Resolved HJT Threads: Resolved spyware and popup issues.
Old 06-05-2009, 01:51 AM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Help! bndmss.exe and many others!

Hello!

My computer has been showing signs that it is infected with viruses the last few days. Norton seems to have been deactivated for some reason and I didn't even notice! I have been getting "explorer.exe" and "bndmss.exe" error messages, and a few advertisement popups, aside from the fact that the computer is very slow and I can't sync my iPod anymore; actually all the songs were deleted from the iPod (although they're still in my iTunes library).

Now I don't know what to do! A friend's son told me this forum might help me out, and to wait for all the viruses to be removed before "backing up" my files.

I have run the required programs and am posting the resulting logs, along with the specified attachment.

Thank you very much to all!


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrador at 13:45:17,65 on ter 02/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1023.513 [GMT -3:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bndmss.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\ARQUIV~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\ARQUIV~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrador\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.uol.com.br/
mWinlogon: Taskman=c:\recycler\s-1-5-21-9615457240-3612855822-129022670-2410\winmap32.exe
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\arquivos de programas\norton systemworks\norton antivirus\NavShExt.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\arquiv~1\textware\quickf~1\plugins\IEHelp.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\arquivos de programas\norton systemworks\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [12CFG914-K641-26SF-N32P] c:\recycler\s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
mRun: [Smapp] c:\arquivos de programas\analog devices\soundmax\SMTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\arquivos de programas\arquivos comuns\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
mRun: [Norton Ghost 9.0] c:\arquivos de programas\norton systemworks\norton ghost\agent\GhostTray.exe
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre1.6.0_01\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\arquivos de programas\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BigDogPath] c:\windows\VM_STI.EXE D-Link DSB-C320
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\arquivos de programas\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {0FC41652-71B3-4531-8E46-0436FD819D16} = 200.204.0.10 200.204.0.138
TCP: {69068BDA-85F6-4F4B-BD1C-F625EC936964} = 200.204.0.10,200.204.0.138
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\arquivos de programas\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\dadosd~1\mozilla\firefox\profiles\q4yspto3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.uol.com.br
FF - plugin: c:\documents and settings\administrador\dados de aplicativos\mozilla\firefox\profiles\q4yspto3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-8-2 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-8-2 46779]
R1 SAVRTPEL;SAVRTPEL;c:\arquivos de programas\norton systemworks\norton antivirus\Savrtpel.sys [2004-7-23 49808]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-7-7 394192]
R2 Agendador do LiveUpdate automático;Agendador do LiveUpdate automático;c:\arquivos de programas\symantec\liveupdate\AluSchedulerSvc.exe [2007-4-27 100032]
R2 BNDMSS;Windows Network Data Management System Service;c:\windows\system32\bndmss.exe [2009-5-15 30720]
R2 ccEvtMgr;Symantec Event Manager;c:\arquivos de programas\arquivos comuns\symantec shared\ccEvtMgr.exe [2004-9-14 197752]
R2 ccSetMgr;Symantec Settings Manager;c:\arquivos de programas\arquivos comuns\symantec shared\ccSetMgr.exe [2004-9-14 164984]
R2 navapsvc;Serviço do Auto-Protect do Norton AntiVirus;c:\arquivos de programas\norton systemworks\norton antivirus\navapsvc.exe [2004-8-31 177280]
R2 NProtectService;Norton Unerase Protection;c:\arquiv~1\norton~1\norton~1\NPROTECT.EXE [2004-9-16 99432]
R2 Symantec Core LC;Symantec Core LC;c:\arquivos de programas\arquivos comuns\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-26 819352]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 NAVENG;NAVENG;c:\arquiv~1\arquiv~1\symant~1\virusd~1\20080423.025\NAVENG.Sys [2008-4-23 82256]
R3 NAVEX15;NAVEX15;c:\arquiv~1\arquiv~1\symant~1\virusd~1\20080423.025\NavEx15.Sys [2008-4-23 895408]
R3 SAVRT;SAVRT;c:\arquivos de programas\norton systemworks\norton antivirus\savrt.sys [2004-7-23 335504]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 SBService;ScriptBlocking Service;c:\arquiv~1\arquiv~1\symant~1\script~1\SBServ.exe [2004-8-31 66688]
S3 ccPwdSvc;Symantec Password Validation;c:\arquivos de programas\arquivos comuns\symantec shared\ccPwdSvc.exe [2004-9-14 78968]
S3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [2007-4-26 13324]
S3 SAVScan;SAVScan;c:\arquivos de programas\norton systemworks\norton antivirus\SAVScan.exe [2004-7-23 197864]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [2007-4-26 49920]
S3 ZSMC302;D-Link DSB-C320;c:\windows\system32\drivers\usbvm302.sys [2008-9-13 195263]

=============== Created Last 30 ================

2009-05-19 11:22 34,164 a------- c:\documents and settings\administrador\lis32.exe
2009-05-16 17:06 30,720 a------- c:\documents and settings\administrador\wsk32.exe
2009-05-15 10:52 30,720 -------- c:\windows\system32\bndmss.exe
2009-05-07 12:44 72,704 a------- c:\documents and settings\administrador\wiit32.exe
2009-05-05 16:00 72,704 a------- c:\documents and settings\administrador\winit32.exe

==================== Find3M ====================

2009-05-02 20:39 347,294 a------- c:\windows\system32\perfh016.dat
2009-05-02 20:39 49,586 a------- c:\windows\system32\perfc016.dat
2009-03-06 11:46 285,696 a------- c:\windows\system32\pdh.dll
2008-02-23 12:25 0 a------- c:\documents and settings\administrador\Emails.dat
2008-02-23 13:08 2 a--shrot c:\windows\winstart.bat

============= FINISH: 13:45:50,95 ===============
Attached Files
File Type: rar Attach.rar (8.0 KB, 2 views)
helpbak is offline  

Old 06-05-2009, 07:33 AM   #2 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

Hello, and welcome to TSF.
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread.
Make sure it is set to Instant Notification, then click Subscribe.
Please be patient with me during this time.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 06-05-2009, 11:14 AM   #3 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

Hi,

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.
Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

If you wish to have me attempt to clean this machine I will be happy to do so but I cannot guarantee that even after cleaning, your machine will be completely trustworthy again.
The only way to be certain is to do a complete reformat and reinstall of your operating system.

Please let me know what you decide to do, in the meantime I will proceed with cleaning the machine.

Please do the following:


Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 06-06-2009, 02:13 AM   #4 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Hello!

First of all, thank you very much for your help!

I understand the implications involved with such dangerous and deep-rooted infections. I do pretend to reformat the machine, but would like to back up my files beforehand. Is there any chance of me doing that without infecting my means of backup (CD/DVD/pen drive)? I mean, can we clean the machine up to the point it is safe to do a backup?

About the higher security risks I am exposed to, I have long since been paying my bills from another computer, and went to the bank to change my account password. I have read the article you linked, but would like to know regarding this delicate matter, even with these precautions I have taken, do I need to take the described further actions? Am I still running some sort of risk?

Things like my e-mail account, and this forum, though, amongst other things, I have continued to access by means of the infected machine (this machine). Am I running a risk with these also? If so, can you tell me when we get the machine clean enough for me to change my passwords for all of these internet accounts?

Oh, and I forgot to mention I live in Brazil, so my Windows XP runs in Portuguese. It seems ComboFix also chose my system's language and the log it produced is also in Portuguese. If you need me to translate the log, please tell me and I will do so with the utmost pleasure.

Here is the ComboFix log:

ComboFix 09-06-05.07 - Administrador 06/06/2009 4:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1023.661 [GMT -3:00]
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrador\winit32.exe
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851\Desktop.ini
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe
c:\recycler\S-1-5-21-9615457240-3612855822-129022670-2410\winmap32.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\bndmss.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BNDMSS
-------\Service_BNDMSS


(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-06 to 2009-06-06 ))))))))))))))))))))))))))))
.

2009-05-19 14:22 . 2009-05-20 13:00 34164 ----a-w- c:\documents and settings\Administrador\lis32.exe
2009-05-16 20:06 . 2009-06-06 07:14 30720 ----a-w- c:\documents and settings\Administrador\wsk32.exe
2009-05-07 15:44 . 2009-05-10 14:56 72704 ----a-w- c:\documents and settings\Administrador\wiit32.exe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 07:21 . 2007-04-26 22:50 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Symantec Shared
2009-05-02 23:39 . 2009-05-02 23:39 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\MailFrontier
2009-05-02 23:39 . 2001-10-28 15:07 49586 ----a-w- c:\windows\system32\perfc016.dat
2009-05-02 23:39 . 2001-10-28 15:07 347294 ----a-w- c:\windows\system32\perfh016.dat
2009-03-11 03:38 . 2007-10-27 13:34 14045165 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-03-09 05:38 . 2009-03-09 13:36 1874432 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-03-09 05:38 . 2009-03-09 13:36 2644480 ----a-w- c:\windows\Internet Logs\xDB19.tmp
2008-02-23 16:08 . 2008-02-23 16:08 2 --shatr- c:\windows\winstart.bat
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"ccApp"="c:\arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2004-09-14 58488]
"Norton Ghost 9.0"="c:\arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2004-08-02 1122304]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]
"ZoneAlarm Client"="c:\arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 159744]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"="c:\recycler\S-1-5-21-9615457240-3612855822-129022670-2410\winmap32.exe"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Arquivos de programas\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Arquivos de programas\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrador\\wsk32.exe"=wsk32.exe
"wsk32.exe"= wsk32.exe:BNDMSS
"c:\\Documents and Settings\\Administrador\\lis32.exe"=lis32.exe
"lis32.exe"= lis32.exe:BNDMSS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2/8/2004 17:04 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2/8/2004 17:23 46779]
R2 Agendador do LiveUpdate automático;Agendador do LiveUpdate automático;c:\arquivos de programas\Symantec\LiveUpdate\AluSchedulerSvc.exe [27/4/2007 14:33 100032]
R2 NProtectService;Norton Unerase Protection;c:\arquiv~1\NORTON~1\NORTON~1\NPROTECT.EXE [16/9/2004 14:50 99432]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [26/4/2007 19:43 13324]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [26/4/2007 19:41 49920]
S3 ZSMC302;D-Link DSB-C320;c:\windows\system32\drivers\usbvm302.sys [13/9/2008 14:38 195263]
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-06-06 c:\windows\Tasks\HP Usg Daily.job
- c:\arquivos de programas\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-04-01 19:03]

2009-06-05 c:\windows\Tasks\Norton AntiVirus - Verificar o meu computador - Administrador.job
- c:\arquiv~1\NORTON~1\NORTON~3\Navw32.exe [2004-08-31 16:06]

2009-06-01 c:\windows\Tasks\One Button Checkup do Norton SystemWorks.job
- c:\arquivos de programas\Norton SystemWorks\OBC.exe [2004-09-16 18:22]

2009-06-05 c:\windows\Tasks\Symantec Drmc.job
- c:\arquivos de programas\Arquivos comuns\Symantec Shared\SymDrmc.exe [2004-08-31 03:40]

2009-06-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 01:18]
.
- - - - ORFÃOS REMOVIDOS - - - -

SafeBoot-procexp90.Sys


.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.uol.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0FC41652-71B3-4531-8E46-0436FD819D16} = 200.204.0.10 200.204.0.138
TCP: {69068BDA-85F6-4F4B-BD1C-F625EC936964} = 200.204.0.10,200.204.0.138
FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\q4yspto3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.uol.com.br
FF - component: c:\arquivos de programas\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\q4yspto3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 04:32
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(3816)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\arquivos de programas\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
c:\arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
c:\arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
c:\arquiv~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-06-06 4:52 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-06-06 07:52

Pré-execução: 15 pasta(s) 27.051.200.512 bytes disponíveis
Pós execução: 15 pasta(s) 27.166.842.880 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

185 --- E O F --- 2009-04-29 00:33

Last edited by helpbak; 06-06-2009 at 02:18 AM.
helpbak is offline  
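Added example (not from the thread, and not code from the DDS or ComboFix tools): a small Python triage script that flags, in DDS/ComboFix style log lines, the persistence and defence-evasion indicators visible in the two logs above: executables run from RECYCLER SID folders, the Winlogon "Taskman" hijack, Security Center monitoring disabled, the Windows Firewall switched off, and firewall exceptions or new files for .exe files dropped directly in the user profile root. The sample lines are constructed by copying entries from those logs; the rule names are my own.

```python
"""Triage helper for DDS / ComboFix style logs (added example, not part of
the thread and not code from the DDS or ComboFix tools).

It flags the persistence and defence-evasion patterns that the two logs in
this thread show: executables launched from the recycle bin's S-1-5-21-*
subfolders, a Winlogon "Taskman" value, Windows Security Center monitoring
switched off, the Windows Firewall disabled, and .exe files sitting directly
in a user profile root (lis32.exe, wsk32.exe, wiit32.exe). Rule names are my own.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Stateless rules, applied to each line after doubled backslashes are collapsed.
LINE_RULES = [
    # The recycle bin is a data folder; nothing legitimate runs from it.
    ("RECYCLER_EXE",
     re.compile(r'\\recycler\\s-1-5-21-[0-9-]+\\[^\\\s"]+\.exe', re.I)),
    # Winlogon "Taskman" is absent on a clean XP install; if present it runs at logon.
    ("WINLOGON_TASKMAN",
     re.compile(r'^(mWinlogon: Taskman=|"Taskman"=)', re.I)),
    # Windows Firewall turned off for the standard profile.
    ("FIREWALL_OFF",
     re.compile(r'^"EnableFirewall"=\s*0\b')),
    # An .exe directly under a profile root (not Desktop, not Application Data).
    ("PROFILE_ROOT_EXE",
     re.compile(r'\\documents and settings\\[^\\"]+\\[^\\"\s]+\.exe', re.I)),
]

# Stateful rule: "DisableMonitoring"=1 is only meaningful under a
# Security Center\Monitoring\<product> key, so the enclosing key is tracked.
SECURITY_CENTER_KEY = re.compile(r'security center\\monitoring\\', re.I)
DISABLE_MONITORING = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (rule, line) hit, in log order."""
    findings: list[Finding] = []
    current_key = ""  # last [HKEY_...] header seen in a ComboFix registry dump
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # ComboFix writes firewall-exception paths with doubled backslashes;
        # collapse them so one set of path patterns serves both log formats.
        norm = line.replace("\\\\", "\\")
        if norm.startswith("[") and norm.endswith("]"):
            current_key = norm
            continue
        for name, pattern in LINE_RULES:
            if pattern.search(norm):
                findings.append(Finding(name, line))
        if SECURITY_CENTER_KEY.search(current_key) and DISABLE_MONITORING.search(norm):
            findings.append(Finding("SECURITY_CENTER_OFF", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule, e.g. {'RECYCLER_EXE': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: entries copied from the DDS and ComboFix reports above,
# with a few benign neighbours left in to show they are not flagged.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.uol.com.br/
mWinlogon: Taskman=c:\recycler\s-1-5-21-9615457240-3612855822-129022670-2410\winmap32.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [12CFG914-K641-26SF-N32P] c:\recycler\s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
mRun: [ccApp] "c:\arquivos de programas\arquivos comuns\symantec shared\ccApp.exe"
2009-05-19 11:22 34,164 a------- c:\documents and settings\administrador\lis32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Administrador\\wsk32.exe"=wsk32.exe
"wsk32.exe"= wsk32.exe:BNDMSS
"""


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.rule:<20} {hit.line}")
    print(summarize(hits))
```

Every hit maps onto an entry that the CFScript in the next reply removes (the Taskman value and the wsk32/lis32 firewall exceptions) or that ComboFix had already deleted (the RECYCLER executables).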
Old 06-06-2009, 09:11 AM   #5 (permalink)
Analyst, Security Team
 
CatByte's Avatar
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

Hi,

Most of the infections have already been removed by Combofix, we have just a little more work to do to remove the rest.

It is always a good idea to back up your important documents etc.
Here is a guide on backing up your data:

As I said, it's hard to know if there is further risk once the infections have been cleaned off the machine; there is no way of being 100% certain, which is why we recommend you change your passwords. Just use another machine, that you know is clean, to change all your passwords. It's good practice to change passwords every once in a while anyway.


Please do the following:

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste ALL the text in the codebox below into it: (MAKE SURE YOU DON'T MISS ANYTHING OR CHANGE ANYTHING IN THE CODE BOX BELOW). Do not copy the word "code".



    Code:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/382602-help-bndmss-exe-many-others.html#post2175013
    
    KillAll::
    
    Collect::
    c:\documents and settings\Administrador\lis32.exe
    c:\documents and settings\Administrador\wsk32.exe
    c:\documents and settings\Administrador\wiit32.exe
    
    File::
    c:\windows\Internet Logs\xDB1A.tmp
    c:\windows\Internet Logs\xDB19.tmp
    c:\windows\winstart.bat
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Documents and Settings\\Administrador\\wsk32.exe"=-
    "wsk32.exe"=-
    "c:\\Documents and Settings\\Administrador\\lis32.exe"=-
    "lis32.exe"=-

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"

Upload Samples by ComboFix

When ComboFix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the upload is done you should see a message near the bottom saying "Upload was Successful".


NEXT


Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply I need:
  • ComboFix Log
  • Kaspersky report
__________________


ASAP & UNITE Member
Old 06-06-2009, 11:53 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Hello!

So, I did as you asked, but when ComboFix finished running and showed me the log, it did not show me a window asking to upload the files. And I’m positive that I followed your instructions correctly, so I don’t know why things didn’t go as planned. Like last time, when ComboFix was running it restarted my computer, and I only got the log after it was powered up and ComboFix resumed its procedures. Don’t know if that’s how it’s supposed to work.

I haven’t had the time to read the link regarding backups yet, but will soon. The thing is that I wanted to post this quickly because something else has happened now. One of the viruses, be it a new one, or one that reacted upon removal, has messed up my firefox. Now everything I type, comes out in scrambled letters. And I can’t select any text within the browser. Even the address bar is affected by this!

For example, here’s my attempt at writing “This virus is scrambling everything I type” in the “quick reply” box.

“epyt I gnihtyreve gnilbmarcs si suriv sihT”

Clearly it mirrored the letters’ positions.

Now when I try to write the same phrase in the gmail e-mail box, results are even more bizarre:

“sslirepyt I gnihtyeve gnbmarcc si suriv ihT”

Anyway, you get the picture…

I can still write from other programs such as Microsoft Word though (what I’m using now, actually).

Oh, one more thing, for some reason it seems the ComboFix log didn’t save correctly. It might have mistaken this new report with the old one since both would have the same name, but I thought I’d saved it. I’m sorry for this, either way. Anyway, I know ComboFix is a powerful tool and am afraid of running it with the CFScript again without you telling me to. How should I proceed?

Thank you, again!

Kaspersky report follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, June 06, 2009 22:16:05
Records in database: 2320030
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
P:\

Scan statistics:
Files scanned: 66203
Threat name: 9
Infected objects: 93
Suspicious objects: 0
Duration of the scan: 02:22:00


File name / Threat name / Threats count
C:\Documents and Settings\Administrador\Desktop\Music\Pretenders - Message of love.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\winit32.exe.vir Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe.vir Infected: Trojan.Win32.Pakes.jwk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\bndmss.exe.vir Infected: Backdoor.Win32.Agent.afoj 1
C:\Qoobox\Quarantine\[4]-Submit_2009-06-06_17.23.48.zip Infected: P2P-Worm.Win32.Palevo.dmo 1
C:\Qoobox\Quarantine\[4]-Submit_2009-06-06_17.23.48.zip Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP672\A0443023.exe Infected: P2P-Worm.Win32.Palevo.dmo 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP673\A0445040.exe Infected: P2P-Worm.Win32.Palevo.dmo 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP674\A0445397.exe Infected: P2P-Worm.Win32.Palevo.dmo 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP675\A0446591.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP675\A0447786.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0447807.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0448001.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0449032.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0449036.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449139.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449162.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449182.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449186.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449214.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449215.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0451240.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0452242.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP678\A0452347.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP678\A0453604.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP679\A0453772.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0454892.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0456166.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0456167.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP681\A0456528.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP681\A0456530.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0456629.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0456630.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0457688.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0457784.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0458863.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0458864.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP684\A0461183.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP684\A0461190.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP685\A0462509.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP685\A0462511.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463004.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463005.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463309.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463310.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0463357.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0463358.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464357.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464382.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464403.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP688\A0465892.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP688\A0465893.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0466021.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0466022.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0467246.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0467384.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0469609.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0469715.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0472618.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0472631.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0472654.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0473595.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0473598.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0474646.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0474809.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474906.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474960.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474962.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP693\A0475218.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP694\A0475866.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP694\A0475867.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP695\A0477358.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP695\A0477518.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP696\A0478876.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP696\A0479003.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP697\A0480102.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP697\A0480103.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481510.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481511.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481589.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481644.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481646.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0482650.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0482651.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0483941.exe Infected: Backdoor.Win32.Agent.ahgv 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0483942.exe Infected: Trojan-GameThief.Win32.OnLineGames.bktw 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484036.exe Infected: Trojan.Win32.Pakes.jwk 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484037.exe Infected: Backdoor.Win32.Agent.afoj 1
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484057.exe Infected: P2P-Worm.Win32.Palevo.dlr 1
D:\Programs\Games\Full Games\gta_sa_window.rar Infected: Trojan.Win32.Genome.quk 1
D:\Programs\Programs Leftover\Games\GTA San Andreas\gta_sa_window.zip Infected: Trojan.Win32.Genome.quk 1
D:\Programs\Programs Leftover\beta_soft_start\UltraVNC-100-RC203-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

The selected area was scanned.
Old 06-07-2009, 08:49 AM   #7 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

Quote:
when combofix was running it restarted my computer, and I only got the log after it was powered up and combofix resumed it’s procedures. Don’t know if that’s how it’s supposed to work.
Yes, that is how it proceeds.

~~~~~~~~~~~~~~~~~~~

Please visit this site and copy paste the following bolded text into the 'browse to file to submit' box:

C:\Qoobox\Quarantine\[4]-Submit_2009-06-06_17.23.48.zip

Click 'Send File'

Please advise me once that has been completed.

~~~~~~~~~~~~~~~~~~~

For the jumbled letters, try rebooting a couple of times; the jumbling of letters is a temporary glitch that should correct itself on reboot.

~~~~~~~~~~~~~~~~~~~

Most of what Kaspersky found is either in quarantine or old restore points, which we will clean up shortly.

There are just a couple of infected files left to delete.

Using Windows Explorer (Windows key + E), navigate to the following files and delete them (right-click and select 'Delete'):

C:\Documents and Settings\Administrador\Desktop\Music\Pretenders - Message of love.mp3
D:\Programs\Games\Full Games\gta_sa_window.rar
D:\Programs\Programs Leftover\Games\GTA San Andreas\gta_sa_window.zip
D:\Programs\Programs Leftover\beta_soft_start\UltraVNC-100-RC203-Setup.exe


~~~~~~~~~~~~~~~~~~~

NEXT

Please run DDS one more time and post the resulting log.

Please advise if rebooting does not resolve the jumbled text issue and advise of any other issues you may be having.
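The triage CatByte does above (findings in ComboFix's quarantine or in old restore points are already neutralised; only the handful of live files need manual deletion) can be automated over a Kaspersky Online Scanner 7.0 report. The script below is an added example, not code from the thread or from Kaspersky; the sample report is constructed from a subset of the findings posted above, and the bucket names are my own.

```python
"""Triage a Kaspersky Online Scanner 7.0 report: separate findings that are
already contained (ComboFix quarantine under C:\\Qoobox, System Restore
point copies) from live files that still need action.

Added example, not part of the forum thread; the sample report below is
constructed from the thread's own findings."""
import re
from collections import Counter

# One report line looks like: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Location classes; compared case-insensitively because Windows paths are.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
RESTORE_MARKER = "\\system volume information\\_restore{"


def parse_report_line(line: str):
    """Return (path, threat, count) for a finding line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("threat"), int(m.group("count"))


def classify(path: str) -> str:
    """Bucket a finding by where it lives on disk (bucket names are my own).

    quarantine - already captured by ComboFix under C:\\Qoobox\\Quarantine
    restore    - a copy inside a System Restore point; inert unless restored
    live       - anything else: still on the filesystem and needs action
    """
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore"
    return "live"


def triage(report_text: str) -> dict:
    """Group findings by bucket and count how often each threat name occurs."""
    buckets = {"quarantine": [], "restore": [], "live": []}
    families = Counter()
    for line in report_text.splitlines():
        parsed = parse_report_line(line)
        if parsed is None:
            continue  # header, statistics or blank line
        path, threat, _count = parsed
        buckets[classify(path)].append((path, threat))
        families[threat] += 1
    return {"buckets": buckets, "families": families}


def live_paths(report_text: str) -> list:
    """The list a helper would hand the user to delete manually."""
    return [path for path, _ in triage(report_text)["buckets"]["live"]]


# Constructed sample: a subset of the report posted in the thread.
SAMPLE_REPORT = """\
Scan statistics:
Files scanned: 66203
C:\\Documents and Settings\\Administrador\\Desktop\\Music\\Pretenders - Message of love.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\bndmss.exe.vir Infected: Backdoor.Win32.Agent.afoj 1
C:\\Qoobox\\Quarantine\\[4]-Submit_2009-06-06_17.23.48.zip Infected: P2P-Worm.Win32.Palevo.dmo 1
C:\\System Volume Information\\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\\RP672\\A0443023.exe Infected: P2P-Worm.Win32.Palevo.dmo 1
C:\\System Volume Information\\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\\RP698\\A0481589.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
D:\\Programs\\Games\\Full Games\\gta_sa_window.rar Infected: Trojan.Win32.Genome.quk 1
D:\\Programs\\Programs Leftover\\beta_soft_start\\UltraVNC-100-RC203-Setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

The selected area was scanned.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, items in result["buckets"].items():
        print(f"{name}: {len(items)} finding(s)")
    print("Needs manual action:")
    for path in live_paths(SAMPLE_REPORT):
        print("  ", path)
```

Run it against a full saved report (the "Save as Text" file from the scanner) by reading the file into `triage`; the live bucket is the list to act on, the other two are the clean-up ComboFix handles.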
Old 06-07-2009, 02:21 PM   #8 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Hello!

The jumbled text issue is gone after a reboot, thank you!

I have also deleted what you asked, and submitted the requested file.

Since I couldn't provide the ComboFix log last time, do we need to run it again? Or was the log valid only at that time? I'm sorry for asking, I know you know what you're doing, just hoping to learn a thing or two and be educated on this matter, you know, get something good out of this whole experience!

Attach.txt is attached to the post, and DDS.txt follows:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrador at 17:11:40,93 on dom 07/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1023.651 [GMT -3:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\ARQUIV~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\ARQUIV~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrador\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.uol.com.br/
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\arquivos de programas\norton systemworks\norton antivirus\NavShExt.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\arquiv~1\textware\quickf~1\plugins\IEHelp.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\arquivos de programas\norton systemworks\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Smapp] c:\arquivos de programas\analog devices\soundmax\SMTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\arquivos de programas\arquivos comuns\symantec shared\ccApp.exe"
mRun: [Norton Ghost 9.0] c:\arquivos de programas\norton systemworks\norton ghost\agent\GhostTray.exe
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre1.6.0_01\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ZoneAlarm Client] "c:\arquivos de programas\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [BigDogPath] c:\windows\VM_STI.EXE D-Link DSB-C320
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\arquivos de programas\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {0FC41652-71B3-4531-8E46-0436FD819D16} = 200.204.0.10 200.204.0.138
TCP: {69068BDA-85F6-4F4B-BD1C-F625EC936964} = 200.204.0.10,200.204.0.138
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\arquivos de programas\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\dadosd~1\mozilla\firefox\profiles\q4yspto3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.uol.com.br
FF - plugin: c:\documents and settings\administrador\dados de aplicativos\mozilla\firefox\profiles\q4yspto3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-8-2 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-8-2 46779]
R1 SAVRTPEL;SAVRTPEL;c:\arquivos de programas\norton systemworks\norton antivirus\Savrtpel.sys [2004-7-23 49808]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-7-7 394192]
R2 Agendador do LiveUpdate automático;Agendador do LiveUpdate automático;c:\arquivos de programas\symantec\liveupdate\AluSchedulerSvc.exe [2007-4-27 100032]
R2 ccEvtMgr;Symantec Event Manager;c:\arquivos de programas\arquivos comuns\symantec shared\ccEvtMgr.exe [2004-9-14 197752]
R2 ccSetMgr;Symantec Settings Manager;c:\arquivos de programas\arquivos comuns\symantec shared\ccSetMgr.exe [2004-9-14 164984]
R2 navapsvc;Serviço do Auto-Protect do Norton AntiVirus;c:\arquivos de programas\norton systemworks\norton antivirus\navapsvc.exe [2004-8-31 177280]
R2 NProtectService;Norton Unerase Protection;c:\arquiv~1\norton~1\norton~1\NPROTECT.EXE [2004-9-16 99432]
R2 Symantec Core LC;Symantec Core LC;c:\arquivos de programas\arquivos comuns\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-26 819352]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 NAVENG;NAVENG;c:\arquiv~1\arquiv~1\symant~1\virusd~1\20080423.025\NAVENG.Sys [2008-4-23 82256]
R3 NAVEX15;NAVEX15;c:\arquiv~1\arquiv~1\symant~1\virusd~1\20080423.025\NavEx15.Sys [2008-4-23 895408]
R3 SAVRT;SAVRT;c:\arquivos de programas\norton systemworks\norton antivirus\savrt.sys [2004-7-23 335504]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 SBService;ScriptBlocking Service;c:\arquiv~1\arquiv~1\symant~1\script~1\SBServ.exe [2004-8-31 66688]
S3 ccPwdSvc;Symantec Password Validation;c:\arquivos de programas\arquivos comuns\symantec shared\ccPwdSvc.exe [2004-9-14 78968]
S3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [2007-4-26 13324]
S3 SAVScan;SAVScan;c:\arquivos de programas\norton systemworks\norton antivirus\SAVScan.exe [2004-7-23 197864]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [2007-4-26 49920]
S3 ZSMC302;D-Link DSB-C320;c:\windows\system32\drivers\usbvm302.sys [2008-9-13 195263]

=============== Created Last 30 ================

2009-06-06 04:25 <DIR> a-dshr-- C:\cmdcons
2009-06-06 04:23 161,792 a------- c:\windows\SWREG.exe
2009-06-06 04:23 154,624 a------- c:\windows\PEV.exe
2009-06-06 04:23 98,816 a------- c:\windows\sed.exe

==================== Find3M ====================

2009-05-02 20:39 347,294 a------- c:\windows\system32\perfh016.dat
2009-05-02 20:39 49,586 a------- c:\windows\system32\perfc016.dat
2008-02-23 12:25 0 a------- c:\documents and settings\administrador\Emails.dat

============= FINISH: 17:12:08,07 ===============
Attached Files
File Type: rar Attach.rar (2.6 KB, 2 views)
Old 06-07-2009, 06:27 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Oh, good news, I found the previous missing ComboFix log!

Here it is:

ComboFix 09-06-05.07 - Administrador 06/06/2009 17:24.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.1023.662 [GMT -3:00]
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\Internet Logs\xDB19.tmp"
"c:\windows\Internet Logs\xDB1A.tmp"
"c:\windows\winstart.bat"

file zipped: c:\documents and settings\Administrador\lis32.exe
file zipped: c:\documents and settings\Administrador\wiit32.exe
file zipped: c:\documents and settings\Administrador\wsk32.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrador\lis32.exe
c:\documents and settings\Administrador\wiit32.exe
c:\documents and settings\Administrador\wsk32.exe
c:\windows\Internet Logs\xDB19.tmp
c:\windows\Internet Logs\xDB1A.tmp
c:\windows\winstart.bat

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-06 to 2009-06-06 ))))))))))))))))))))))))))))
.

Nenhum ficheiro/arquivo criado durante este período

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 20:22 . 2007-04-26 22:50 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Symantec Shared
2009-05-02 23:39 . 2009-05-02 23:39 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\MailFrontier
2009-05-02 23:39 . 2001-10-28 15:07 49586 ----a-w- c:\windows\system32\perfc016.dat
2009-05-02 23:39 . 2001-10-28 15:07 347294 ----a-w- c:\windows\system32\perfh016.dat
2009-03-11 03:38 . 2007-10-27 13:34 14045165 ----a-w- c:\windows\Internet Logs\tvDebug.zip
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\arquivos de programas\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"ccApp"="c:\arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2004-09-14 58488]
"Norton Ghost 9.0"="c:\arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [2004-08-02 1122304]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]
"ZoneAlarm Client"="c:\arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 919280]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Arquivos de programas\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Arquivos de programas\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"c:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2/8/2004 17:04 138780]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2/8/2004 17:23 46779]
R2 Agendador do LiveUpdate automático;Agendador do LiveUpdate automático;c:\arquivos de programas\Symantec\LiveUpdate\AluSchedulerSvc.exe [27/4/2007 14:33 100032]
R2 NProtectService;Norton Unerase Protection;c:\arquiv~1\NORTON~1\NORTON~1\NPROTECT.EXE [16/9/2004 14:50 99432]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [26/4/2007 19:43 13324]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [26/4/2007 19:41 49920]
S3 ZSMC302;D-Link DSB-C320;c:\windows\system32\drivers\usbvm302.sys [13/9/2008 14:38 195263]
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-03-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]

2009-06-06 c:\windows\Tasks\HP Usg Daily.job
- c:\arquivos de programas\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-04-01 19:03]

2009-06-05 c:\windows\Tasks\Norton AntiVirus - Verificar o meu computador - Administrador.job
- c:\arquiv~1\NORTON~1\NORTON~3\Navw32.exe [2004-08-31 16:06]

2009-06-01 c:\windows\Tasks\One Button Checkup do Norton SystemWorks.job
- c:\arquivos de programas\Norton SystemWorks\OBC.exe [2004-09-16 18:22]

2009-06-05 c:\windows\Tasks\Symantec Drmc.job
- c:\arquivos de programas\Arquivos comuns\Symantec Shared\SymDrmc.exe [2004-08-31 03:40]

2009-06-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 01:18]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.uol.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {0FC41652-71B3-4531-8E46-0436FD819D16} = 200.204.0.10 200.204.0.138
TCP: {69068BDA-85F6-4F4B-BD1C-F625EC936964} = 200.204.0.10,200.204.0.138
FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\q4yspto3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.uol.com.br
FF - component: c:\arquivos de programas\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\q4yspto3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-06 17:33
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(6516)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
c:\arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\arquivos de programas\Bonjour\mDNSResponder.exe
c:\windows\system32\gearsec.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
c:\arquivos de programas\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
c:\arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
c:\arquiv~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
c:\arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-06-06 17:38 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-06-06 20:38
ComboFix2.txt 2009-06-06 07:52

Pré-execução: 15 pasta(s) 26.906.046.464 bytes disponíveis
Pós execução: 15 pasta(s) 26.943.602.688 bytes disponíveis

165 --- E O F --- 2009-04-29 00:33
helpbak is offline  
Old 06-07-2009, 07:16 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

Hi,

As mentioned in our pre-posting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
Quote:
Uninstall the following via Add or Remove Programs in Control Panel:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.
P2P - I see you have P2P software Limewire installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.


NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 14. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version 9.1)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

You can delete the DDS and GMER folders from your desktop.

NEXT


Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.





NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program (e.g. TeaTimer, Windows Defender) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here


    If you choose to use Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
__________________


ASAP & UNITE Member
CatByte is offline  
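The ComboFix log in the post above shows what a responder looks for in the "Pontos de Carregamento do Registro" section: Security Center monitoring switched off, the Windows Firewall disabled (EnableFirewall = 0), and a P2P client (LimeWire) holding a firewall exception. The reply then asks for the Internet Explorer Internet-zone ActiveX options to be set to Prompt/Prompt/Disable. The following Python script is an added example (not part of this thread, ComboFix, or any of the tools mentioned) that parses REGEDIT4-style excerpts such as the ones ComboFix prints and flags those conditions. The first four key blocks in its sample input are copied from the log above; the Zones\3 block is a constructed "before hardening" state, and the value names 1001, 1004 and 1201 are the real Internet Settings zone values for the three ActiveX options (0 = Enable, 1 = Prompt, 3 = Disable).

```python
"""Posture triage for REGEDIT4-style registry excerpts (added example).

Reads the bracketed [key] / "name"=value lines that ComboFix prints in its
registry loading-points section (the same layout a .reg export uses) and
flags settings a responder would want to see: Security Center monitoring
switched off, the Windows Firewall disabled, P2P clients holding firewall
exceptions, and Internet Explorer Internet-zone ActiveX options weaker
than the Prompt / Prompt / Disable settings recommended in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first four key blocks are copied from the
# ComboFix log posted in this thread; the Zones\3 block is a hypothetical
# "before hardening" state (all three ActiveX options set to 0 = Enable).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\LimeWire\\LimeWire.exe"=

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000000
"""

# P2P clients named in the pre-posting instructions quoted in the reply.
P2P_NAMES = ("utorrent", "bittorrent", "limewire", "morpheus")

# Internet zone (Zones\3) ActiveX value names and the setting asked for.
# Data meaning: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_TARGET = {
    "1001": (1, "Download signed ActiveX controls", "Prompt"),
    "1004": (1, "Download unsigned ActiveX controls", "Prompt"),
    "1201": (3, "Initialize and script ActiveX controls not marked as safe", "Disable"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each lower-cased key path to its {value name: raw data} entries."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def as_int(raw: Optional[str]) -> Optional[int]:
    """Decode 'dword:00000001' or ComboFix's ' 0 (0x0)' rendering; None if absent."""
    if raw is None:
        return None
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    match = re.match(r"^(\d+)", raw)
    return int(match.group(1)) if match else None


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for weakened settings found in the excerpt."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        if "security center\\monitoring\\" in key and as_int(values.get("DisableMonitoring")) == 1:
            findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1]))
        if key.endswith("firewallpolicy\\standardprofile") and as_int(values.get("EnableFirewall")) == 0:
            findings.append(("windows-firewall-disabled", key))
        if key.endswith("authorizedapplications\\list"):
            for app in values:
                if any(p in app.lower() for p in P2P_NAMES):
                    findings.append(("p2p-firewall-exception", app))
        if key.endswith("internet settings\\zones\\3"):
            for name, (want, desc, label) in ACTIVEX_TARGET.items():
                got = as_int(values.get(name))
                if got != want:
                    findings.append(("ie-activex-weak", f"{name} ({desc}) = {got}, expected {want} ({label})"))
    return findings


def triage_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse a registry excerpt and triage it."""
    return triage(parse_export(text))


if __name__ == "__main__":
    for finding, detail in triage_text(SAMPLE_EXPORT):
        print(f"{finding:40} {detail}")
```

Run against the sample it reports seven findings: both DisableMonitoring entries, the disabled firewall, the LimeWire exception, and all three ActiveX options. Once the zone values are set as the reply describes (1001 and 1004 to 1, 1201 to 3), the Zones\3 block produces no findings, which makes the script a quick way to confirm the hardening step actually took effect.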
Old 06-09-2009, 09:29 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Hello!

I haven't had the time to follow all the instructions of your last post yet as this week has proven to be a very busy one.

I ask that you please bear with me a few more days, as I know that if you don't hear from me the thread will be closed.

Thank you very much, yet again!
helpbak is offline  
Old 06-12-2009, 06:06 PM   #12 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Hello!

I followed the instructions of your last post, and following recommendation given to other people on these forums, I have installed Avira's AV since, like I said in my first post, my Norton seemed to have stopped working leaving me completely unprotected. I ran Full System Scan with Avira, twice.

I know you didn't ask for that to be done, but Avira detected one hundred something detections on its first run and just 1 detection on its second. Anyway, I'm posting the log for the first scan here in case you should think it worthy taking a look.

Thank you so much for all your help and patience!

Avira AntiVir Personal
Report file date: sexta-feira, 12 de junho de 2009 19:11

Scanning for 1464231 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : Administrador
Computer name : CLAUDIAWS

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 3/6/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 12/6/2009 22:09:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 27/2/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 20/2/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 27/2/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 11/2/2009 00:33:26
ANTIVIR2.VDF : 7.1.4.87 2982912 Bytes 12/6/2009 22:09:47
ANTIVIR3.VDF : 7.1.4.88 2048 Bytes 12/6/2009 22:09:47
Engineversion : 8.2.0.187
AEVDF.DLL : 8.1.1.1 106868 Bytes 12/6/2009 22:09:47
AESCRIPT.DLL : 8.1.2.6 409978 Bytes 12/6/2009 22:09:47
AESCN.DLL : 8.1.2.3 127347 Bytes 12/6/2009 22:09:47
AERDL.DLL : 8.1.1.3 438645 Bytes 29/10/2008 22:24:41
AEPACK.DLL : 8.1.3.18 401783 Bytes 12/6/2009 22:09:47
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 27/2/2009 00:01:56
AEHEUR.DLL : 8.1.0.131 1786232 Bytes 12/6/2009 22:09:47
AEHELP.DLL : 8.1.3.6 205174 Bytes 12/6/2009 22:09:47
AEGEN.DLL : 8.1.1.45 348532 Bytes 12/6/2009 22:09:47
AEEMU.DLL : 8.1.0.9 393588 Bytes 9/10/2008 18:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 12/6/2009 22:09:47
AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 5/12/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 20/1/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 5/12/2008 14:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 24/3/2009 19:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 30/1/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 28/1/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 5/12/2008 14:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 12/6/2009 22:09:47
RCTEXT.DLL : 9.0.37.0 86785 Bytes 17/4/2009 14:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\arquivos de programas\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: sexta-feira, 12 de junho de 2009 19:11

Starting search for hidden objects.
'40297' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'VM_STI.EXE' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '0' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'SMTray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'WgaTray.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '50' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Administrador\Desktop\Personal Folder\185.85_desktop_winxp_32bit_english_whql.exe.part
[0] Archive type: CAB SFX (self extracting)
--> \data1.hdr
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Administrador\Desktop\Personal Folder\NSW.2k5.Premier.Keygen.exe
[DETECTION] Is the TR/Agent.15296.A Trojan
C:\Qoobox\Quarantine\[4]-Submit_2009-06-06_17.23.48.zip
[0] Archive type: ZIP
--> lis32.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
--> wiit32.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
--> wsk32.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\lis32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\wiit32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\winit32.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\wsk32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe.vir
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe.vir
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-9615457240-3612855822-129022670-2410\winmap32.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\bndmss.exe.vir
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP670\A0440601.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP672\A0443023.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP673\A0445040.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP674\A0445397.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP674\A0445558.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP675\A0446591.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP675\A0447786.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0447807.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0448001.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0449032.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0449036.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449139.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449162.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449182.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449186.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449214.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449215.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0451240.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0452242.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP678\A0452347.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP678\A0453604.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP679\A0453772.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0454892.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0456166.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0456167.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP681\A0456528.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP681\A0456530.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0456629.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0456630.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0457688.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0457784.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0458863.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0458864.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP684\A0461183.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP684\A0461190.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP685\A0462509.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP685\A0462511.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463004.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463005.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463309.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463310.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0463357.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0463358.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464357.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464382.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464403.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP688\A0465892.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP688\A0465893.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0466021.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0466022.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0467246.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0467384.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0469609.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0469715.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0472618.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0472631.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0472654.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0473595.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0473598.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0474646.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0474809.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474906.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474960.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474962.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP693\A0475218.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP694\A0475866.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP694\A0475867.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP695\A0477358.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP695\A0477518.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP696\A0478876.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP696\A0479003.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP697\A0480102.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP697\A0480103.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481510.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481511.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481610.exe
[DETECTION] Is the TR/Dldr.Agent.1274031 Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481644.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481646.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0482650.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0482651.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0483941.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0483942.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484036.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484037.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484057.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484086.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484349.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484350.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484351.exe
[DETECTION] Is the TR/Trash.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\Administrador\Desktop\Personal Folder\NSW.2k5.Premier.Keygen.exe
[DETECTION] Is the TR/Agent.15296.A Trojan
[NOTE] The file was moved to '4a89dd10.qua'!
C:\Qoobox\Quarantine\[4]-Submit_2009-06-06_17.23.48.zip
[NOTE] The file was moved to '4a8fdcf1.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\lis32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4aa5dd26.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\wiit32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a9bdd26.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\winit32.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4aa0dd26.qua'!
C:\Qoobox\Quarantine\C\Documents and Settings\Administrador\wsk32.exe.vir
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a9ddd30.qua'!
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe.vir
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4a97dd30.qua'!
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\exe32.exe.vir
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '4a97dd35.qua'!
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-21-9615457240-3612855822-129022670-2410\winmap32.exe.vir
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '498a3e97.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bndmss.exe.vir
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4a96dd2b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP670\A0440601.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a66dced.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP672\A0443023.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b03668e.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP673\A0445040.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '494a270e.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP674\A0445397.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4948df46.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP674\A0445558.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4949d79e.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP675\A0446591.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4956cfd6.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP675\A0447786.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4957c7ee.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0447807.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4954fe26.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0448001.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4a66dcee.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0449032.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4952eeb7.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP676\A0449036.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4953e6cf.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449139.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '49509d07.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449162.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4951955f.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449182.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '495e8d97.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449186.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '495f85af.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449214.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '495cbde7.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0449215.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '495db43f.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0451240.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '495aac77.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP677\A0452242.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4a66dcef.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP678\A0452347.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4931c248.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP678\A0453604.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '493efa70.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP679\A0453772.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '493ff2b8.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0454892.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '493ceae0.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0456166.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '493de128.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP680\A0456167.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4a66dcf0.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP681\A0456528.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '493b9199.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP681\A0456530.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '493889c1.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0456629.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '49398009.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0456630.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4906b831.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP682\A0457688.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4907b079.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0457784.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4904a8a1.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0458863.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4905a0e9.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP683\A0458864.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '49025f11.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP684\A0461183.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '49035759.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP684\A0461190.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '49004f81.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP685\A0462509.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '490147c9.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP685\A0462511.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '490e7ff1.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463004.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '490f7639.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463005.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '490c6e61.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463309.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '490d66a9.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP686\A0463310.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '490a1ed1.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0463357.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '490b1519.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0463358.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4a66dcf1.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464357.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4909058a.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464382.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '49163db2.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP687\A0464403.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '491735fa.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP688\A0465892.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '49142c22.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP688\A0465893.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4915246a.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0466021.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4913dc92.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0466022.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4910d4da.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0467246.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4911d302.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP689\A0467384.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '491ecb4a.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0469609.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '491fc372.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0469715.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '491cfbba.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0472618.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '491df3e2.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP690\A0472631.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '491aea2a.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0472654.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '491be252.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0473595.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '49189a9a.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0473598.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '491992c2.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0474646.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '49e4a692.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP691\A0474809.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '490c3f6a.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474906.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '490d3792.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474960.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '490a2fda.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP692\A0474962.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '490b2602.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP693\A0475218.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4a66dcf2.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP694\A0475866.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4916d673.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP694\A0475867.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4917cebb.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP695\A0477358.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4914c6e3.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP695\A0477518.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4915fd2b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP696\A0478876.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4912f553.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP696\A0479003.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4913ed9b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP697\A0480102.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4910e5c3.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP697\A0480103.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '49119c0b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481510.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '491e9433.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481511.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '491f8c7b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481610.exe
[DETECTION] Is the TR/Dldr.Agent.1274031 Trojan
[NOTE] The file was moved to '491c84a3.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481644.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '491bb35b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0481646.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4b001edb.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0482650.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '491dbceb.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP698\A0482651.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '4918ab83.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0483941.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4919a3cb.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0483942.exe
[DETECTION] Is the TR/Hijacker.Gen Trojan
[NOTE] The file was moved to '49e65bf3.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484036.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to '49e7523b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484037.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '49e44a63.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484057.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '49e542ab.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484086.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '49e27ad3.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484349.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49e3711b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484350.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49e06943.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484351.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49e1618b.qua'!


End of the scan: Friday, 12 June 2009 19:54
Used time: 38:28 Minute(s)

The scan has been done completely.

5628 Scanned directories
270705 Files were scanned
101 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
99 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
270603 Files not concerned
1606 Archives were scanned
3 Warnings
100 Notes
40297 Objects were scanned with rootkit scan
0 Hidden objects were found
Old 06-12-2009, 06:20 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

Hi,

Everything except one file was in quarantine or old system restore points, which would have been cleaned with the Combofix /u command.

Have you done that?

Except for this file:

C:\Documents and Settings\Administrador\Desktop\Personal Folder\NSW.2k5.Premier.Keygen.exe

which should be proof enough of the perils of peer-to-peer file sharing....

I suggest you locate and delete this file now if it wasn't taken care of by Avira.

Please advise how your computer is running now or if there are any outstanding issues?
__________________


ASAP & UNITE Member
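The sorting CatByte does by eye above (everything but one file was already in quarantine or in an old restore point) is worth automating when a report runs to hundreds of lines. The Python script below is an added example, not code from the thread, from Avira or from ComboFix. It reads the report format shown in the thread (a Windows path on one line, a "[DETECTION] ..." line under it and, in the disinfection section, a "[NOTE] The file was moved to '...'!" line), buckets each detection by whether the path is on the live file system, under ComboFix's C:\Qoobox\Quarantine, or inside a System Volume Information restore point, and cross-checks the count of "moved to" lines against the report's own "Files were moved to quarantine" total. The embedded sample log is constructed from paths and detection names that appear in the thread and is not the full log; the quarantine and restore-point layouts it keys on are assumptions stated in the comments.

```python
"""Triage an Avira AntiVir report: which detections still need action?
Added example, not code from the thread or from Avira.  Hits are bucketed by
where they were found (live disk, ComboFix quarantine, XP restore point) and
the "[NOTE] ... moved" lines are checked against the report's quarantine total.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the report format seen in the thread (not the full log).
SAMPLE_LOG = r"""
C:\Documents and Settings\Administrador\Desktop\Personal Folder\NSW.2k5.Premier.Keygen.exe
[DETECTION] Is the TR/Agent.15296.A Trojan
Beginning disinfection:
C:\Documents and Settings\Administrador\Desktop\Personal Folder\NSW.2k5.Premier.Keygen.exe
[DETECTION] Is the TR/Agent.15296.A Trojan
[NOTE] The file was moved to '4a89dd10.qua'!
C:\Qoobox\Quarantine\[4]-Submit_2009-06-06_17.23.48.zip
[NOTE] The file was moved to '4a8fdcf1.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bndmss.exe.vir
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to '4a96dd2b.qua'!
C:\System Volume Information\_restore{293336BA-1780-4C0C-9CFE-418BDB2948E2}\RP699\A0484351.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49e1618b.qua'!
4 Files were moved to quarantine
"""

_WIN_PATH = re.compile(r"^[A-Za-z]:\\")
_DETECTION = re.compile(r"^\[DETECTION\]\s+(?P<text>.+?)\s*$")
_NOTE_MOVED = re.compile(r"^\[NOTE\] The file was moved to '(?P<qua>[^']+)'!")
_SUMMARY_MOVED = re.compile(r"^(?P<n>\d+)\s+Files were moved to quarantine")
# Assumed layouts: ComboFix quarantines under C:\Qoobox\Quarantine (.vir files);
# XP restore points live under System Volume Information\_restore{GUID}\RPnnn.
_RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
_QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Hit:
    path: str
    detection: str
    moved_to: Optional[str] = None  # Avira .qua name once disinfected

    @property
    def location(self) -> str:
        if _RESTORE_POINT.search(self.path):
            return "restore_point"  # dropped once a fresh restore point replaces the old ones
        if self.path.lower().startswith(_QUARANTINE_PREFIX):
            return "quarantine"     # already contained; "ComboFix /u" deletes it
        return "live"               # still on the running system: act on it


def parse_avira_log(text: str) -> Tuple[Dict[str, Hit], int, Optional[int]]:
    """Return (hits by path, count of '[NOTE] moved' lines, summary's moved total).
    The disinfection section repeats the scan listing, so each path yields one Hit."""
    hits: Dict[str, Hit] = {}
    moved_lines, summary_moved, last_path = 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if _WIN_PATH.match(line):
            last_path = line
            continue
        m = _DETECTION.match(line)
        if m and last_path is not None:
            hits.setdefault(last_path, Hit(last_path, m.group("text")))
            continue
        m = _NOTE_MOVED.match(line)
        if m:
            moved_lines += 1  # counted even when no [DETECTION] line preceded it
            if last_path in hits:
                hits[last_path].moved_to = m.group("qua")
            continue
        m = _SUMMARY_MOVED.match(line)
        if m:
            summary_moved = int(m.group("n"))
    return hits, moved_lines, summary_moved


def triage(hits: Dict[str, Hit]) -> Dict[str, List[Hit]]:
    """Bucket hits so the live ones stand out from the already-contained ones."""
    groups: Dict[str, List[Hit]] = {"live": [], "quarantine": [], "restore_point": []}
    for hit in hits.values():
        groups[hit.location].append(hit)
    return groups


def report(text: str) -> str:
    """Counts per bucket, an ACTION line per live hit, and the moved-count cross-check."""
    hits, moved_lines, summary_moved = parse_avira_log(text)
    groups = triage(hits)
    out = [f"{len(hits)} distinct detections"]
    out += [f"  {loc:<14}{len(groups[loc])}" for loc in groups]
    for hit in groups["live"]:
        state = f"moved to {hit.moved_to}" if hit.moved_to else "STILL ON DISK"
        out.append(f"ACTION: {hit.path} [{hit.detection}] -> {state}")
    if summary_moved is not None and summary_moved != moved_lines:
        out.append(f"WARNING: summary says {summary_moved} moved, log lists {moved_lines}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample it prints one ACTION line, for the keygen on the Desktop, and no warning, because the four "moved to" lines (including the quarantine archive that had no detection of its own) match the summary's total. Feed it a full report and a mismatch between those two numbers, or a live hit marked STILL ON DISK, is what to look at first.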
Old 06-12-2009, 09:17 PM   #14 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Hello!

Actually I installed and ran Avira before following your instructions. Then after seeing the virus detections, the only instruction I jumped was the combofix /u one, because I thought "if I still have infections, I might still need it, so why bother uninstalling it now". I am sorry if this has caused some sort of fallback as you didn't tell me to install Avira, nor to run a scan. I was just afraid of something happening again since Norton wasn't protecting my computer, and I only have that and Zonealarm, which from what I understand works only as a very secure firewall.

Should I still go ahead and do the Combofix /u? Even after Avira apparently moved the files?

Anyway, yes, that NSW.2K5 file. My tech guy installed the copy for Norton 2005 "free of charge" back in 2007. I found it strange, but didn't question him much about it; he'd already charged a hefty price anyway. Then about a year back I learned what a keygen was, moreover that there were websites for such things. I've never had a program I didn't buy, but since it was already installed, seemingly working fine, I didn't bother getting another. Actually, I hadn't even remembered all of that up till the moment you asked about the file. Could it be the reason Norton ceased to work?

Anyway, Norton is uninstalled now, replaced by Avira. How should I proceed?

Thank you!
Old 06-12-2009, 09:53 PM   #15 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

Please do all the clean-up as I posted. That will set a new restore point and clean out the remainder of the quarantined files... then you should be fine.
__________________


ASAP & UNITE Member
Old 06-13-2009, 10:13 AM   #16 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 9
OS: Windows XP


Re: Help! bndmss.exe and many others!

Hello!

I have done as instructed. The computer seems to be running fine now. I will back up my files and reformat it.

Thank you so much for your help!
Old 06-13-2009, 10:18 AM   #17 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,163
OS: XP sp3


Re: Help! bndmss.exe and many others!

You are quite welcome

stay safe

CB
__________________


ASAP & UNITE Member
 


Copyright 2001 - 2009, Tech Support Forum