#1 (permalink)
Registered User
Join Date: Jul 2009
Posts: 3
OS: xp
Dear Friends,
I am a regular reader of techsupportforum but this is the very first time I post... and for the worst reasons... I believe my computer has been infected with a trojan/virus. My Task Manager doesn't work (it has been disabled) and the same happens for regedit and AntiVir. Spyware Terminator detects a backdoor.backdoor.gen but the file can't be deleted. I tried to kill it in "safe mode" but that is not working either. Once in a while a message pops up saying that the NT Authority will shut down the computer in 60 seconds and to save your work. As I have run out of ideas (and skills) to remove this "little *******" I decided it was time to ask for expert help. Any kind of help will be highly welcome. It will be much appreciated.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Sergio Fonseca at 18:37:01,50 on 06-07-2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.1022.478 [GMT 8:00]