Results 1 to 6 of 6

Thread: Virtumonde Virus - Need Help

  1. #1
    Junior Member Mordep's Avatar
    Join Date
    Aug 2008
    Posts
    4

    Default Virtumonde Virus - Need Help

    Hello, I already try several times to remove it with the Spybot 1.60, with Ad-Aware and Norton 360 but didn't do anything.
    I read and i'm trying to follow the rules of "BEFORE you POST".
    I tried the VundoFix and didn't work. You are my last hope and I see that should be the first one.
    Everytime i try to run the Kaspersky Online Scanner the Firefox closes, like the process is killed. Please help me.Thanks!

    Here is the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:44:15, on 22-08-2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
    E:\Programas\Lavasoft\Ad-Aware\aawservice.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Programas\Bonjour\mDNSResponder.exe
    D:\Programas\cFosSpeed\spd.exe
    D:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
    E:\Programas\Raxco\PerfectDisk2008\PD91Agent.exe
    D:\WINDOWS\system32\PnkBstrA.exe
    D:\WINDOWS\system32\PnkBstrB.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\Explorer.EXE
    D:\Programas\Analog Devices\Core\smax4pnp.exe
    D:\Programas\Analog Devices\SoundMAX\Smax4.exe
    D:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
    D:\Programas\cFosSpeed\cFosSpeed.exe
    D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
    D:\Programas\Java\jre1.6.0_07\bin\jusched.exe
    D:\WINDOWS\system32\ctfmon.exe
    E:\Programas\System Explorer\SystemExplorer.exe
    E:\Programas\Wallpaper Master\Wallpaper.exe
    D:\Programas\Windows Live\Messenger\MsnMsgr.Exe
    D:\Programas\Ficheiros comuns\LightScribe\LightScribeControlPanel.exe
    E:\Programas\DAEMON Tools Lite\daemon.exe
    E:\Programas\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    E:\Programas\Logitech\SetPoint\SetPoint.exe
    E:\Programas\NARS\NETimetro\netimetro.exe
    E:\Programas\Stickies\stickies.exe
    D:\Programas\Ficheiros comuns\Logishrd\KHAL2\KHALMNPR.EXE
    D:\Programas\Windows Live\Messenger\usnsvc.exe
    D:\Programas\Mozilla Firefox\firefox.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\WINDOWS\system32\rundll32.exe
    D:\Programas\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - D:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] D:\Programas\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "D:\Programas\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ccApp] "D:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "D:\Programas\Ficheiros comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "D:\Programas\Ficheiros comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [cFosSpeed] D:\Programas\cFosSpeed\cFosSpeed.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Programas\Ficheiros comuns\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programas\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [f007915f] rundll32.exe "D:\WINDOWS\system32\qopxlxia.dll",b
    O4 - HKLM\..\Run: [BMd7f56a2e] Rundll32.exe "D:\WINDOWS\system32\wjtwktdk.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SystemExplorer] "e:\Programas\System Explorer\SystemExplorer.exe" /TRAY
    O4 - HKCU\..\Run: [WallpaperChanger] e:\Programas\Wallpaper Master\Wallpaper.exe -startup
    O4 - HKCU\..\Run: [MsnMsgr] "D:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LightScribe Control Panel] D:\Programas\Ficheiros comuns\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIÇO LOCAL')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Serviço de rede')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - S-1-5-18 Startup: Atalho para stickies.exe.lnk = E:\Programas\Stickies\stickies.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Atalho para stickies.exe.lnk = E:\Programas\Stickies\stickies.exe (User 'Default user')
    O4 - Startup: Atalho para stickies.exe.lnk = E:\Programas\Stickies\stickies.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Programas\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = E:\Programas\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: NETimetro.lnk = E:\Programas\NARS\NETimetro\netimetro.exe
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programas\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programas\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programas\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2704E01-1C18-430A-AE3A-E8B99AB313C6}: NameServer = 195.23.129.126,194.79.69.222
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - e:\Programas\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: addfau.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Programas\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Programas\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
    O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - D:\Programas\cFosSpeed\spd.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - D:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - D:\Programas\Ficheiros comuns\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - D:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - D:\Programas\Ficheiros comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: PD91Agent - Raxco Software, Inc. - E:\Programas\Raxco\PerfectDisk2008\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - E:\Programas\Raxco\PerfectDisk2008\PD91Engine.exe
    O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Programas\WinPcap\rpcapd.exe
    O23 - Service: Symantec Core LC - Unknown owner - D:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 9987 bytes

    I forget to tell that in the security center of Windows appears that the auto-updates are disconnected but it's on and also appears the warning near the clock in the bar.
    Thanks in advance!

  2. #2
    Junior Member Mordep's Avatar
    Join Date
    Aug 2008
    Posts
    4

    Default

    I've seen so many posts about this and in the majority of them is asked to check the pc with ComboFix, i understand that it was a diagnostic program and i take the risk of running it myself trying to make things faster.
    Here is the log that was generated.
    Thanks again!


    ComboFix 08-08-21.02 - Mordep 2008-08-23 3:10:56.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.1390 [GMT 1:00]
    Executando de: D:\Documents and Settings\Mordep\Ambiente de trabalho\ComboFix.exe
    * Criado um novo ponto de restauro

    ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
    .

    ((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\WINDOWS\BMd7f56a2e.txt
    D:\WINDOWS\BMd7f56a2e.xml
    D:\WINDOWS\system32\addfau.dll
    D:\WINDOWS\system32\aixlxpoq.ini
    D:\WINDOWS\system32\AyIjknpo.ini
    D:\WINDOWS\system32\AyIjknpo.ini2
    D:\WINDOWS\system32\edgunh.dll
    D:\WINDOWS\system32\mcrh.tmp
    D:\WINDOWS\system32\ofyyjlij.dll
    D:\WINDOWS\system32\opnkjIyA.dll
    D:\WINDOWS\system32\qopxlxia.dll
    D:\WINDOWS\system32\SBIiQqru.ini
    D:\WINDOWS\system32\SBIiQqru.ini2
    D:\WINDOWS\system32\xkdbvdpu.exe
    D:\WINDOWS\system32\xxyvvSmJ.dll
    D:\WINDOWS\system32\yxmrvoat.exe
    E:\install.exe

    .
    ((((((((((((((((((((((( Ficheiros criados de 2008-07-23 to 2008-08-23 ))))))))))))))))))))))))))))))))
    .

    2008-08-23 03:16 . 2008-08-23 03:16 <DIR> d-------- D:\WINDOWS\system32\xircom
    2008-08-23 03:16 . 2008-08-23 03:16 <DIR> d-------- D:\Programas\microsoft frontpage
    2008-08-23 01:54 . 2008-08-23 01:54 <DIR> d-------- D:\WINDOWS\system32\xlive
    2008-08-22 21:41 . 2008-08-22 21:41 <DIR> d-------- D:\Programas\Trend Micro
    2008-08-22 18:04 . 2008-08-22 22:34 145 --a------ D:\WINDOWS\wininit.ini
    2008-08-22 17:29 . 2008-08-22 18:31 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-22 14:16 . 2008-08-22 14:16 <DIR> d-------- D:\WINDOWS\Sun
    2008-08-21 20:24 . 2001-03-02 11:41 634 --a------ D:\WINDOWS\system32\MAPISVC.INF
    2008-08-18 13:16 . 2008-08-18 13:16 107,888 --a------ D:\WINDOWS\system32\CmdLineExt.dll
    2008-08-17 23:19 . 2008-08-22 14:44 <DIR> d-------- D:\Programas\Ficheiros comuns\BioWare
    2008-08-17 23:06 . 2008-08-17 23:06 357,768 --a------ D:\Documents and Settings\Mordep\SymXPep2.dll
    2008-08-14 03:48 . 2008-04-11 20:05 691,712 --------- D:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-14 03:48 . 2008-05-01 15:35 331,776 --------- D:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-13 14:48 . 2008-08-13 14:48 <DIR> d-------- D:\Documents and Settings\Laura\Application Data\Thunderbird
    2008-08-13 14:48 . 2008-08-13 14:48 <DIR> d-------- D:\Documents and Settings\Laura\Application Data\Talkback
    2008-08-06 19:29 . 2008-08-06 19:29 <DIR> d-------- D:\Documents and Settings\Laura\Application Data\Symantec
    2008-08-01 12:15 . 2008-08-01 12:15 <DIR> d-------- D:\Documents and Settings\Laura\Application Data\Windows Desktop Search
    2008-08-01 03:22 . 2008-08-01 03:22 <DIR> d--h----- D:\WINDOWS\PIF
    2008-08-01 03:21 . 2008-08-01 12:20 <DIR> d-------- D:\Programas\Windows Desktop Search
    2008-08-01 03:21 . 2008-08-01 03:21 <DIR> d-------- D:\Documents and Settings\Mordep\Application Data\Windows Search
    2008-08-01 03:20 . 2008-03-07 18:02 192,000 --------- D:\WINDOWS\system32\dllcache\offfilt.dll
    2008-08-01 03:20 . 2008-03-07 18:02 98,304 --------- D:\WINDOWS\system32\dllcache\nlhtml.dll
    2008-08-01 03:20 . 2008-03-07 18:02 29,696 --------- D:\WINDOWS\system32\dllcache\mimefilt.dll
    2008-08-01 03:16 . 2008-08-19 12:22 <DIR> d-------- D:\Programas\Microsoft Silverlight
    2008-07-29 13:19 . 2008-07-29 13:19 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\LogiShrd
    2008-07-29 12:32 . 2008-05-02 02:38 301,656 --a------ D:\WINDOWS\system32\BtCoreIf.dll
    2008-07-29 12:31 . 2008-07-29 12:32 <DIR> d-------- D:\Programas\Ficheiros comuns\Logishrd
    2008-07-29 12:31 . 2008-07-29 12:31 <DIR> d-------- D:\Documents and Settings\Mordep\Application Data\InstallShield
    2008-07-29 03:03 . 2008-07-29 03:03 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\NexonUS
    2008-07-28 22:35 . 2008-06-10 02:32 73,728 --a------ D:\WINDOWS\system32\javacpl.cpl
    2008-07-28 22:34 . 2008-07-28 22:35 <DIR> d-------- D:\Programas\Java
    2008-07-28 22:33 . 2008-07-28 22:33 <DIR> d-------- D:\Programas\Ficheiros comuns\Java
    2008-07-28 19:46 . 2008-07-28 19:46 <DIR> d-------- D:\Programas\OpenAL
    2008-07-28 19:46 . 2008-01-29 11:53 782,336 -ra------ D:\WINDOWS\system32\tmpE.tmp
    2008-07-28 19:46 . 2008-01-29 11:53 782,336 -ra------ D:\WINDOWS\system32\tmpD.tmp
    2008-07-28 19:46 . 2008-07-28 19:46 413,696 --a------ D:\WINDOWS\system32\wrap_oal.dll
    2008-07-28 19:46 . 2008-07-28 19:46 110,592 --a------ D:\WINDOWS\system32\OpenAL32.dll
    2008-07-24 23:03 . 2008-07-24 23:03 <DIR> d-------- D:\Documents and Settings\Laura\Application Data\vlc

    .
    ((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-23 02:17 --------- d-----w D:\Programas\cFosSpeed
    2008-08-23 02:10 --------- d-----w D:\Programas\Ficheiros comuns\Symantec Shared
    2008-08-23 02:09 --------- d-----w D:\Documents and Settings\Mordep\Application Data\stickies
    2008-08-22 23:43 --------- d-----w D:\Programas\Mozilla Thunderbird
    2008-08-22 20:22 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
    2008-08-22 14:08 --------- d-----w D:\Programas\Ficheiros comuns\Wise Installation Wizard
    2008-08-22 12:45 --------- d-----w D:\Programas\Norton 360
    2008-08-22 02:17 --------- d-----w D:\Documents and Settings\Mordep\Application Data\uTorrent
    2008-08-21 19:31 --------- d--h--w D:\Programas\InstallShield Installation Information
    2008-08-17 20:08 --------- d-----w D:\Programas\Ficheiros comuns\Nero
    2008-08-17 01:18 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Skype
    2008-08-17 00:50 --------- d-----w D:\Documents and Settings\Mordep\Application Data\skypePM
    2008-08-14 11:27 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-08-11 22:32 66,872 ----a-w D:\WINDOWS\system32\PnkBstrA.exe
    2008-08-11 22:32 22,328 ----a-w D:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-08-11 22:32 22,328 ----a-w D:\Documents and Settings\Mordep\Application Data\PnkBstrK.sys
    2008-08-11 22:32 103,736 ----a-w D:\WINDOWS\system32\PnkBstrB.exe
    2008-08-02 23:54 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Media Player Classic
    2008-07-30 19:13 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Notepad++
    2008-07-30 19:10 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Sports Interactive
    2008-07-30 16:42 23,888 ----a-w D:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-07-30 16:28 706 ----a-w D:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-07-30 16:28 10,537 ----a-w D:\WINDOWS\system32\drivers\COH_Mon.cat
    2008-07-30 12:43 --------- d-----w D:\Documents and Settings\Mordep\Application Data\VoipBuster
    2008-07-29 11:32 --------- d-----w D:\Programas\Ficheiros comuns\Logitech
    2008-07-25 08:34 81,920 ----a-w D:\WINDOWS\system32\dpl100.dll
    2008-07-25 08:34 683,520 ----a-w D:\WINDOWS\system32\divx.dll
    2008-07-23 16:50 3,596,288 ----a-w D:\WINDOWS\system32\qt-dx331.dll
    2008-07-18 21:10 94,920 ----a-w D:\WINDOWS\system32\cdm.dll
    2008-07-18 21:10 53,448 ----a-w D:\WINDOWS\system32\wuauclt.exe
    2008-07-18 21:10 45,768 -c--a-w D:\WINDOWS\system32\wups2.dll
    2008-07-18 21:10 36,552 ----a-w D:\WINDOWS\system32\wups.dll
    2008-07-18 21:09 563,912 ----a-w D:\WINDOWS\system32\wuapi.dll
    2008-07-18 21:09 325,832 ----a-w D:\WINDOWS\system32\wucltui.dll
    2008-07-18 21:09 205,000 ----a-w D:\WINDOWS\system32\wuweb.dll
    2008-07-18 21:09 1,811,656 ----a-w D:\WINDOWS\system32\wuaueng.dll
    2008-07-18 21:07 270,880 ----a-w D:\WINDOWS\system32\mucltui.dll
    2008-07-18 21:07 210,976 ----a-w D:\WINDOWS\system32\muweb.dll
    2008-07-16 19:16 2,337,865 ----a-w D:\WINDOWS\system32\pbsvc.exe
    2008-07-16 19:16 --------- d-----w D:\Documents and Settings\All Users\Application Data\Ubisoft
    2008-07-16 02:01 --------- d-----w D:\Programas\MSXML 4.0
    2008-07-15 16:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-07-15 15:41 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Symantec
    2008-07-15 00:30 --------- d-----w D:\Documents and Settings\Laura\Application Data\Logitech
    2008-07-14 23:49 --------- d-----w D:\Programas\Ficheiros comuns\Adobe
    2008-07-14 23:41 --------- d-----w D:\Programas\Bonjour
    2008-07-14 23:38 --------- d-----w D:\Programas\Ficheiros comuns\Macrovision Shared
    2008-07-14 23:31 --------- d-----w D:\Programas\Smart Panel
    2008-07-14 23:30 --------- d-----w D:\Programas\epson
    2008-07-14 23:12 --------- d-----w D:\Programas\Microsoft Works
    2008-07-14 23:11 --------- d-----w D:\Programas\Microsoft.NET
    2008-07-14 22:46 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Nero
    2008-07-14 22:44 --------- d-----w D:\Programas\NeroInstall.bak
    2008-07-14 22:42 --------- d-----w D:\Documents and Settings\All Users\Application Data\Nero
    2008-07-14 22:31 --------- d-----w D:\Documents and Settings\All Users\Application Data\LightScribe
    2008-07-14 22:23 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Thunderbird
    2008-07-14 22:23 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Talkback
    2008-07-14 22:17 --------- d-----w D:\Documents and Settings\All Users\Application Data\Raxco
    2008-07-14 22:11 --------- d-----w D:\Programas\Google
    2008-07-14 22:01 72,748 ----a-w D:\WINDOWS\unins000.exe
    2008-07-14 21:58 --------- d-----w D:\Documents and Settings\All Users\Application Data\Azureus
    2008-07-14 21:56 --------- d-----w D:\Programas\Windows Live
    2008-07-14 21:55 --------- dcsh--w D:\Programas\Ficheiros comuns\WindowsLiveInstaller
    2008-07-14 21:55 --------- d-----w D:\Programas\Ficheiros comuns\LightScribe
    2008-07-14 21:55 --------- d-----w D:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-07-14 21:50 --------- d-----w D:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-14 21:43 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Lavasoft
    2008-07-14 21:30 --------- d-----w D:\Documents and Settings\Mordep\Application Data\vlc
    2008-07-14 21:24 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Wallpaper Master
    2008-07-14 21:18 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Winamp
    2008-07-14 21:16 127,034 ------r D:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
    2008-07-14 21:16 --------- d-----w D:\Documents and Settings\Mordep\Application Data\Logitech
    2008-07-14 21:16 --------- d-----w D:\Documents and Settings\All Users\Application Data\Wallpaper Master
    2008-07-14 21:15 0 ---ha-w D:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2008-07-14 21:15 0 ---ha-w D:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
    2008-07-14 21:15 0 ---ha-w D:\WINDOWS\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
    2008-07-14 21:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Logitech
    2008-07-14 21:00 --------- d-----w D:\Programas\Skype
    2008-07-14 21:00 --------- d-----w D:\Programas\Ficheiros comuns\Skype
    2008-07-14 21:00 --------- d-----w D:\Documents and Settings\All Users\Application Data\Skype
    2008-07-14 20:49 --------- d-----w D:\Documents and Settings\All Users\Application Data\SystemExplorer
    2008-07-14 20:37 --------- d-----w D:\Programas\WinPcap
    2008-07-14 20:19 805 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.INF
    2008-07-14 20:19 60,800 ----a-w D:\WINDOWS\system32\S32EVNT1.DLL
    2008-07-14 20:19 123,952 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2008-07-14 20:19 10,671 ----a-w D:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2008-07-14 20:19 --------- d-----w D:\Programas\Symantec
    2008-07-14 19:40 717,296 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
    2008-07-14 19:40 --------- d-----w D:\Documents and Settings\Mordep\Application Data\DAEMON Tools
    2008-07-14 19:27 --------- d-----w D:\Programas\ASUS
    2008-07-14 19:25 --------- d-----w D:\Programas\Marvell
    2008-07-14 19:25 --------- d-----w D:\Programas\Ficheiros comuns\InstallShield
    2008-07-14 19:25 --------- d-----w D:\Documents and Settings\Mordep\Application Data\TMP
    2008-07-14 19:19 --------- d-----w D:\Programas\Analog Devices
    2008-07-14 19:12 --------- d-----w D:\Programas\Intel
    2008-07-14 17:51 --------- d-----w D:\Programas\7-Zip
    2008-07-14 17:50 --------- d-----w D:\Programas\Reference Assemblies
    2008-07-14 17:50 --------- d-----w D:\Programas\MSXML 6.0
    2008-07-14 17:50 --------- d-----w D:\Programas\MSBuild
    2008-07-14 17:44 --------- d-----w D:\WINDOWS\system32\config\systemprofile\Application Data\Notepad2
    .

    ------- Sigcheck -------

    2008-05-10 13:21 1036800 f908bd968ab83183c48f2886adf63d0e D:\WINDOWS\explorer.exe
    .
    (((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2008-04-14 21:39 15360]
    "SystemExplorer"="e:\Programas\System Explorer\SystemExplorer.exe" [2008-03-06 21:01 1338880]
    "WallpaperChanger"="e:\Programas\Wallpaper Master\Wallpaper.exe" [2005-12-01 23:05 531571]
    "MsnMsgr"="D:\Programas\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
    "LightScribe Control Panel"="D:\Programas\Ficheiros comuns\LightScribe\LightScribeControlPanel.exe" [2008-06-09 10:16 2363392]
    "DAEMON Tools Lite"="E:\Programas\DAEMON Tools Lite\daemon.exe" [2008-07-24 16:02 490952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="D:\Programas\Analog Devices\Core\smax4pnp.exe" [2007-10-08 21:02 1036288]
    "ccApp"="D:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
    "Symantec PIF AlertEng"="D:\Programas\Ficheiros comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
    "cFosSpeed"="D:\Programas\cFosSpeed\cFosSpeed.exe" [2008-05-02 18:30 863448]
    "NeroFilterCheck"="D:\Programas\Ficheiros comuns\Nero\Lib\NeroCheck.exe" [2008-06-19 09:53 570664]
    "EPSON Stylus CX3600 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" [2004-03-04 04:00 98304]
    "SunJavaUpdateSched"="D:\Programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

    D:\Documents and Settings\Mordep\Menu Iniciar\Programas\Arranque\
    Atalho para stickies.exe.lnk - E:\Programas\Stickies\stickies.exe [2008-01-16 22:39:45 757760]

    D:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
    Logitech Desktop Messenger.lnk - E:\Programas\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-07-14 22:16:41 67128]
    Logitech SetPoint.lnk - E:\Programas\Logitech\SetPoint\SetPoint.exe [2008-07-29 12:32:15 805392]
    NETimetro.lnk - E:\Programas\NARS\NETimetro\netimetro.exe [2008-05-14 16:30:16 391680]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-05-02 02:42 72208 d:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=addfau.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.YV12"= yv12vfw.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2008-06-24 16:06 1840424 D:\Programas\Ficheiros comuns\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMIndexingService"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "E:\\Programas\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "E:\\Programas\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
    "D:\\Programas\\Windows Live\\Messenger\\msnmsgr.exe"=
    "D:\\Programas\\Windows Live\\Messenger\\livecall.exe"=
    "E:\\Jogos\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
    "D:\\Programas\\Bonjour\\mDNSResponder.exe"=
    "D:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "D:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "D:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "C:\\Joguhos\\Call.of.Duty.4.Modern.Warfare.Full.Rip-Skullptura.[JACKPOT]\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "D:\\Programas\\Skype\\Phone\\Skype.exe"=
    "E:\\Jogos\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"=

    R2 PD91Agent;PD91Agent;E:\Programas\Raxco\PerfectDisk2008\PD91Agent.exe [2008-01-16 09:52]
    S3 NPF;NetGroup Packet Filter Driver;D:\WINDOWS\system32\drivers\npf.sys [2007-11-06 21:22]
    S3 PD91Engine;PD91Engine;E:\Programas\Raxco\PerfectDisk2008\PD91Engine.exe [2008-01-16 09:52]

    *Newly Created Service* - COMHOST

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "D:\Programas\Ficheiros comuns\LightScribe\LSRunOnce.exe"
    .
    - - - - ORFAOS REMOVIDOS - - - -

    BHO-{2C34C431-B9E7-4474-89E5-B82CD7ABAE47} - D:\WINDOWS\system32\urqQiIBS.dll
    HKLM-Run-f007915f - D:\WINDOWS\system32\qopxlxia.dll


    .
    ------- Ccan Suplementar -------
    .
    FireFox -: Profile - D:\Documents and Settings\Mordep\Application Data\Mozilla\Firefox\Profiles\32yxqday.mordep\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.pt/ig?hl=pt-PT
    FF -: plugin - D:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF -: plugin - D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    FF -: plugin - e:\Programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF -: plugin - e:\Programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF -: plugin - e:\Programas\VideoLAN\VLC\npvlc.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-23 03:16:54
    Windows 5.1.2600 Service Pack 3 NTFS

    Procurando processos ocultos ...

    Procurando entradas auto inicializ*veis ocultas ...

    Procurando ficheiros ocultos ...

    Varredura completada com sucesso
    Ficheiros ocultos: 0

    **************************************************************************
    .
    ------------------------ Outros Processos em Execu‡Æo ------------------------
    .
    D:\WINDOWS\system32\ati2evxx.exe
    D:\WINDOWS\system32\ati2evxx.exe
    D:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
    E:\Programas\Lavasoft\Ad-Aware\aawservice.exe
    D:\Programas\Bonjour\mDNSResponder.exe
    D:\Programas\cFosSpeed\spd.exe
    D:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
    D:\WINDOWS\system32\PnkBstrA.exe
    D:\WINDOWS\system32\PnkBstrB.exe
    D:\WINDOWS\system32\verclsid.exe
    .
    **************************************************************************
    .
    Tempo para conclusÆo: 2008-08-23 3:18:41 - Maquina reiniciou
    ComboFix-quarantined-files.txt 2008-08-23 02:18:35

    Pre-Run: 26,803,355,648 bytes livres
    Post-Run: 26,722,258,944 bytes livres

    291 --- E O F --- 2008-08-19 11:23:00

  3. #3
    Junior Member Mordep's Avatar
    Join Date
    Aug 2008
    Posts
    4

    Default

    i did a scan with SpyBot today and it shows that i didn't have any threat now but i want to know if that is true. The only things i've done is scanning with the combofix.
    Thanks!!

    --------------------------------------------------------------------

    Do NOT run 'FIXES' before helpers have analyzed HJT log

    File Sharing, otherwise known as Peer To Peer. (P2P)
    Particularly post #4, http://forums.spybot.info/showpost.p...03&postcount=4

    Also, adding posts to your topic has removed a zero response, which is what helpers look for.
    Last edited by tashi; 2008-08-23 at 18:34. Reason: added link

  4. #4
    Junior Member Mordep's Avatar
    Join Date
    Aug 2008
    Posts
    4

    Default

    Ok I didn't know that, the add post's thing.
    Can I be sure that doesn't have any problem now?
    Thanks for the help!

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    If you still want someone to look at this, read the directions first and then do this.

    Download Malwarebytes' Anti-Malware to your Desktop
    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file & a new HJT log in your next reply.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Due to the lack of feedback this Topic is closed.

    If you need this topic reopened, please request this by sending the moderating team
    a PM with the address of the thread. This applies only to the original topic starter.

    If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •