Help, virus in my computer

#1 madok (Newbie)

Help, virus in my computer

Please help me. I found a virus that walks around here in my computer, called dl.exe. I already made a scan with HijackThis and here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:13:29, on 28/6/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\bpk.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\MaDoK\Desktop\HijackThis.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0F21E55E-A3A5-40C9-B5B9-1EBC60E03DD6} - C:\WINDOWS\System32\dmime32.dll
    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Arquivos de programas\RXToolBar\sfcont.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Atualizador - Puxa Rápido] C:\Arquivos de programas\Puxa Rápido\Atualiza.exe
    O4 - HKLM\..\Run: [SemanticInsight] C:\Arquivos de programas\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Free Download Manager] C:\Arquivos de programas\Free Download Manager\fdm.exe -autorun
    O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {197F8FE3-8DF6-4755-B925-B94A1FF2F58E} (OSAKit2.OSA_Kit) - http://www.newstarsoccer.com/OSAKit2.CAB
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resourc...scbase3401.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD571BE-9FE3-4D5F-BBB2-9D4AD32B62C5}: NameServer = 200.222.0.34 200.202.193.75
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Arquivos de programas\RXToolBar\sfcont.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe (file missing)
    O23 - Service: Serviço de proteção automática do Norton AntiVirus (navapsvc) - Unknown owner - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe (file missing)
    O23 - Service: SAVScan - Unknown owner - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)

    please help me
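When a helper reads a HijackThis log like the one above, the first pass is mechanical: pull out the O-line entries and mark the ones that need a closer look, such as entries whose file is reported missing, BHOs with no name, O18 MIME filters and O17 name-server overrides. The script below is an added example for this thread (not part of the original post and not a HijackThis feature) that does exactly that triage; the flag names are this example's own, and the sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis 1.99-style logs.

Added example for this thread; not part of the original post nor a
HijackThis feature. It parses the 'Oxx - ...' entries into records and
surfaces the ones a log reader normally reviews first. The flag names
used here are this example's own choice.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the posted log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0F21E55E-A3A5-40C9-B5B9-1EBC60E03DD6} - C:\WINDOWS\System32\dmime32.dll
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Arquivos de programas\RXToolBar\sfcont.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD571BE-9FE3-4D5F-BBB2-9D4AD32B62C5}: NameServer = 200.222.0.34 200.202.193.75
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Arquivos de programas\RXToolBar\sfcont.dll
O23 - Service: SAVScan - Unknown owner - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe (file missing)
"""

# Every HJT finding starts with a section tag such as "O2 - " or "O23 - ".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str          # e.g. "O2", "O23"
    text: str             # everything after "Oxx - "
    flags: list = field(default_factory=list)


def classify(entry: Entry) -> None:
    """Attach review flags to one entry (flag names are this example's own)."""
    if "(file missing)" in entry.text:
        entry.flags.append("file missing")       # registry points at a file that is gone
    if entry.section == "O2" and "(no name)" in entry.text:
        entry.flags.append("unnamed BHO")        # browser helper object with no registered name
    if entry.section == "O18" and entry.text.startswith("Filter:"):
        entry.flags.append("MIME filter")        # a DLL inserted into IE's content pipeline
    if entry.section == "O17":
        entry.flags.append("DNS override")       # per-interface name servers set in the registry


def parse_entries(log: str) -> list:
    """Turn the O-lines of a log into classified Entry records; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = Entry(m.group(1), m.group(2))
            classify(e)
            entries.append(e)
    return entries


def triage(log: str) -> dict:
    """Map each flag to the entry texts carrying it."""
    by_flag = {}
    for e in parse_entries(log):
        for f in e.flags:
            by_flag.setdefault(f, []).append(e.text)
    return by_flag


def unflagged(log: str) -> list:
    """Entries that raised no flag (still worth a glance, but lower priority)."""
    return [e.text for e in parse_entries(log) if not e.flags]


if __name__ == "__main__":
    for flag, items in triage(SAMPLE_LOG).items():
        print(f"[{flag}]")
        for item in items:
            print("   ", item)
```

A flag here only means "look at this first"; whether an unnamed BHO or a MIME filter is unwanted still has to be decided by checking the file it points to, which the log alone cannot do.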


#2 Neal (Dedicated Member)

Welcome to DAL,

    Scan with Ewido Security Suite

    Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/
1. Download the Ewido installer to your Desktop. Find the icon on your desktop and double click on it to install.
    2. Let Ewido open once it is installed. The first thing you need to do is update the detection definition files.
    3. From the main ewido screen, click on UPDATE in the top menu, then click the Start Update link.
    4. After the update finishes (the status bar near the top will inform you of progress), click on the Scanner button in the top menu, then click on the Settings tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    7. Click on the Scan tab. Then click on Complete System Scan. This scan will take a while, please be patient.
    8. Once the scan is complete, you will be prompted if any items are found that need attention. Select Apply all actions. This will take a moment or two.
    9. When Ewido reports All Actions Have been Applied you can close Ewido. The report was automatically saved if the settings were set as instructed. The report will be located at C:\Program Files\ewido anti-spyware 4.0\Reports\

Then...

    Go here BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

    When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).

And post a new HJT log also.

#3 madok (Newbie)

    //-----------------------------------------------------------------
    //
    // Product: BitDefender 8 Free Edition
    // Version: 8.0
    //
    // Created on: 01/07/2006 15:50:57
    //
    //-----------------------------------------------------------------


    Statistics

    Scan path : A:\
    C:\
    D:\
    Folders : 2240
    Files : 120780
    Archives : 682
    Packed files : 10132
    Identified viruses : 2
    Infected files : 19
    Warnings : 0
    Suspect files : 0
    Disinfected files : 17
    Deleted files : 0
    Copied files : 0
    Moved files : 2
    Renamed files : 0
    I/O errors : 106
    Scan time : 00:35:10
    Scan speed (files/sec) : 57

    Virus definitions : 402483
    Scan plugins : 13
    Archive plugins : 39
    Unpack plugins : 5
    Mail plugins : 6
    System plugins : 1

    Scan options

    Detection
    [X] Scan boot sectors
    [X] Scan archives
    [X] Scan packed files
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Copy to quarantine
    [ ] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [ ] Copy to quarantine
    [X] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: vscan.log
    [ ] Append to existing report

    Summary:

    C:\Arquivos de programas\ESET\Instalar\setup.exe Infected Win32.Gael.3666
    C:\Arquivos de programas\ESET\Instalar\setup.exe Disinfected
    C:\Arquivos de programas\ESET\Setup\setup.exe Infected Win32.Gael.3666
    C:\Arquivos de programas\ESET\Setup\setup.exe Disinfected
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE Infected Win32.Gael.3666
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE Disinfected
    C:\Arquivos de programas\Jetico\Jetico Personal Firewall\fwsrv.exe Infected Win32.Gael.3666
    C:\Arquivos de programas\Jetico\Jetico Personal Firewall\fwsrv.exe Disinfection failed
    C:\Arquivos de programas\Jetico\Jetico Personal Firewall\fwsrv.exe Moved
    C:\Arquivos de programas\Mozilla Firefox\firefox.exe Infected Win32.Gael.3666
    C:\Arquivos de programas\Mozilla Firefox\firefox.exe Disinfected
    C:\Documents and Settings\MaDoK.MARCO-UV05L5TB2\Desktop\nentptst.exe Infected Win32.Gael.3666
    C:\Documents and Settings\MaDoK.MARCO-UV05L5TB2\Desktop\nentptst.exe Disinfected
    C:\Program Files\HijackThis\HijackThis.exe Infected Win32.Gael.3666
    C:\Program Files\HijackThis\HijackThis.exe Disinfected
    C:\WINDOWS\BCUnInstall.exe Infected Win32.Gael.3666
    C:\WINDOWS\BCUnInstall.exe Disinfected
    C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe Infected Win32.Gael.3666
    C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe Disinfected
    C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe Infected Win32.Gael.3666
    C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe Disinfected
    C:\WINDOWS\system32\wuauclt.exe Infected Win32.Gael.3666
    C:\WINDOWS\system32\wuauclt.exe Disinfection failed
    C:\WINDOWS\system32\wuauclt.exe Moved
    C:\WINDOWS\system32\wuauclt1.exe Infected Win32.Gael.3666
    C:\WINDOWS\system32\wuauclt1.exe Disinfected
    D:\System Volume Information\_restore{B6BF4F70-8CCB-49F6-A14D-C18126EB383E}\RP1\A0004829.exe Infected Win32.Gael.3666
    D:\System Volume Information\_restore{B6BF4F70-8CCB-49F6-A14D-C18126EB383E}\RP1\A0004829.exe Disinfected
    D:\System Volume Information\_restore{B6BF4F70-8CCB-49F6-A14D-C18126EB383E}\RP1\A0004830.exe Infected Win32.Gael.3666
    D:\System Volume Information\_restore{B6BF4F70-8CCB-49F6-A14D-C18126EB383E}\RP1\A0004830.exe Disinfected
    D:\System Volume Information\_restore{B6BF4F70-8CCB-49F6-A14D-C18126EB383E}\RP2\A0005959.exe Infected Win32.Gael.3666
    D:\System Volume Information\_restore{B6BF4F70-8CCB-49F6-A14D-C18126EB383E}\RP2\A0005959.exe Disinfected
    D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe(R) Photoshop(R) CS2\instmsia.exe Infected Win32.Gael.3666
    D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe(R) Photoshop(R) CS2\instmsia.exe Disinfected
    D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe(R) Photoshop(R) CS2\instmsiw.exe Infected Win32.Gael.3666
    D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe(R) Photoshop(R) CS2\instmsiw.exe Disinfected
    D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe(R) Photoshop(R) CS2\setup.exe Infected Win32.Gael.3666
    D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe(R) Photoshop(R) CS2\setup.exe Disinfected
    D:\Adobe[1].PhotoShop.CS2.KeyGen\keygen.exe Infected Win32.Gael.3666
    D:\Adobe[1].PhotoShop.CS2.KeyGen\keygen.exe Disinfected


This is my BitDefender log.

    and now???

#4 Neal (Dedicated Member)

    Ewido scan log please.
