[Resolved] Removing Tavo.exe and Kavo.exe

abcdefGARY
Posted Mar 19 2008, 05:12 PM (Post #1)
Group: New Member
Posts: 8
Joined: 19-March 08
Member No.: 77,719
Operating System: Mac OS X 10.5

Hello. I found this forum through a search on Google about how to remove the Tavo.exe and Kavo.exe errors that pop up whenever I start Windows XP Professional. I am also trying to get rid of an "i8.com" error message popping up for no reason. This is happening on my Dad's computer, as I am using OS X, but I am trying to help him fix it.

I had found a similar problem, which was resolved, here. I followed all the necessary steps, and here is everything that I have done so far:

1.) Downloaded HijackThis and removed the following:

CODE
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe


2.) I have done a Kaspersky Online Scan and these were the results:

CODE
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 18, 2008 2:51:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/03/2008
Kaspersky Anti-Virus database records: 641323
-------------------------------------------------------------------------------

Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

Scan Statistics:
    Total number of scanned objects: 27051
    Number of viruses found: 2
    Number of infected objects: 27
    Number of suspicious objects: 0
    Duration of the scan process: 01:26:37

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\2F22478D.TMP    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log    Object is locked    skipped
C:\Documents and Settings\Frank\Application Data\Skype\[My Skype Username]\contactgroup256.dbb    Object is locked    skipped
C:\Documents and Settings\Frank\Application Data\Skype\[My Skype Username]\dyncontent\bundle.dat    Object is locked    skipped
C:\Documents and Settings\Frank\Application Data\Skype\[My Skype Username]\index2.dat    Object is locked    skipped
C:\Documents and Settings\Frank\Application Data\Skype\[My Skype Username]\profile4096.dbb    Object is locked    skipped
C:\Documents and Settings\Frank\Application Data\Skype\[My Skype Username]\user1024.dbb    Object is locked    skipped
C:\Documents and Settings\Frank\Application Data\Skype\[My Skype Username]\user256.dbb    Object is locked    skipped
C:\Documents and Settings\Frank\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Messenger\[My Email Address]\SharingMetadata\Logs\Dfsr00004.log    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Messenger\[My Email Address]\SharingMetadata\pending.dat    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Messenger\[My Email Address]\SharingMetadata\Working\database_26F4_6BE7_F46B_B827\dfsr.db    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Messenger\[My Email Address]\SharingMetadata\Working\database_26F4_6BE7_F46B_B827\fsr.log    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Messenger\[My Email Address]\SharingMetadata\Working\database_26F4_6BE7_F46B_B827\fsrtmp.log    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Messenger\[My Email Address]\SharingMetadata\Working\database_26F4_6BE7_F46B_B827\tmp.edb    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows Live Contacts\[My Email Address]\real\members.stg    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows Live Contacts\[My Email Address]\shadow\members.stg    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1vcd4ouk.default\Cache\1A2F37EDd01/keyfinder.exe/data.rar/xpkey.exe    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1vcd4ouk.default\Cache\1A2F37EDd01/keyfinder.exe/data.rar/officekey.exe    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1vcd4ouk.default\Cache\1A2F37EDd01/keyfinder.exe/data.rar    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1vcd4ouk.default\Cache\1A2F37EDd01/keyfinder.exe    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Mozilla\Firefox\Profiles\1vcd4ouk.default\Cache\1A2F37EDd01    RAR: infected - 4    skipped
C:\Documents and Settings\Frank\Local Settings\History\History.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Temp\~DF61D4.tmp    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Temp\~DF620C.tmp    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Temp\~DF8863.tmp    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Temp\~DF88AA.tmp    Object is locked    skipped
C:\Documents and Settings\Frank\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\Frank\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\Frank\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG    Object is locked    skipped
C:\i8.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log    Object is locked    skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\AutoProtect.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\AVContext.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\AVManual.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\Backup.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\EmailScan.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\NCO.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log    Object is locked    skipped
C:\Program Files\Norton 360\Log\WDFScanner.log    Object is locked    skipped
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0003957.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0004026.exe/keyfinder.exe/data.rar/xpkey.exe    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0004026.exe/keyfinder.exe/data.rar/officekey.exe    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0004026.exe/keyfinder.exe/data.rar    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0004026.exe/keyfinder.exe    Infected: not-a-virus:PSWTool.Win32.RAS.a    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0004026.exe    RAR: infected - 4    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0004452.dll    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP15\A0004453.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP16\A0004456.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004462.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004473.dll    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004474.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004482.dll    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004483.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004491.dll    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004492.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004499.exe    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004500.dll    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\A0004501.com    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\System Volume Information\_restore{48E807A5-A1C6-4F3E-9B8A-DCF50B0B1E36}\RP17\change.log    Object is locked    skipped
C:\WINDOWS\Debug\PASSWD.LOG    Object is locked    skipped
C:\WINDOWS\SchedLgU.Txt    Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    skipped
C:\WINDOWS\system32\config\AppEvent.Evt    Object is locked    skipped
C:\WINDOWS\system32\config\default    Object is locked    skipped
C:\WINDOWS\system32\config\default.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\SAM    Object is locked    skipped
C:\WINDOWS\system32\config\SAM.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\SecEvent.Evt    Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY    Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\software    Object is locked    skipped
C:\WINDOWS\system32\config\software.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\SysEvent.Evt    Object is locked    skipped
C:\WINDOWS\system32\config\system    Object is locked    skipped
C:\WINDOWS\system32\config\system.LOG    Object is locked    skipped
C:\WINDOWS\system32\drivers\etc\Hosts.bak    Object is locked    skipped
C:\WINDOWS\system32\kavo.exe    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\WINDOWS\system32\kavo0.dll    Infected: Packed.Win32.PolyCrypt.h    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP    Object is locked    skipped
C:\WINDOWS\Temp\cc2.tmp    Object is locked    skipped
C:\WINDOWS\Temp\JETBB6C.tmp    Object is locked    skipped
C:\WINDOWS\Temp\JETBD60.tmp    Object is locked    skipped
C:\WINDOWS\WindowsUpdate.log    Object is locked    skipped

Scan process completed.


3.) I have used ComboFix and this is my ComboFix.txt:

CODE
ComboFix 08-03-17.1 - Frank 2008-03-18 15:15:03.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.950.1.1028.18.164 [GMT -7:00]
Running from: C:\Documents and Settings\Frank\Desktop\ComboFix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((   Files Created from 2008-02-18 to 2008-03-18  )))))))))))))))))))))))))))))))))
.

2008-03-18 14:53 . 2008-01-12 18:32    23,904    --a------    C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-18 14:53 . 2008-01-15 09:54    10,537    --a------    C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-18 14:53 . 2008-01-15 05:28    706    --a------    C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-18 13:04 . 2008-03-18 13:04    <DIR>    d--------    C:\Documents and Settings\Frank\Application Data\Symantec
2008-03-18 12:35 . 2008-03-18 12:35    <DIR>    d--------    C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 12:35 . 2008-03-18 12:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-18 12:22 . 2008-03-17 14:16    <DIR>    d--------    C:\Documents and Settings\Administrator\Desktop
2008-03-18 12:22 . 2008-03-17 14:16    <DIR>    dr-------    C:\Documents and Settings\Administrator\Start Menu
2008-03-18 12:14 . 2008-03-18 12:14    <DIR>    d--------    C:\Program Files\Trend Micro
2008-03-17 20:17 . 2008-03-17 20:17    <DIR>    d--------    C:\Documents and Settings\Frank\Contacts
2008-03-17 20:15 . 2008-03-17 20:15    <DIR>    d----c---    C:\WINDOWS\system32\DRVSTORE
2008-03-17 20:01 . 2008-03-17 20:12    <DIR>    d--hsc---    C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-17 20:00 . 2008-03-17 20:14    <DIR>    d--------    C:\Program Files\Windows Live
2008-03-17 20:00 . 2008-03-17 20:00    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-17 19:57 . 2008-03-18 15:09    1,606    --a------    C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-17 19:19 . 2006-08-21 02:14    128,896    -----c---    C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-17 19:19 . 2006-08-21 02:14    23,040    -----c---    C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-17 19:19 . 2006-08-21 05:27    16,896    -----c---    C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-17 18:22 . 2007-07-09 06:11    584,192    -----c---    C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-17 17:49 . 2008-03-17 17:49    16    --a------    C:\WINDOWS\system32\coh.cache
2008-03-17 17:41 . 2008-03-17 17:41    <DIR>    d--------    C:\Documents and Settings\Frank\Application Data\ContentGuard
2008-03-17 17:39 . 2008-03-17 17:39    <DIR>    d--------    C:\Program Files\Common Files\Zinio
2008-03-17 17:39 . 2008-03-16 11:54    113,859    -r-hs----    C:\i8.com
2008-03-17 17:39 . 2008-03-18 14:57    502    -r-hs----    C:\autorun.inf
2008-03-17 17:38 . 2008-03-17 17:40    <DIR>    d--------    C:\Program Files\Zinio
2008-03-17 17:10 . 2008-03-17 19:33    <DIR>    d--h-----    C:\WINDOWS\$hf_mig$
2008-03-17 16:31 . 2008-03-18 15:02    <DIR>    d--------    C:\Program Files\Norton 360
2008-03-17 16:29 . 2008-03-17 17:18    <DIR>    d--------    C:\Program Files\Symantec
2008-03-17 16:29 . 2008-03-18 14:53    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-17 16:29 . 2008-03-17 17:18    123,952    --a------    C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-17 16:29 . 2008-03-17 17:18    60,800    --a------    C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-17 16:29 . 2008-03-17 17:18    10,740    --a------    C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-17 16:29 . 2008-03-17 17:18    805    --a------    C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-17 16:27 . 2008-03-18 14:29    <DIR>    d--------    C:\Program Files\Common Files\Symantec Shared
2008-03-17 16:23 . 2008-03-17 16:23    <DIR>    d--------    C:\Program Files\Windows Media Connect 2
2008-03-17 16:23 . 2006-10-04 07:06    1,197,294    -----c---    C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-03-17 16:23 . 2006-10-04 07:06    764,868    -----c---    C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-03-17 16:23 . 2006-10-04 07:06    217,118    -----c---    C:\WINDOWS\system32\dllcache\apphelp.sdb
2008-03-17 16:21 . 2003-06-18 02:31    17,920    --a------    C:\WINDOWS\system32\mdimon.dll
2008-03-17 16:21 . 2008-03-17 16:21    379    --a------    C:\WINDOWS\ODBC.INI
2008-03-17 16:19 . 2008-03-17 16:19    <DIR>    d--------    C:\WINDOWS\system32\LogFiles
2008-03-17 16:19 . 2008-03-17 16:21    <DIR>    d--------    C:\WINDOWS\system32\drivers\UMDF
2008-03-17 16:18 . 2008-03-17 16:18    <DIR>    d--------    C:\Program Files\Microsoft ActiveSync
2008-03-17 16:17 . 2008-03-17 16:18    <DIR>    d--------    C:\WINDOWS\SHELLNEW
2008-03-17 16:15 . 2008-03-17 16:15    <DIR>    dr-h-----    C:\MSOCache
2008-03-17 16:13 . 2007-07-30 04:19    43,352    --a------    C:\WINDOWS\system32\wups2.dll
2008-03-17 16:13 . 2007-07-30 04:20    30,040    --a------    C:\WINDOWS\system32\wucltui.dll.mui
2008-03-17 16:13 . 2007-07-30 04:19    25,944    --a------    C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-17 16:13 . 2007-07-30 04:19    25,944    --a------    C:\WINDOWS\system32\wuapi.dll.mui
2008-03-17 16:13 . 2007-07-30 04:19    16,216    --a------    C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-17 16:12 . 2008-03-17 16:12    <DIR>    d---s----    C:\Documents and Settings\Frank\UserData
2008-03-17 16:07 . 2008-03-17 16:07    <DIR>    d--------    C:\Documents and Settings\LocalService\Start Menu
2008-03-17 15:57 . 2008-03-17 16:08    316,640    --a------    C:\WINDOWS\WMSysPr9.prx
2008-03-17 15:52 . 2008-03-17 15:52    <DIR>    d--------    C:\WINDOWS\ServicePackFiles
2008-03-17 15:46 . 2004-07-16 20:40    19,528    --a------    C:\WINDOWS\002289_.tmp
2008-03-17 15:44 . 2006-09-25 02:58    23,856    --a------    C:\WINDOWS\system32\spupdsvc.exe
2008-03-17 15:39 . 2008-03-17 15:56    <DIR>    d--------    C:\WINDOWS\EHome
2008-03-17 15:38 . 2008-03-17 20:26    <DIR>    d--------    C:\Documents and Settings\Frank\Application Data\skypePM
2008-03-17 15:38 . 2008-03-17 15:38    32    --a------    C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-17 15:37 . 2008-03-18 15:07    <DIR>    d--------    C:\Documents and Settings\Frank\Application Data\Skype
2008-03-17 15:35 . 2008-03-17 15:45    <DIR>    d--------    C:\Program Files\Skype
2008-03-17 15:35 . 2008-03-17 15:35    <DIR>    d--------    C:\Program Files\Common Files\Skype
2008-03-17 15:34 . 2008-03-17 15:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Skype
2008-03-17 15:11 . 2008-03-17 15:11    <DIR>    d--------    C:\Program Files\Common Files\Adobe

.
((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 21:42    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-03-17 21:42    ---------    d-----w    C:\Program Files\Common Files\InstallShield
2008-03-17 21:42    ---------    d-----w    C:\Program Files\ANI
2008-03-17 21:41    ---------    d-----w    C:\Program Files\D-Link
2008-03-17 21:31    ---------    d-----w    C:\Program Files\microsoft frontpage
.
Files Infected -  Win32.Agent.zb
.

(((((((((((((((((((((((((((((   snapshot@2008-03-18_15.10.20.43   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-18 19:30:32    39,992    ----a-w    C:\WINDOWS\system32\perfc009.dat
+ 2008-03-18 22:09:45    39,992    ----a-w    C:\WINDOWS\system32\perfc009.dat
- 2008-03-18 19:30:32    311,604    ----a-w    C:\WINDOWS\system32\perfh009.dat
+ 2008-03-18 22:09:45    311,604    ----a-w    C:\WINDOWS\system32\perfh009.dat
- 2008-03-18 19:30:32    42,290    ----a-w    C:\WINDOWS\system32\prfc0404.dat
+ 2008-03-18 22:09:45    42,406    ----a-w    C:\WINDOWS\system32\prfc0404.dat
- 2008-03-18 19:30:32    130,958    ----a-w    C:\WINDOWS\system32\prfh0404.dat
+ 2008-03-18 22:09:45    131,180    ----a-w    C:\WINDOWS\system32\prfh0404.dat
+ 2008-03-18 22:23:00    16,384    ----atw    C:\WINDOWS\TEMP\Perflib_Perfdata_e50.dat
.
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 09:47 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 02:22 21898024]
"Zinio DLM"="C:\Program Files\Zinio\ZinioReader.exe" [2008-01-18 10:00 3760198]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-17 20:35 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 07:32 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 09:48 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 09:48 455168]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-18 18:15 1216512]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-21 22:42 45056]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 07:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 14:59 115816]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 02:38 583048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 09:47 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4879cf6-f46a-11dc-912e-0050bf915b4b}]
\Shell\AutoRun\command - F:\i8.com
\Shell\explore\Command - F:\i8.com
\Shell\open\Command - F:\i8.com

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 15:21:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-18 15:32:07 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-18 22:31:39
ComboFix2.txt  2008-03-18 22:11:54


4.) And this is my new HijackThis log:

CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:51, on 2008-03-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205795577245
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5339 bytes


I found that my ComboFix.txt is rather different from others, and I am not sure if it is normal since my log does not produce "FILE" or "OTHER DELETIONS" sections in the beginning of the log. But other than that, I am looking for further guidance on what to insert into CFScript.txt in order to continue with the next steps.

Hopefully someone can guide me on this soon. Thanks!

This post has been edited by abcdefGARY: Mar 30 2008, 02:23 PM
Scotty
post Mar 26 2008, 08:27 AM
Post #2


Always Happy

Group: Malware Team
Posts: 3,653
Joined: 9-December 06
From: Haggistown, Kiltland
Member No.: 65,226
Operating System: XP Pro
Ubuntu 8.04



Hello and welcome to the forum.

Sorry about the delay in responding.

If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.


Also please describe how your computer behaves at the moment.
abcdefGARY
post Mar 26 2008, 01:34 PM
Post #3


New Member

Group: New Member
Posts: 8
Joined: 19-March 08
Member No.: 77,719
Operating System: Mac OS X 10.5



Hi, no problem. Thanks for the reply. None of the Kavo.exe and Tavo.exe messages are popping up now when I start my computer... which is a good sign I think/hope. But I want to make sure that there's nothing else living inside my computer.

Here is my new HijackThis log:

CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:28, on 2008-03-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO&