07-06-2009, 07:45 AM   #1
SFonseca
Registered User
 
Join Date: Jul 2009
Posts: 3
OS: xp


Trojan/Virus on Task Manager, Regedit & others

Dear Friends,

I am a regular reader of techsupportforum but this is the very first time I post... and for the worst reasons...

I believe my computer has been infected with a trojan/virus. My Task Manager doesn't work (it has been disabled) and the same happens with regedit and AntiVir. Spyware Terminator detects a backdoor.backdoor.gen but the file can't be deleted. I tried to kill it in "safe mode" but that is not working either. Once in a while a message pops up saying that NT Authority will shut down the computer in 60 seconds and to save your work.

As I have run out of ideas (and skills) to remove this "little *******", I decided it was time to ask for expert help.

Any kind of help will be highly welcome. It will be much appreciated.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Sergio Fonseca at 18:37:01,50 on 06-07-2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.1022.478 [GMT 8:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00EB-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {BADB0D00-FFA4-00FC-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00EB-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-00FC-0D24-347CA8A3377C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Programas\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Programas\AntiVir PersonalEdition Classic\sched.exe
C:\Programas\Ficheiros comuns\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Programas\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Apoint2K\Apoint.exe
C:\Programas\Java\jre1.5.0_04\bin\jusched.exe
C:\Programas\Hp\HP Software Update\HPWuSchd2.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programas\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programas\Skype\Phone\Skype.exe
C:\Programas\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programas\3M\PSNLite\PsnLite.exe
C:\Programas\Apoint2K\Apntex.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Messenger\msmsgs.exe
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\winfscc.exe
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\winwkfsk.exe
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\winxjlgip.exe
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\winnoml.exe
C:\Programas\iPod\bin\iPodService.exe
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\winiivx.exe
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\windqkg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sergio Fonseca\Ambiente de trabalho\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sportmotores.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
uInternet Connection Wizard,ShellNext = "c:\programas\outlook express\msimn.exe"
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60341
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programas\ficheiros comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Solid Converter PDF: {259f616c-a300-44f5-b04a-ed001a26c85c} - c:\programas\soliddocuments\solidconverterpdf\scpdf\ExploreExtPDF.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Programa Auxiliar de Início de Sessão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\programas\ficheiros comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programas\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programas\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\programas\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programas\google\google toolbar\GoogleToolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\progra~1\micros~4\wcescomm.exe"
uRun: [VodafoneUSBPP.exe] c:\programas\huawei technologies\vodafone internet connect box\VodafoneUSBPP.exe windows
uRun: [swg] c:\programas\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Skype] "c:\programas\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpywareTerminatorUpdate] "c:\programas\spyware terminator\SpywareTerminatorUpdate.exe"
uRun: [Uninstall_CToolbar] "c:\docume~1\sergio~1\defini~1\temp\CUninst.exe" "/remove"
mRun: [ATIPTA] c:\programas\ati technologies\ati control panel\atiptaxx.exe
mRun: [SoundMAXPnP] c:\programas\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\programas\analog devices\soundmax\Smax4.exe /tray
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\programas\apoint2k\Apoint.exe
mRun: [SunJavaUpdateSched] c:\programas\java\jre1.5.0_04\bin\jusched.exe
mRun: [hpWirelessAssistant] c:\programas\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\programas\hp\hp software update\HPWuSchd2.exe
mRun: [iTunesHelper] c:\programas\itunes\iTunesHelper.exe
mRun: [QuickTime Task] "c:\programas\quicktime\qttask.exe" -atboottime
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [eabconfg.cpl] c:\programas\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\programas\hpq\default settings\cpqset.exe
mRun: [TkBellExe] "c:\programas\ficheiros comuns\real\update_ob\realsched.exe" -osboot
mRun: [avgnt] "c:\programas\antivir personaledition classic\avgnt.exe" /min
mRun: [Windows Defender] "c:\programas\windows defender\MSASCui.exe" -hide
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\programas\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SpywareTerminator] "c:\programas\spyware terminator\SpywareTerminatorShield.exe"
mRun: [Ad-Watch] c:\programas\lavasoft\ad-aware\AAWTray.exe
mRun: [RRT-Auto] c:\docume~1\sergio~1\defini~1\temp\rar$ex00.360\RRT.exe auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\fichei~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\arranque\acroba~1.lnk - c:\programas\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\arranque\post-i~1.lnk - c:\programas\3m\psnlite\PsnLite.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programas\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\programas\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} - hxxp://www.mediazone.com/channel/a1gp/MZ_Player.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://fiaetcc.com/edit/gallery/modules/gallery/UploadImm/xupload.ocx
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\programas\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichei~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-5 64160]
R1 avgio;avgio;c:\programas\antivir personaledition classic\avgio.sys [2006-11-11 11840]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-7-5 142592]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\programas\antivir personaledition classic\sched.exe [2006-11-11 57896]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programas\lavasoft\ad-aware\AAWService.exe [2009-3-10 951632]
R2 U3sHlpDr;U3sHlpDr;c:\windows\system32\drivers\U3sHlpDr.sys [2006-8-13 7551]
R2 WinDefend;Windows Defender;c:\programas\windows defender\MsMpEng.exe [2006-11-4 13592]
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\irqers.sys --> c:\windows\system32\drivers\irqers.sys [?]
S2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\programas\antivir personaledition classic\avguard.exe [2006-11-11 282664]
S2 F3E81574;F3E81574;c:\windows\system32\872ddd50.exe -k --> c:\windows\system32\872DDD50.EXE -k [?]
S2 TrkNetsSvcs;Distributed Link Tracking Servers;c:\windows\svchost.exe -netsvcs --> c:\windows\svchost.exe -netsvcs [?]
S3 avgntflt;avgntflt;c:\programas\antivir personaledition classic\avgntflt.sys [2006-11-11 48704]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys --> c:\windows\system32\drivers\ewusbmdm.sys [?]
S3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;c:\windows\system32\drivers\ewusbapp.sys [2006-8-24 65152]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [2006-8-24 65152]
S3 TSClient;Tatara Protocol Driver;c:\windows\system32\drivers\tsclient.sys [2005-10-4 27264]

=============== Created Last 30 ================

2009-07-05 22:54 16,244 a------- c:\windows\system32\rrt_is.wav
2009-07-05 22:54 7,302 a------- c:\windows\system32\rrt_vf.wav
2009-07-05 22:54 7,148 a------- c:\windows\system32\rrt_tv.wav
2009-07-05 22:54 6,282 a------- c:\windows\system32\rrt_tn.wav
2009-07-05 22:29 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-05 22:17 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-05 22:16 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-05 22:16 <DIR> --d----- c:\programas\Lavasoft
2009-07-05 21:45 <DIR> --d----- c:\programas\Crawler
2009-07-05 21:45 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-05 21:45 <DIR> --d----- c:\docume~1\sergio~1\applic~1\Spyware Terminator
2009-07-05 21:45 <DIR> --d----- c:\programas\Spyware Terminator
2009-07-05 21:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-06-12 09:19 3,556 a------- c:\windows\system32\wbem\Outlook_01c9eafbd83d1a46.mof
2009-06-11 07:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 07:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 07:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-11 07:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll

==================== Find3M ====================

2009-07-05 23:02 146,432 a------- c:\windows\regedit.exe
2009-06-12 09:19 457,744 a------- c:\windows\system32\perfh016.dat
2009-06-12 09:19 76,352 a------- c:\windows\system32\perfc016.dat
2009-05-13 13:04 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 13:04 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 13:04 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 23:43 346,624 a------- c:\windows\system32\localspl.dll
2009-05-07 23:43 346,624 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-01 05:14 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-05-01 05:14 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-05-01 05:14 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 19:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-20 04:09 1,846,784 a------- c:\windows\system32\win32k.sys
2009-04-20 04:09 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 23:17 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 23:17 584,192 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-09 10:02 224 a------- c:\docume~1\sergio~1\applic~1\wklnhst.dat
2007-06-19 18:38 88 ---shr-- c:\windows\system32\0C83F82A2A.sys
2007-06-19 18:38 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:37:45,14 ===============
Attached Files: Attach.zip (3.4 KB)
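The conditions a responder would pull out of the report above first are all machine-readable: DisableTaskMgr and DisableRegistryTools set to 1 under the user and default-user policy keys, six executables running from the user's Temp directory, Run entries that point into Temp, and services (asc3360pr, F3E81574, TrkNetsSvcs) whose binaries DDS marks with [?] or that launch svchost.exe from outside system32. The Python script below is an added example, not part of the original post and not part of DDS or any of the tools named in it. It parses a constructed subset of the report (lines in the same format as the log above) and lists those conditions grouped by type. The mapping of the u/m/d prefixes to HKCU, HKLM and the default-user hive is an assumption about DDS's convention, and every hit is a triage hint to be checked by hand, not a verdict.

```python
"""Triage a DDS-style scan report for the conditions described in the post:
Task Manager / regedit disabled by policy, executables running from %TEMP%,
autoruns that point into %TEMP%, and services whose binaries DDS could not
locate. Heuristics only: every hit is something to look at, not a verdict."""
import re
from typing import Dict, List

# DDS prefixes on policy and autorun lines. Assumption about the tool's
# convention: u = current user (HKCU), m = machine (HKLM), d = default user hive.
HIVE_PREFIX = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
# Non-zero values here make taskmgr.exe / regedit.exe refuse to start.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}

SECTION_HDR = re.compile(r"^=+\s*(.*?)\s*=+$")
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)            # any ...\Temp\... component
POLICY_LINE = re.compile(r"^([umd])Policies-\w+:\s*(\w+)\s*=\s*(\d+)")
RUN_LINE = re.compile(r"^([umd])Run:\s*\[([^\]]+)\]\s*(.*)$")
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)$")  # state name;display;image
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")                       # e.g. F3E81574

# Constructed sample: a subset of lines in the format of the report above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\winfscc.exe
C:\DOCUME~1\SERGIO~1\DEFINI~1\Temp\winnoml.exe
============== Pseudo HJT Report ===============
uRun: [Uninstall_CToolbar] "c:\docume~1\sergio~1\defini~1\temp\CUninst.exe" "/remove"
mRun: [avgnt] "c:\programas\antivir personaledition classic\avgnt.exe" /min
mRun: [RRT-Auto] c:\docume~1\sergio~1\defini~1\temp\rar$ex00.360\RRT.exe auto
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
============= SERVICES / DRIVERS ===============
R2 WinDefend;Windows Defender;c:\programas\windows defender\MsMpEng.exe [2006-11-4 13592]
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\irqers.sys --> c:\windows\system32\drivers\irqers.sys [?]
S2 F3E81574;F3E81574;c:\windows\system32\872ddd50.exe -k --> c:\windows\system32\872DDD50.EXE -k [?]
S2 TrkNetsSvcs;Distributed Link Tracking Servers;c:\windows\svchost.exe -netsvcs --> c:\windows\svchost.exe -netsvcs [?]
"""


def parse_sections(log_text: str) -> Dict[str, List[str]]:
    """Split the report on its '==== Title ====' headers; drop blank lines."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = SECTION_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the lines worth a responder's attention, grouped by finding type."""
    sections = parse_sections(log_text)
    findings: Dict[str, List[str]] = {
        "temp_processes": [], "restrictive_policies": [],
        "temp_autoruns": [], "suspicious_services": [],
    }
    # A persistent program executing out of a Temp directory is abnormal.
    for proc in sections.get("Running Processes", []):
        if TEMP_PATH.search(proc):
            findings["temp_processes"].append(proc)

    for line in sections.get("Pseudo HJT Report", []):
        pol = POLICY_LINE.match(line)
        if pol:
            hive, name, value = pol.groups()
            if name in RESTRICTIVE_POLICIES and value != "0":
                findings["restrictive_policies"].append(
                    f"{HIVE_PREFIX[hive]}\\{POLICY_KEY}\\{name} = {value}")
            continue
        run = RUN_LINE.match(line)
        if run and TEMP_PATH.search(run.group(3)):
            findings["temp_autoruns"].append(
                f"{HIVE_PREFIX[run.group(1)]} Run [{run.group(2)}] -> {run.group(3)}")

    for line in sections.get("SERVICES / DRIVERS", []):
        svc = SERVICE_LINE.match(line)
        if not svc:
            continue
        state, name, image = svc.groups()
        reasons = []
        if image.endswith("[?]"):          # DDS could not read the file: missing or hidden
            reasons.append("file info unavailable ([?])")
        if "svchost.exe" in image.lower() and "\\system32\\svchost.exe" not in image.lower():
            reasons.append("svchost.exe outside system32")   # the genuine one lives in system32
        if HEX_NAME.match(name):
            reasons.append("eight-hex-digit service name")
        if reasons:
            findings["suspicious_services"].append(f"{state} {name}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"== {kind} ({len(hits)})")
        for hit in hits:
            print("  ", hit)
```

To run it against a saved report, pass the file's contents to triage() in place of SAMPLE_LOG. The policy findings give the exact registry values to reset to 0 once the process that keeps re-setting them is gone; the Temp and service findings are the files to submit for analysis before deleting anything.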