Hello, i need help, huge infection in 3 computers!


Post by huguini » August 21st, 2008, 7:46 pm

Hello, I have all my pen drives (5 of them) with fun.xls.exe and knight.exe, and my 3 computers are also infected. The computers are also infected with msfun80.exe, and for now I will post the log from my main computer. Should I create a topic for each one of them, or should I use the next replies to post the other two logs from HijackThis?

I also tried to delete stuff from the registry that had the virus name; maybe I shouldn't have done it...

Thank you in advance!!

Here goes the log from the "main computer".

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:44:49, on 22-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Intel\Wireless\Bin\EvtEng.exe
C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\eBoostr\EBstrSvc.exe
C:\Programas\FolderSize\FolderSizeSvc.exe
C:\Programas\CDBurnerXP\NMSAccessU.exe
C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
C:\Programas\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\UPHClean\uphclean.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Programas\TightVNC\WinVNC.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\Programas\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\AnalogX\NetStat Live\nsl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\PhraseExpress\PhraseExpress.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\Unlocker\UnlockerAssistant.exe
C:\Programas\Notebook Hardware Control\nhc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\algsrvs.exe
C:\Programas\Task Killer\taskkiller.exe
C:\Programas\Windows Live\Messenger\msnmsgr.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\ClamWin\bin\ClamTray.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\Launchy\Launchy.exe
C:\Programas\eBoostr\eBoostrCP.exe
C:\Programas\FileBX\FileBX.exe
C:\Programas\ProcessTamer\ProcessTamerTray.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\FirefoxPortableTest\App\firefox\firefox.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\foobar2000\foobar2000.exe
C:\Programas\Last.fm\LastFM.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programas\DiskTrix\UltimateDefrag\UDefrag.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programas\Winamp Toolbar\winamptb.dll
O2 - BHO: Google Update Helper - {25D596E9-BD03-4D4A-8310-5DF3B31E8D26} - C:\Programas\Google\Update\1.2.121.17\GoopdateBho.dll
O2 - BHO: IEHelperObject - {4DC16316-5372-4476-9CA5-88B2786B838F} - C:\Programas\humyo.com Client\HrfsDownloader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programas\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programas\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programas\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NetStat Live] "C:\Programas\AnalogX\NetStat Live\nsl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PhraseExpress] C:\Programas\PhraseExpress\PhraseExpress.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ClickZap] //~
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programas\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Programas\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [WinVNC] //~c:\programas\tightvnc\winvnc.exe -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Task Killer] C:\Programas\Task Killer\taskkiller.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClamWin] "C:\Programas\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FileBox eXtender.lnk = C:\Programas\FileBX\FileBX.exe
O4 - Startup: ProcessTamer.lnk = C:\Programas\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: Launchy.lnk = C:\Programas\Launchy\Launchy.exe
O4 - Global Startup: eBoostr Control Panel.lnk = C:\Programas\eBoostr\eBoostrCP.exe
O4 - Global Startup: humyo.com Client.lnk.disabled
O4 - Global Startup: Desktop Media.lnk = C:\Programas\Desktop Media\mediadetect.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Save Image To humyo.com - C:\Programas\humyo.com Client\download.html
O8 - Extra context menu item: Save Target To humyo.com - C:\Programas\humyo.com Client\download.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programas\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programas\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d ... o-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C05E44A6-2D94-4EF4-A587-EEC36BA6F9EC}: NameServer = 195.22.0.33,195.22.0.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{F477614E-D24E-42C3-A7C3-5FA4423ED187}: NameServer = 172.20.200.10
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - Unknown owner - C:\Programas\eBoostr\EBstrSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programas\FolderSize\FolderSizeSvc.exe
O23 - Service: Gerenciador do Google Desktop 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c89a832d6895e2) (gupdate1c89a832d6895e2) - Google Inc. - C:\Programas\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Programas\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programas\CDBurnerXP\NMSAccessU.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Slawdog Smart Shutdown - Slawdog E-Solutions, Inc. - C:\Programas\Slawdog\Smart Shutdown\Smart Shutdown.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Programas\TightVNC\WinVNC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programas\RealVNC\VNC4\WinVNC4.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe

--
End of file - 12549 bytes

Re: Hello, i need help, huge infection in 3 computers!

Post by suebaby41 » August 28th, 2008, 12:54 pm

Welcome to the Malware removal Forums. Since it has been a few days since you scanned your computer with HijackThis, please post a new HijackThis Log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Re: Hello, i need help, huge infection in 3 computers!

Post by huguini » August 30th, 2008, 5:22 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:25, on 30-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Intel\Wireless\Bin\EvtEng.exe
C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\Programas\eBoostr\EBstrSvc.exe
C:\Programas\FolderSize\FolderSizeSvc.exe
C:\Programas\CDBurnerXP\NMSAccessU.exe
C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
C:\Programas\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\UPHClean\uphclean.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Programas\TightVNC\WinVNC.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\Programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\AnalogX\NetStat Live\nsl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\PhraseExpress\PhraseExpress.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\Unlocker\UnlockerAssistant.exe
C:\Programas\Notebook Hardware Control\nhc.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Task Killer\taskkiller.exe
C:\WINDOWS\system32\algsrvs.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programas\Launchy\Launchy.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\eBoostr\eBoostrCP.exe
C:\Programas\FileBX\FileBX.exe
C:\Programas\ProcessTamer\ProcessTamerTray.exe
C:\Programas\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Google\Update\GoogleUpdate.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Programas\FirefoxPortableTest\App\firefox\firefox.exe
C:\Documents and Settings\Administrator\Os meus documentos\My Videos\Veoh\VeohSetup-3.9.8.1077.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programas\Winamp Toolbar\winamptb.dll
O2 - BHO: IEHelperObject - {4DC16316-5372-4476-9CA5-88B2786B838F} - C:\Programas\humyo.com Client\HrfsDownloader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Update Helper - {77D7E795-33C5-4323-974D-A2A49AB75517} - C:\Programas\Google\Update\1.2.131.11\GoopdateBho.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programas\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programas\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programas\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NetStat Live] "C:\Programas\AnalogX\NetStat Live\nsl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PhraseExpress] C:\Programas\PhraseExpress\PhraseExpress.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ClickZap] //~
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programas\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Programas\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [WinVNC] //~c:\programas\tightvnc\winvnc.exe -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Task Killer] C:\Programas\Task Killer\taskkiller.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClamWin] "C:\Programas\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [Pando] "C:\Programas\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FileBox eXtender.lnk = C:\Programas\FileBX\FileBX.exe
O4 - Startup: ProcessTamer.lnk = C:\Programas\ProcessTamer\ProcessTamerTray.exe
O4 - Global Startup: Launchy.lnk = C:\Programas\Launchy\Launchy.exe
O4 - Global Startup: eBoostr Control Panel.lnk = C:\Programas\eBoostr\eBoostrCP.exe
O4 - Global Startup: humyo.com Client.lnk.disabled
O4 - Global Startup: Desktop Media.lnk = C:\Programas\Desktop Media\mediadetect.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Save Image To humyo.com - C:\Programas\humyo.com Client\download.html
O8 - Extra context menu item: Save Target To humyo.com - C:\Programas\humyo.com Client\download.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programas\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra 'Tools' menuitem: &Definições do Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programas\Google\Google Gears\Internet Explorer\0.4.15.0\gears.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d ... o-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C05E44A6-2D94-4EF4-A587-EEC36BA6F9EC}: NameServer = 195.22.0.33,195.22.0.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{F477614E-D24E-42C3-A7C3-5FA4423ED187}: NameServer = 172.20.200.10
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - Unknown owner - C:\Programas\eBoostr\EBstrSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Programas\FolderSize\FolderSizeSvc.exe
O23 - Service: Gerenciador do Google Desktop 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c89a832d6895e2) (gupdate1c89a832d6895e2) - Google Inc. - C:\Programas\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Programas\Hotspot Shield\bin\openvpnas.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programas\CDBurnerXP\NMSAccessU.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Slawdog Smart Shutdown - Slawdog E-Solutions, Inc. - C:\Programas\Slawdog\Smart Shutdown\Smart Shutdown.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Programas\TightVNC\WinVNC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programas\RealVNC\VNC4\WinVNC4.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe

--
End of file - 12957 bytes
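The two logs above are what the helper works from, so here is the triage a reader can reproduce. This is an added example, not code from the thread, from HijackThis or from MalwareRemoval.com: a small Python script over constructed excerpts of the two logs (a few lines each, chosen from the entries posted above). It parses the "Running processes" section and the O4 Run entries, sorts each Run command into an absolute path, a bare filename (which Windows resolves through its search path, so the log alone does not say which file actually runs) or something that is neither and needs a manual look, matches bare names against the running-process list, and diffs the two scans to show what changed between them. The excerpt strings, the RunEntry type and all function names are my own constructions.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the two HijackThis logs posted in this thread
# (a handful of lines each; the real logs above have far more entries).
LOG_AUG22 = r"""
Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\TightVNC\WinVNC.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ClickZap] //~
O4 - HKLM\..\Run: [WinVNC] //~c:\programas\tightvnc\winvnc.exe -servicehelper
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsServer] msfun80.exe
"""
# The second scan, eight days later, carries one extra Run entry.
LOG_AUG30 = LOG_AUG22 + r"""O4 - HKCU\..\Run: [Pando] "C:\Programas\Pando Networks\Pando\Pando.exe" /Minimized
"""

# Registry Run entries look like:  O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?(?=\s|$)', re.I)


@dataclass(frozen=True)
class RunEntry:          # hypothetical helper type, not part of HijackThis
    key: str             # e.g. HKCU\..\Run
    name: str            # registry value name, e.g. MsServer
    cmd: str             # command exactly as HijackThis prints it


def parse_log(text):
    """Return (running process paths, list of O4 Run entries)."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                procs.append(line)
            else:
                in_procs = False      # a blank line ends the section
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(RunEntry(m["key"], m["name"], m["cmd"]))
    return procs, entries


def executable_of(cmd):
    """Executable named by a Run command, or None if there is no .exe token."""
    m = EXE_RE.match(cmd.strip())
    return m["exe"] if m else None


def triage(procs, entries):
    """Classify each Run entry as one of:
      'path' - an absolute path is given, so the file to inspect is known
      'bare' - only a filename; Windows resolves it through its search path,
               so the log alone does not say which file actually runs
      'odd'  - neither a path nor a filename; needs a manual look
    For 'bare' entries the third element is the matching running process
    (by basename), or None when nothing running accounts for the name."""
    by_base = {p.rsplit("\\", 1)[-1].lower(): p for p in procs}
    findings = []
    for e in entries:
        exe = executable_of(e.cmd)
        if exe is None:
            findings.append((e, "odd", None))
        elif re.match(r"^[A-Za-z]:\\", exe):
            findings.append((e, "path", exe))
        elif "\\" in exe or "/" in exe:
            findings.append((e, "odd", exe))
        else:
            findings.append((e, "bare", by_base.get(exe.lower())))
    return findings


def unresolved_bare(findings):
    """Value names of bare-filename entries with no running process behind them:
    the first files a helper would ask the poster to locate and submit."""
    return [e.name for e, kind, resolved in findings if kind == "bare" and resolved is None]


def diff_entries(old, new):
    """(added, removed) Run entries between two scans of the same machine."""
    o, n = set(old), set(new)
    return (sorted(n - o, key=lambda e: e.name), sorted(o - n, key=lambda e: e.name))


if __name__ == "__main__":
    procs, old = parse_log(LOG_AUG22)
    _, new = parse_log(LOG_AUG30)
    for e, kind, resolved in triage(procs, new):
        print(f"{kind:4} {e.key:12} [{e.name}] {e.cmd!r} -> {resolved}")
    print("needs lookup:", unresolved_bare(triage(procs, new)))
    added, removed = diff_entries(old, new)
    print("new since first log:", [e.name for e in added])
    print("gone since first log:", [e.name for e in removed])
```

On these excerpts the bare-filename entries that no running process accounts for are [IMJPMIG8.2] msime82.exe and [MsServer] msfun80.exe, the second being the file the poster already named; the classification is a prompt to go and find and identify those files, not a verdict on them. The diff shows the one Run entry ([Pando]) that appeared between the two scans, which is the kind of change a helper wants to see when a log is more than a few days old.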

Re: Hello, i need help, huge infection in 3 computers!

Post by suebaby41 » August 31st, 2008, 11:00 pm

Step 1

Hello, I have all my pen drives (5 of them) with fun.xls.exe and knight.exe, and my 3 computers are also infected. The computers are also infected with msfun80.exe, and for now I will post the log from my main computer. Should I create a topic for each one of them, or should I use the next replies to post the other two logs from HijackThis?

I also tried to delete stuff from the registry that had the virus name; maybe I shouldn't have done it...

Please post only one log for one computer. Having more than one log and dealing with more than one computer is too confusing. After we clean this computer, we can deal with the other logs.

Step 2

TrendMicro's Sysclean is an extensive antivirus tool which has the advantage that it does not need to be installed. It requires two parts - the scanning engine and the virus pattern files. Delete all Temporary and Temporary Internet Files before running the program.

  1. Please download Sysclean Package and save it to your desktop.
    • Create a new folder on drive C:\ and name it Sysclean - (C:\Sysclean).
    • Place the SYSCLEAN.COM inside that folder.
    • Download the latest Official Pattern Release for Windows - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number.)
    • Extract (unzip) the lptxxx.zip pattern file into the Sysclean (C:\Sysclean) folder where you put SYSCLEAN.COM.
      1. Right-click on the lptxxx.zip file and select the Extract All... menu option.
      2. Press the Next button.
      3. At this next screen, enter C:\Sysclean
      4. Press the Next button.
      5. If you want to see the extracted files, leave the check mark in place, otherwise uncheck the box labeled Show extracted files.
      6. DO NOT scan yet.
    • Reboot your computer in SAFE MODE using the F8 method. To do this:
      • Restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
      • A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.
    • Please disconnect from the Internet. Please close ALL browser windows (including this one). Some antivirus programs such as Avast will alert you to a virus attack when running "Sysclean" so disable them before going to the next step.
    • Scan with Sysclean as follows:
      • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
      • Put a check mark on the Automatically clean or delete infected files option by clicking in the check box.
      • Click the Advanced >> button.
      • The scan options appear. Select the Scan all local fixed drives.
      • Click the Scan button on the Trend Micro System Cleaner console.
      • It will take some time to complete. Be patient and let it clean whatever it finds.
      • Another MS-DOS window will appear containing the log file generated in the Trend Micro System Cleaner folder.
      • To view the log, click the View button on the Trend Micro System Cleaner console. The Trend Micro System Cleaner Log window appears.
        • The Files Detected section shows the viruses that were detected by Sysclean
        • The Files Clean section shows the viruses that were cleaned.
        • The Clean Fail section shows the viruses that were not cleaned.
      • This fix tool generates the log file, SYSCLEAN.LOG, in its current folder.
      • When the scan is finished, open your Sysclean folder and copy and paste the contents of sysclean.log in your next reply.
      • Exit when done, reboot normally and enable your antivirus program.
      This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using "Sysclean", it is best to use the Administrator's account or an account with Administrative rights; otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.
    • If needed, see Instructions With Screenshots.
    • Please post a new HijackThis log and the contents of the sysclean.log.

Re: Hello, i need help, huge infection in 3 computers!

Post by NonSuch » September 6th, 2008, 5:11 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.

