
Thread: Virtumonde infection

  1. #1
    Junior Member (Join Date: Jun 2008, Posts: 2)

    Virtumonde infection

    Hi

    Spybot S&D caught Virtumonde but wasn't able to remove it. I tried ComboFix and got this:

    ComboFix 08-06-10.5 - goncalosantos 2008-06-12 10:20:43.1 - NTFSx86
    Executando de: C:\Documents and Settings\goncalosantos.000\Ambiente de trabalho\ComboFix.exe
    * Criado um novo ponto de restauro
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc
    C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc\25945.exe
    C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\dtsc\id
    C:\WINDOWS\BM431aa31d.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\bbKTwyxx.ini
    C:\WINDOWS\system32\bbKTwyxx.ini2
    C:\WINDOWS\system32\BdKmWvut.ini
    C:\WINDOWS\system32\BdKmWvut.ini2
    C:\WINDOWS\system32\byqoqsne.dll
    C:\WINDOWS\system32\cdKUvyay.ini
    C:\WINDOWS\system32\cdKUvyay.ini2
    C:\WINDOWS\system32\ddcApmlI.dll
    C:\WINDOWS\system32\ervyiyal.dll
    C:\WINDOWS\system32\hnjtyvbg.ini
    C:\WINDOWS\system32\kbtwceiu.ini
    C:\WINDOWS\system32\khgnixrm.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mejxidld.dll
    C:\WINDOWS\system32\mmvbkihr.ini
    C:\WINDOWS\system32\mwwugfgb.ini
    C:\WINDOWS\system32\nfxdrdjd.dll
    C:\WINDOWS\system32\ojkcspco.dll
    C:\WINDOWS\system32\opnkjGWp.dll
    C:\WINDOWS\system32\osatytbs.ini
    C:\WINDOWS\system32\pekbsljg.dll
    C:\WINDOWS\system32\pWGjknpo.ini
    C:\WINDOWS\system32\pWGjknpo.ini2
    C:\WINDOWS\system32\qmxcgepf.dll
    C:\WINDOWS\system32\raracixx.dll
    C:\WINDOWS\system32\rhikbvmm.dll
    C:\WINDOWS\system32\sbtytaso.dll
    C:\WINDOWS\system32\sltjyqbc.dll
    C:\WINDOWS\system32\srvwewoq.dll
    C:\WINDOWS\system32\tywxihyh.dll
    C:\WINDOWS\system32\wcrljkin.ini
    C:\WINDOWS\system32\xcmtrjea.ini
    C:\WINDOWS\system32\xxicarar.ini
    C:\WINDOWS\system32\ypfbvmhk.dll

    ----- BITS: Possible infected sites -----

    hxxp://ad1lx
    .
    ((((((((((((((((((((((( Ficheiros criados de 2008-05-12 to 2008-06-12 ))))))))))))))))))))))))))))))))
    .

    2008-06-11 15:07 . 2008-06-11 15:07 80,896 --a------ C:\WINDOWS\system32\gbvytjnh.dll
    2008-06-11 10:35 . 2008-06-11 10:35 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
    2008-06-06 15:32 . 2008-06-06 15:32 <DIR> d-------- C:\Programas\Lavasoft
    2008-06-06 15:32 . 2008-06-06 15:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-06 11:44 . 2008-06-06 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-06-05 15:09 . 2008-06-11 15:00 211 --a------ C:\WINDOWS\wininit.ini
    2008-05-30 09:32 . 2008-05-30 09:32 <DIR> d-------- C:\Programas\Windows Live SkyDrive
    2008-05-30 09:27 . 2008-05-30 10:11 <DIR> d-------- C:\temp\ACI Manual of Concrete Practice 2005
    2008-05-20 11:52 . 2008-05-20 11:52 <DIR> d-------- C:\Programas\AnswerWorks 4.0
    2008-05-20 11:26 . 2008-05-20 17:57 <DIR> d-------- C:\temp\DISK-1 (E)
    2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
    2008-05-15 15:41 . 2008-05-15 15:41 <DIR> d-------- C:\Programas\uTorrent
    2008-05-15 15:41 . 2008-06-04 11:55 <DIR> d-------- C:\Documents and Settings\goncalosantos.000\Application Data\uTorrent
    2008-05-14 11:02 . 2008-05-14 11:02 <DIR> d-------- C:\Programas\Bluetack
    2008-05-13 14:45 . 2007-03-22 00:51 2,386,392 --a------ C:\Programas\adlmdll.dll
    2008-05-13 14:45 . 2007-03-22 00:51 1,141,192 --a------ C:\Programas\lacadp.dll

    .
    ((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-06 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-20 17:03 --------- d-----w C:\Programas\Autodesk
    2008-05-20 10:56 --------- d-----w C:\Programas\AutoCAD 2007
    2008-05-20 10:52 --------- d-----w C:\Programas\Ficheiros comuns\Autodesk Shared
    2008-05-09 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
    2008-05-08 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
    2008-05-08 15:13 --------- d-----w C:\Programas\Messenger Plus! Live
    2008-05-08 14:13 --------- d-----w C:\Programas\Computers and Structures
    2008-05-08 13:11 --------- d-----w C:\Programas\DAEMON Tools Lite
    2008-05-08 10:43 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
    2008-05-08 10:42 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\DAEMON Tools
    2008-05-05 10:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-04-29 08:17 --------- d-----w C:\Programas\Google
    2008-04-28 15:38 --------- d--h--w C:\Programas\InstallShield Installation Information
    2008-04-28 15:38 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\InstallShield
    2008-04-24 09:01 --------- d-----w C:\Documents and Settings\goncalosantos.000\Application Data\Autodesk
    2008-04-23 13:34 --------- d-----w C:\Programas\Microsoft Silverlight
    .

    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Nota* entradas vazias & legítimas por defeito não são mostradas.

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44D9A8A5-FDC0-4389-8D54-1A1270A0746A}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B001D79-7021-4F8A-9C77-21650EBEBD8D}]
    C:\WINDOWS\system32\yayvUKdc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C9EAC29-54AC-476F-B890-5885D61A657B}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8053AF4F-F35D-4EC6-A411-039EFB515CD8}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F825EC3A-CECA-4679-AF43-9B93D281701A}]
    C:\WINDOWS\system32\tuvWmKdB.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.exe" [2008-04-28 12:00 5724184]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-21 13:00 15360]
    "DefenicoesIE"="C:\Definir_Proxy.vbs" [2006-04-10 16:08 1952]
    "SpybotSD TeaTimer"="C:\Programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShStatEXE"="C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-10-16 21:50 111952]
    "McAfeeUpdaterUI"="C:\Programas\McAfee\Common Framework\UdaterUI.exe" [2008-02-15 12:08 136512]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 17:44 126976]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 17:48 155648]
    "CPQEASYACC"="C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe" [2001-12-14 16:01 32768]
    "SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
    "NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 28672 C:\WINDOWS\system32\nwtray.exe]
    "pdfFactory Pro Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2004-08-25 13:33 442368]
    "combofix"="C:\WINDOWS\system32\CF24590.exe" [2004-09-21 13:00 400384]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-21 13:00 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TSClientMSIUninstaller"="cmd.exe" [2004-09-21 13:00 400384 C:\WINDOWS\system32\cmd.exe]

    C:\Documents and Settings\goncalosantos\Menu Iniciar\Programas\Arranque\
    Iniciar o Microsoft Office Outlook.lnk - C:\Programas\Microsoft Office\OFFICE11\OUTLOOK.EXE [2006-01-20 16:35:58 196296]
    TPUCapture.lnk - C:\Documents and Settings\goncalosantos.000\Ambiente de trabalho\My Downloads\TPUCapture\TPUCapture.exe [2007-11-09 16:50:07 327680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "CompatibleRUPSecurity"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcApmlI]
    ddcApmlI.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4216198538-2617963860-369079589-1277\Scripts\Logon\0\0]
    "Script"=\\ad1lx\SYSVOL\sousapedro.local\scripts\Defenicoes IE\DefenicoesIE.vbs

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^AutoCAD Startup Accelerator.lnk]
    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\AutoCAD Startup Accelerator.lnk
    backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Inicialização rápida do HP Image Zone.lnk]
    path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Inicialização rápida do HP Image Zone.lnk
    backup=C:\WINDOWS\pss\Inicialização rápida do HP Image Zone.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 23:16 39792 C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2004-09-13 16:49 49152 C:\Programas\HP\HP Software Update\HPWuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "BM431aa31d"=Rundll32.exe "C:\WINDOWS\system32\sltjyqbc.dll",s

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Programas\\McAfee\\Common Framework\\FrameworkService.exe"=
    "C:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Programas\\uTorrent\\uTorrent.exe"=

    R2 Servidor de pastilhas de rede;Servidor de pastilhas de rede;C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe []
    S2 SSIPDDP;SSIPDDP Parallel port device driver;C:\WINDOWS\system32\DRIVERS\SSIPDDP.SYS [2000-05-17 17:24]
    S3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys []

    .
    Conteúdo da pasta 'Tarefas Agendadas'
    "2008-04-01 12:18:56 C:\WINDOWS\Tasks\Inventario.job"
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-12 10:45:18
    Windows 5.1.2600 Service Pack 2 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializáveis ocultas ...

    Procurando ficheiros ocultos ...


    C:\Documents and Settings\goncalosantos.000\Application Data\Microsoft\MSN Messenger\1387396580\sqmnoopt00.sqm 244 bytes

    Varredura completada com sucesso
    Ficheiros ocultos: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NWSHLXNT.dll
    -> C:\WINDOWS\system32\NLS\PORTUGUE\NWSHLXNR.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\DNTUS26.EXE
    C:\Programas\McAfee\Common Framework\FrameworkService.exe
    C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Programas\McAfee\Common Framework\naPrdMgr.exe
    C:\Programas\COMPAQ\Easy Access Button Support\CpqEAKSystemTray.exe
    C:\Programas\COMPAQ\Easy Access Button Support\CPQEADM.exe
    C:\Programas\McAfee\Common Framework\Mctray.exe
    C:\compaq\eakdrv\EAUSBKBD.exe
    C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
    C:\WINDOWS\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Tempo para conclusão: 2008-06-12 10:56:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-12 09:56:16

    Pre-Run: 13,465,808,896 bytes livres
    Post-Run: 13,823,107,072 bytes livres

    210 --- E O F --- 2008-02-21 10:11:01




    Also HJT gives me the following:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:29, on 2008-06-12
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\Programas\McAfee\Common Framework\FrameworkService.exe
    C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Programas\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
    C:\Programas\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\WINDOWS\system32\NWTRAY.EXE
    C:\Programas\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Programas\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\Programas\Mozilla Firefox\firefox.exe
    C:\Programas\Spybot - Search & Destroy\SpybotSD.exe
    C:\Programas\WinRAR\WinRAR.exe
    C:\DOCUME~1\GONCAL~1.000\DEFINI~1\Temp\Rar$EX00.734\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sousapedro.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.11:3128
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5B001D79-7021-4F8A-9C77-21650EBEBD8D} - C:\WINDOWS\system32\yayvUKdc.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programas\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {F825EC3A-CECA-4679-AF43-9B93D281701A} - C:\WINDOWS\system32\tuvWmKdB.dll (file missing)
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Programas\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programas\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [CPQEASYACC] "C:\Programas\COMPAQ\Easy Access Button Support\StartEAK.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DefenicoesIE] C:\Definir_Proxy.vbs
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200395134429
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1200395272534
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sousapedro.local
    O17 - HKLM\Software\..\Telephony: DomainName = sousapedro.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sousapedro.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sousapedro.local
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programas\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programas\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Servidor de pastilhas de rede - Unknown owner - C:\CYPE Ingenieros\Versão 2008.1\servipas\servcpas.exe

    --
    End of file - 7929 bytes



    Please help me, this trojan is hard to remove...
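The ComboFix and HijackThis logs in this post carry several indicators that a removal helper would pick out by hand: BHOs registered with no name whose DLL is already gone, a Winlogon Notify package, a disabled Run entry that still points at a DLL through rundll32, Security Center notifications switched off and the firewall disabled. The script below is an added example, not part of this thread and not code from ComboFix or HijackThis; it runs a small set of triage rules (my own heuristics, not any tool's official logic) over sample lines copied from the logs above, so a reader can see which entries would be flagged and why. It assumes the standard HijackThis `Onn - ...` line format and ComboFix's REGEDIT4-style key/value dump.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the log posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B001D79-7021-4F8A-9C77-21650EBEBD8D} - C:\WINDOWS\system32\yayvUKdc.dll (file missing)
O2 - BHO: (no name) - {F825EC3A-CECA-4679-AF43-9B93D281701A} - C:\WINDOWS\system32\tuvWmKdB.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [DefenicoesIE] C:\Definir_Proxy.vbs
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programas\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Constructed sample: registry load-point entries copied from the ComboFix log above.
SAMPLE_COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcApmlI]
ddcApmlI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM431aa31d"=Rundll32.exe "C:\WINDOWS\system32\sltjyqbc.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    line: str
    reason: str


HJT_ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")          # "O2 - BHO: ..." / "R1 - HKLM..."
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?(\w+)')  # "Name"=dword:00000001 or "Name"= 0 (0x0)
SCRIPT_EXT = re.compile(r"\.(vbs|js|bat|cmd)\b", re.IGNORECASE)


def triage_hjt(log_text: str) -> list:
    """Apply helper-style rules to HijackThis entries; one Finding per rule hit (a line may hit several)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if "(file missing)" in body:
            findings.append(Finding(line, "load point references a file that no longer exists (orphaned remnant)"))
        if kind == "O2" and "(no name)" in body:
            findings.append(Finding(line, "Browser Helper Object registered without a name"))
        if kind == "O4" and SCRIPT_EXT.search(body):
            findings.append(Finding(line, "Run entry launches a script; confirm it is an expected logon/proxy script"))
    return findings


def _as_int(value: str):
    """Parse a REGEDIT4 value; base 16 covers both dword:00000001 and plain 0/1."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def triage_combofix_registry(reg_text: str) -> list:
    """Walk ComboFix's REGEDIT4-style dump, tracking the current key, and flag weak or suspicious values."""
    findings = []
    key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if "\\winlogon\\notify\\" in key:
                findings.append(Finding(line, "Winlogon Notify package: DLL is loaded into winlogon.exe at every logon"))
            continue
        m = REG_VALUE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        num = _as_int(value)
        if "security center" in key and name.endswith("DisableNotify") and num == 1:
            findings.append(Finding(line, "Security Center warnings suppressed: user would not see AV/update alerts"))
        if "firewallpolicy" in key and name == "EnableFirewall" and num == 0:
            findings.append(Finding(line, "Windows Firewall disabled for this profile"))
        if key.endswith("\\run-") and "rundll32" in line.lower():
            findings.append(Finding(line, "disabled Run entry still references a DLL via rundll32 (remnant)"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG) + triage_combofix_registry(SAMPLE_COMBOFIX_REG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample input, the HJT rules flag both orphaned BHOs twice (unnamed and file missing) and the `.vbs` Run entry once, and the registry rules flag the Winlogon Notify key, the two suppressed Security Center notifications, the disabled firewall profile and the leftover `run-` entry. The `.vbs` hit is deliberately phrased as "confirm", since a domain logon script that sets the proxy is exactly what a corporate machine would legitimately carry.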

  2. #2
    Blade81, Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,296)

    Hi

    I think you missed "Do NOT run 'FIXES' before helpers have analyzed HJT log" (you ran ComboFix, though it shouldn't be used without supervision).

    Did you read the "BEFORE you POST (READ this Procedure BEFORE Requesting Assistance)" sticky, and especially its post #5? Is this a personal computer?
    Microsoft Windows Insider MVP 2016-2019
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member (Join Date: Jun 2008, Posts: 2)

    Yeah, you're right, I missed those posts; I was in a hurry since it was my work computer...

    Anyway, ComboFix and another program I saw recommended in this forum did the job, apparently. At least there are no signs of infection in Spybot or any other program I have tried, so that's a good thing, right?

    I did notice some changes in configuration, like file viewing definitions, but nothing serious, and the PC looks faster than ever.

  4. #4
    Blade81, Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,296)

    Hi

    Since this is your work computer, you should have asked permission for cleaning.

    Note:
    When the infected computer in question is a company machine in the workplace, and you are an employee:

    Your organization must give their permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.

    More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

    Please inform your IT department or supervisor immediately when a workplace computer has been infected.

    Your ComboFix log still shows some parts of the infection, which may not necessarily be active anymore.