03-22 00:51 1,141,192 --a------ C:\Programas\lacadp.dll
.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 17:03 --------- d-----w C:\Programas\Autodesk
2008-05-20 10:56 --------- d-----w C:\Programas\AutoCAD 2007
2008-05-20 10:52 --------- d-----w C:\Programas\Ficheiros comuns\Autodesk Shared
2008-05-09 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-08 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-08 15:13 --------- d-----w C:\Programas\Messenger Plus! Live
2008-05-08 14:13 --------- d-----w C:\Programas\Computers and Structures
2008-05-08 13:11 --------- d-----w C:\Programas\DAEMON Tools Lite
2008-05-08 10:43 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-08 10:42 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\DAEMON Tools
2008-05-05 10:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 08:17 --------- d-----w C:\Programas\Google
2008-04-28 15:38 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-04-28 15:38 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\InstallShield
2008-04-24 09:01 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\Autodesk
2008-04-23 13:34 --------- d-----w C:\Programas\Microsoft Silverlight
.
(((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44D9A8A5-FDC0-4389-8D54-1A1270A0746A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B001D79-7021-4F8A-9C77-21650EBEBD8D}]
C:\WINDOWS\system32\yayvUKdc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C9EAC29-54AC-476F-B890-5885D61A657B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8053AF4F-F35D-4EC6-A411-039EFB515CD8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F825EC3A-CECA-4679-AF43-9B93D281701A}]
C:\WINDOWS\system32\tuvWmKdB.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.exe" [2008-04-28 12:00 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-21 13:00 15360]
"DefenicoesIE"="C:\Definir_Proxy.vbs" [2006-04-10 16:08 1952]
"SpybotSD TeaTimer"="C:\Programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
"McAfeeUpdaterUI"="C:\Programas\McAfee\Common Framework\UdaterUI.exe" [2008-02-15 12:08 136512]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 17:44 126976]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 17:48 155648]
"CPQEASYACC"="C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 16:01 32768]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 28672 C:\WINDOWS\system32\nwtray.exe]
"pdfFactory Pro Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2004-08-25 13:33 442368]
"combofix"="C:\WINDOWS\system32\CF24590.exe" [2004-09-21 13:00 400384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-21 13:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-09-21 13:00 400384 C:\WINDOWS\system32\cmd.exe]
C:\Documents and Settings\goncalosantos\Menu Iniciar\Programas\Arranque\
Iniciar o Microsoft Office Outlook.lnk - C:\Programas\Microsoft Office\OFFICE11\OUTLOOK.EXE [2006-01-20 16:35:58 196296]
TPUCapture.lnk - C:\Documents and Settings\goncalosantos.000\Ambiente de trabalho\My Downloads\TPUCapture\TPUCapture.exe [2007-11-09 16:50:07 327680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcApmlI]
ddcApmlI.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4216198538-2617963860-369079589-1277\Scripts\Logon\0\0]
"Script"=\\ad1lx\SYSVOL\sousapedro.local\scripts\Defenicoes IE\DefenicoesIE.vbs
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Inicialização rápida do HP Image Zone.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Inicialização rápida do HP Image Zone.lnk
backup=C:\WINDOWS\pss\Inicialização rápida do HP Image Zone.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 16:49 49152 C:\Programas\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM431aa31d"=Rundll32.exe "C:\WINDOWS\system32\sltjyqbc.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programas\\uTorrent\\uTorrent.exe"=
R2 Servidor de pastilhas de rede;Servidor de pastilhas de rede;C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe []
S2 SSIPDDP;SSIPDDP Parallel port device driver;C:\WINDOWS\system32\DRIVERS\SSIPDDP.SYS [2000-05-17 17:24]
S3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-04-01 12:18:56 C:\WINDOWS\Tasks\Inventario.job"
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 10:45:18
Windows 5.1.2600 Service Pack 2 NTFS
Scanning hidden processes ...
Scanning hidden autostart entries ...
Scanning hidden files ...
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\MSN Messenger\1387396580\sqmnoopt00.sqm 244 bytes
Scan completed successfully
Hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NWSHLXNT.dll
-> C:\WINDOWS\system32\NLS\PORTUGUE\NWSHLXNR.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\DNTUS26.EXE
C:\Programas\McAfee\Common Framework\FrameworkService.exe
C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Programas\McAfee\Common Framework\naPrdMgr.exe
C:\Programas\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
C:\Programas\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Programas\McAfee\Common Framework\Mctray.exe
C:\compaq\eakdrv\EAUSBKBD.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-06-12 10:56:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 09:56:16
Pre-Run: 13,465,808,896 bytes free
Post-Run: 13,823,107,072 bytes free
210 --- E O F --- 2008-02-21 10:11:01
Also HJT gives me the following:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29, on 2008-06-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\Programas\McAfee\Common Framework\FrameworkService.exe
C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Programas\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Programas\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Programas\McAfee\Common Framework\McTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Spybot - Search & Destroy\SpybotSD.exe
C:\Programas\WinRAR\WinRAR.exe
C:\DOCUME~1\GONCAL~1.000\DEFINI~1\Temp\Rar$EX00.734\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sousapedro.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.11:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B001D79-7021-4F8A-9C77-21650EBEBD8D} - C:\WINDOWS\system32\yayvUKdc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programas\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F825EC3A-CECA-4679-AF43-9B93D281701A} - C:\WINDOWS\system32\tuvWmKdB.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programas\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DefenicoesIE] C:\Definir_Proxy.vbs
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200395134429
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200395272534
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sousapedro.local
O17 - HKLM\Software\..\Telephony: DomainName = sousapedro.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sousapedro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sousapedro.local
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programas\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Servidor de pastilhas de rede - Unknown owner - C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe
--
End of file - 7929 bytes
Please help me, this trojan is hard to remove...
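Log triage for this kind of infection, as an added example that is not part of the original post and is not code from HijackThis or ComboFix: a Python script that runs the posted O2 lines and ComboFix registry sections through a few heuristics (unnamed or missing BHOs, random-looking eight-letter DLL names in system32, a Winlogon Notify package named the same way, rundll32 autoruns, Security Center notifications switched off, Windows Firewall disabled) and lists the DLL stems to cross-check against the deletion list. The function and regex names, the name heuristic and the sample input (lines copied from the log above) are this example's own assumptions, not anything either tool provides.

```python
"""Triage a HijackThis / ComboFix log for Vundo (Virtumonde) style indicators.

Added example for this thread; not code from the original post, from
HijackThis or from ComboFix. The rules are assumptions drawn from the posted
log, and every hit still needs an analyst's confirmation.
"""
import re
from collections.abc import Iterable

# Sample input copied from the log posted above; it stands in for a real log file.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B001D79-7021-4F8A-9C77-21650EBEBD8D} - C:\WINDOWS\system32\yayvUKdc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {F825EC3A-CECA-4679-AF43-9B93D281701A} - C:\WINDOWS\system32\tuvWmKdB.dll (file missing)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcApmlI]
ddcApmlI.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM431aa31d"=Rundll32.exe "C:\WINDOWS\system32\sltjyqbc.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# HJT "O2 - BHO: <name> - {CLSID} - <path> [(file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Last component of a ComboFix "[...\winlogon\notify\<package>]" key
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\]+)$", re.I)
# DLL handed to rundll32 in a Run / Run- value
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
# Security Center "...DisableNotify"=dword:1 values
DISABLE_RE = re.compile(r'^"(\w+DisableNotify)"=dword:0*1$')


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style names: exactly eight letters and either mixed
    case after the first letter (yayvUKdc, tuvWmKdB) or no vowel at all
    (sltjyqbc). Coarse on purpose: wintrust passes, but some legitimate
    mixed-case names would not, so treat a hit as a lead, not a verdict."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    inner = stem[1:]
    mixed = any(c.isupper() for c in inner) and any(c.islower() for c in inner)
    no_vowel = re.search(r"[aeiou]", stem, re.I) is None
    return mixed or no_vowel


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _stem(basename: str) -> str:
    return basename.rsplit(".", 1)[0]


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (category, object, reason) findings for one log."""
    findings: list[tuple[str, str, str]] = []
    section = ""  # current ComboFix registry key, without the brackets
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            base = _basename(m["path"])
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("unnamed BHO")
            if m["missing"]:
                reasons.append("file missing")
            if _in_system32(m["path"]) and looks_random(_stem(base)):
                reasons.append("random-looking DLL name")
            if reasons:
                findings.append(("bho", base, "; ".join(reasons)))
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            n = NOTIFY_RE.search(section)
            if n and looks_random(n[1]):
                findings.append(("winlogon_notify", n[1], "random-looking Winlogon Notify package"))
            continue
        key = section.lower()
        if key.endswith("\\run-") or key.endswith("\\run"):
            r = RUNDLL_RE.search(line)
            if r:
                base = _basename(r[1])
                reason = "rundll32 autorun"
                if looks_random(_stem(base)):
                    reason += "; random-looking DLL name"
                findings.append(("autorun", base, reason))
        elif key.endswith("security center"):
            d = DISABLE_RE.match(line)
            if d:
                findings.append(("security_center", d[1], "Security Center warning suppressed"))
        elif "firewallpolicy" in key and line.startswith('"EnableFirewall"') and line.endswith("(0x0)"):
            findings.append(("firewall", "EnableFirewall", "Windows Firewall disabled"))
    return findings


def suspect_dlls(findings: list[tuple[str, str, str]]) -> list[str]:
    """Sorted, case-folded DLL stems named by loader-side findings: the names
    to cross-check against the ComboFix deletion list and system32."""
    stems = {obj.lower().removesuffix(".dll") for cat, obj, _ in findings
             if cat in ("bho", "winlogon_notify", "autorun")}
    return sorted(stems)


def triage_sample() -> list[tuple[str, str, str]]:
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for cat, obj, reason in triage_sample():
        print(f"{cat:16} {obj:28} {reason}")
    print("cross-check:", ", ".join(suspect_dlls(triage_sample())))
```

The strong signal is the correlation, not any single rule: the same family of eight-letter names shows up as a BHO whose file is already gone, as a Winlogon Notify package (loaded into winlogon.exe, which is why on-demand scanners cannot delete it while Windows is running) and as a rundll32 autorun, alongside the Security Center and firewall tampering. A single random-looking name on its own should be checked by hand before anything is deleted.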
S&D caught virtumonde but wasn't able to remove it. I tried combofix and got this:
ComboFix 08-06-10.5 - goncalosantos 2008-06-12 10:20:43.1 - NTFSx86
Executando de: C:\Documents and Settings\goncalosantos.000\Ambiente de trabalho\ComboFix.exe
* Criado um novo ponto de restauro
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc\25945.exe
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc\id
C:\WINDOWS\BM431aa31d.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbKTwyxx.ini
C:\WINDOWS\system32\bbKTwyxx.ini2
C:\WINDOWS\system32\BdKmWvut.ini
C:\WINDOWS\system32\BdKmWvut.ini2
C:\WINDOWS\system32\byqoqsne.dll
C:\WINDOWS\system32\cdKUvyay.ini
C:\WINDOWS\system32\cdKUvyay.ini2
C:\WINDOWS\system32\ddcApmlI.dll
C:\WINDOWS\system32\ervyiyal.dll
C:\WINDOWS\system32\hnjtyvbg.ini
C:\WINDOWS\system32\kbtwceiu.ini
C:\WINDOWS\system32\khgnixrm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mejxidld.dll
C:\WINDOWS\system32\mmvbkihr.ini
C:\WINDOWS\system32\mwwugfgb.ini
C:\WINDOWS\system32\nfxdrdjd.dll
C:\WINDOWS\system32\ojkcspco.dll
C:\WINDOWS\system32\opnkjGWp.dll
C:\WINDOWS\system32\osatytbs.ini
C:\WINDOWS\system32\pekbsljg.dll
C:\WINDOWS\system32\pWGjknpo.ini
C:\WINDOWS\system32\pWGjknpo.ini2
C:\WINDOWS\system32\qmxcgepf.dll
C:\WINDOWS\system32\raracixx.dll
C:\WINDOWS\system32\rhikbvmm.dll
C:\WINDOWS\system32\sbtytaso.dll
C:\WINDOWS\system32\sltjyqbc.dll
C:\WINDOWS\system32\srvwewoq.dll
C:\WINDOWS\system32\tywxihyh.dll
C:\WINDOWS\system32\wcrljkin.ini
C:\WINDOWS\system32\xcmtrjea.ini
C:\WINDOWS\system32\xxicarar.ini
C:\WINDOWS\system32\ypfbvmhk.dll
----- BITS: Possible infected sites -----
hxxp://ad1lx
.
((((((((((((((((((((((( Ficheiros criados de 2008-05-12 to 2008-06-12 ))))))))))))))))))))))))))))))))
.
2008-06-11 15:07 . 2008-06-11 15:07 80,896 --a------ C:\WINDOWS\system32\gbvytjnh.dll
2008-06-11 10:35 . 2008-06-11 10:35 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-06 15:32 . 2008-06-06 15:32 <DIR> d-------- C:\Programas\Lavasoft
2008-06-06 15:32 . 2008-06-06 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-06 11:44 . 2008-06-06 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-05 15:09 . 2008-06-11 15:00 211 --a------ C:\WINDOWS\wininit.ini
2008-05-30 09:32 . 2008-05-30 09:32 <DIR> d-------- C:\Programas\Windows Live SkyDrive
2008-05-30 09:27 . 2008-05-30 10:11 <DIR> d-------- C:\temp\ACI Manual of Concrete Practice 2005
2008-05-20 11:52 . 2008-05-20 11:52 <DIR> d-------- C:\Programas\AnswerWorks 4.0
2008-05-20 11:26 . 2008-05-20 17:57 <DIR> d-------- C:\temp\DISK-1 (E)
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-15 15:41 . 2008-05-15 15:41 <DIR> d-------- C:\Programas\uTorrent
2008-05-15 15:41 . 2008-06-04 11:55 <DIR> d-------- C:\Documents and Settings\goncalosantos.000\Application Data\uTorrent
2008-05-14 11:02 . 2008-05-14 11:02 <DIR> d-------- C:\Programas\Bluetack
2008-05-13 14:45 . 2007-03-22 00:51 2,386,392 --a------ C:\Programas\adlmdll.dll
2008-05-13 14:45 . 2007-03-22 00:51 1,141,192 --a------ C:\Programas\lacadp.dll
.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-20 17:03 --------- d-----w C:\Programas\Autodesk
2008-05-20 10:56 --------- d-----w C:\Programas\AutoCAD 2007
2008-05-20 10:52 --------- d-----w C:\Programas\Ficheiros comuns\Autodesk Shared
2008-05-09 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-08 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-08 15:13 --------- d-----w C:\Programas\Messenger Plus! Live
2008-05-08 14:13 --------- d-----w C:\Programas\Computers and Structures
2008-05-08 13:11 --------- d-----w C:\Programas\DAEMON Tools Lite
2008-05-08 10:43 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-08 10:42 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\DAEMON Tools
2008-05-05 10:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-29 08:17 --------- d-----w C:\Programas\Google
2008-04-28 15:38 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-04-28 15:38 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\InstallShield
2008-04-24 09:01 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\Autodesk
2008-04-23 13:34 --------- d-----w C:\Programas\Microsoft Silverlight
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44D9A8A5-FDC0-4389-8D54-1A1270A0746A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B001D79-7021-4F8A-9C77-21650EBEBD8D}]
C:\WINDOWS\system32\yayvUKdc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C9EAC29-54AC-476F-B890-5885D61A657B}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8053AF4F-F35D-4EC6-A411-039EFB515CD8}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F825EC3A-CECA-4679-AF43-9B93D281701A}]
C:\WINDOWS\system32\tuvWmKdB.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.exe" [2008-04-28 12:00 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-21 13:00 15360]
"DefenicoesIE"="C:\Definir_Proxy.vbs" [2006-04-10 16:08 1952]
"SpybotSD TeaTimer"="C:\Programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
"McAfeeUpdaterUI"="C:\Programas\McAfee\Common Framework\UdaterUI.exe" [2008-02-15 12:08 136512]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 17:44 126976]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 17:48 155648]
"CPQEASYACC"="C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 16:01 32768]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 28672 C:\WINDOWS\system32\nwtray.exe]
"pdfFactory Pro Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2004-08-25 13:33 442368]
"combofix"="C:\WINDOWS\system32\CF24590.exe" [2004-09-21 13:00 400384]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-21 13:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="cmd.exe" [2004-09-21 13:00 400384 C:\WINDOWS\system32\cmd.exe]
C:\Documents and Settings\goncalosantos\Menu Iniciar\Programas\Arranque\
Iniciar o Microsoft Office Outlook.lnk - C:\Programas\Microsoft Office\OFFICE11\OUTLOOK.EXE [2006-01-20 16:35:58 196296]
TPUCapture.lnk - C:\Documents and Settings\goncalosantos.000\Ambiente de trabalho\My Downloads\TPUCapture\TPUCapture.exe [2007-11-09 16:50:07 327680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcApmlI]
ddcApmlI.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4216198538-2617963860-369079589-1277\Scripts\Logon\0\0]
"Script"=\\ad1lx\SYSVOL\sousapedro.local\scripts\Defenicoes IE\DefenicoesIE.vbs
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Inicialização rápida do HP Image Zone.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Inicialização rápida do HP Image Zone.lnk
backup=C:\WINDOWS\pss\Inicialização rápida do HP Image Zone.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 16:49 49152 C:\Programas\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM431aa31d"=Rundll32.exe "C:\WINDOWS\system32\sltjyqbc.dll",s
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programas\\uTorrent\\uTorrent.exe"=
R2 Servidor de pastilhas de rede;Servidor de pastilhas de rede;C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe []
S2 SSIPDDP;SSIPDDP Parallel port device driver;C:\WINDOWS\system32\DRIVERS\SSIPDDP.SYS [2000-05-17 17:24]
S3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []
.
Conte£do da pasta 'Tarefas Agendadas'
"2008-04-01 12:18:56 C:\WINDOWS\Tasks\Inventario.job"
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 10:45:18
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...
C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\MSN Messenger\1387396580\sqmnoopt00.sqm 244 bytes
Varredura completada com sucesso
Ficheiros ocultos: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NWSHLXNT.dll
-> C:\WINDOWS\system32\NLS\PORTUGUE\NWSHLXNR.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\DNTUS26.EXE
C:\Programas\McAfee\Common Framework\FrameworkService.exe
C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Programas\McAfee\Common Framework\naPrdMgr.exe
C:\Programas\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
C:\Programas\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Programas\McAfee\Common Framework\Mctray.exe
C:\compaq\eakdrv\EAUSBKBD.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-06-12 10:56:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-12 09:56:16
Pre-Run: 13,465,808,896 bytes livres
Post-Run: 13,823,107,072 bytes livres
210 --- E O F --- 2008-02-21 10:11:01
Also HJT gives me the following:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29, on 2008-06-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\Programas\McAfee\Common Framework\FrameworkService.exe
C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Programas\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Programas\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Programas\McAfee\Common Framework\McTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Spybot - Search & Destroy\SpybotSD.exe
C:\Programas\WinRAR\WinRAR.exe
C:\DOCUME~1\GONCAL~1.000\DEFINI~1\Temp\Rar$EX00.734\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sousapedro.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.11:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B001D79-7021-4F8A-9C77-21650EBEBD8D} - C:\WINDOWS\system32\yayvUKdc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programas\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F825EC3A-CECA-4679-AF43-9B93D281701A} - C:\WINDOWS\system32\tuvWmKdB.dll (file missing)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programas\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DefenicoesIE] C:\Definir_Proxy.vbs
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200395134429
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200395272534
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sousapedro.local
O17 - HKLM\Software\..\Telephony: DomainName = sousapedro.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sousapedro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sousapedro.local
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programas\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Servidor de pastilhas de rede - Unknown owner - C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe
--
End of file - 7929 bytes
Please help me, this trojan is hard to remove...