I'm infected

nunosga

Hello, I've just run Kaspersky Online and found I'm infected. Before, I only knew that I had a threat that Spybot could not remove (even on startup).
According to this forum's recommendations, here's my Kaspersky log:

Thanks for any help.

nuno gouveia, from Portugal

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 26, 2007 1:51:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/10/2007
Kaspersky Anti-Virus database records: 446557
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 74840
Number of viruses found: 5
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:14:59

Infected Object Name / Virus Name / Last Action
C:\fraudfix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\fraudfix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\fraudfix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7b8.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_628.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\rofs154.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs107.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\xlavra3.exe Infected: Trojan-Downloader.Win32.Wixud.b skipped
C:\WINDOWS\rofs194.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs168.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs105.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs123.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs103.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs120.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs179.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs124.exe Infected: Trojan.Win32.Agent.cht skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10152007-233012.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nuno\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\nuno\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Temp\~DF41B1.tmp Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Temp\~DF41BE.tmp Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Microsoft\Windows Defender\FileTracker\{2D28F7C8-F23B-4537-A894-2B1253DBF8AF} Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\PNED.dbx Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\nuno\Definições locais\Application Data\Identities\{995F6BF6-A7C4-4CD8-B836-70940A10BC00}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\nuno\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-1f584ec3.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-14fdec45-4ba76897.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\index2.dat Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\user16384.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chat8192.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\user1024.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\profile16384.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\call256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\callmember256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\transfer512.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Skype\goununo\chat512.dbb Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\master.mdf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\mastlog.ldf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\model.mdf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\modellog.ldf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\tempdb.mdf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Data\templog.ldf Object is locked skipped
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\_restore{5EFCC9D3-93AA-4DE1-9772-4B828D10CDD1}\RP445\A0069306.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\!KillBox\vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
D:\System Volume Information\_restore{5EFCC9D3-93AA-4DE1-9772-4B828D10CDD1}\RP460\change.log Object is locked skipped
D:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
D:\System Volume Information\catalog.wci\00010001.ci Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
D:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped

Scan process completed.
 
and here's my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09:24, on 26-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programas\Microsoft SQL Server\MSSQL$PRIEXPRESS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Skype\Phone\Skype.exe
C:\Programas\Logitech\MouseWare\system\em_exec.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Bricsys\Bricscad\bricscad.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.publico.clix.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 3786 bytes
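The Kaspersky Online Scanner report above mixes three kinds of lines: real detections ("Infected: ..."), container summaries ("ZIP: infected - 1"), and the long tail of "Object is locked" entries for registry hives, event logs and databases that the scanner simply could not open. A helper triaging such a log has to separate those, and then decide which hits are live (on disk and executable), which are dormant copies in a System Restore point, which are already sitting in a removal tool's quarantine folder (here C:\!KillBox), and which are "not-a-virus" riskware such as the Reboot.exe shipped with SmitfraudFix. The following is an added example, not code from the original thread or from Kaspersky: a small parser for this report format that performs that triage. The sample input is a constructed subset of the lines in the post above; the classification rules for the `not-a-virus:`/`not-virus:` prefixes and for the restore-point, quarantine and archive paths are the author's own assumptions about what counts as live.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Line shapes seen in the Kaspersky Online Scanner 5.x text report.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - (?P<count>\d+) skipped$")

# Constructed subset of the report posted above (not the full log).
SAMPLE_REPORT = r"""
C:\fraudfix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\fraudfix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\fraudfix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\rofs154.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\rofs107.exe Infected: Trojan.Win32.Agent.cht skipped
C:\WINDOWS\xlavra3.exe Infected: Trojan-Downloader.Win32.Wixud.b skipped
C:\Documents and Settings\nuno\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-352f55f0-1f584ec3.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\nuno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-14fdec45-4ba76897.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\System Volume Information\_restore{5EFCC9D3-93AA-4DE1-9772-4B828D10CDD1}\RP445\A0069306.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\!KillBox\vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
"""


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    category: str  # "malware", "hoax" or "riskware"
    location: str  # "live", "archive", "restore_point" or "quarantine"


def classify_detection(name: str) -> str:
    """Map Kaspersky's naming prefixes to a coarse category (assumed rules)."""
    lower = name.lower()
    if lower.startswith("not-a-virus:"):
        return "riskware"  # legitimate tools flagged as potentially unwanted
    if lower.startswith("not-virus:"):
        return "hoax"  # rogue/scareware components such as Renos
    return "malware"


def classify_location(path: str) -> str:
    """Decide whether a hit is a live file or a dormant copy (assumed rules)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # cleaned by purging System Restore, not by deletion
    if "\\!killbox\\" in p:
        return "quarantine"  # already moved aside by a removal tool
    if ".zip/" in p:
        return "archive"  # inert until extracted; Kaspersky uses '/' inside archives
    return "live"


def parse_report(text: str):
    """Split the report into detections, locked objects and anything unrecognised."""
    findings, locked, unparsed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["name"],
                                    classify_detection(m["name"]),
                                    classify_location(m["path"])))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
            continue
        if ARCHIVE_RE.match(line):
            continue  # container summary; the member hit is already recorded
        unparsed.append(line)
    return findings, locked, unparsed


def live_threats(findings):
    """Hits that need action now: on disk, not in a restore point or quarantine, not riskware."""
    return [f for f in findings if f.location == "live" and f.category != "riskware"]


def summarize(findings):
    """Count hits per (detection name, location) so repeated droppers stand out."""
    return Counter((f.detection, f.location) for f in findings)


if __name__ == "__main__":
    found, locked_paths, leftovers = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} detections, {len(locked_paths)} locked objects, {len(leftovers)} unparsed")
    for (name, where), n in sorted(summarize(found).items()):
        print(f"{n:3d}  {where:14s} {name}")
    print("needs action:")
    for f in live_threats(found):
        print("  ", f.path)
```

Run on the full report, the summary separates the eleven rofs*.exe droppers and the Java cache downloader (live, to be removed) from the Renos copies in the restore point and KillBox folder (dormant, cleared by purging System Restore and the quarantine) and from SmitfraudFix's own Reboot.exe (riskware, expected). The "Object is locked" lines are kept in a separate list rather than discarded, since a locked file in an unexpected place is itself worth a look.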
 
Hello nunosga and welcome to the Forums :)

You're infected...

First, you need to disable a few real-time protections. These may interfere with our cleaning process.
We'll enable these again when you're clean...

Disable Spybot S&D Teatimer.
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 
This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.
 