
Tavo.exe Kavo.exe, AGAIN? O_O


  • This topic is locked
3 replies to this topic

#1 Reynaldo04

Reynaldo04

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 24 April 2008 - 11:24 AM

Whoaaaa, I just cleaned it out on Sunday, and I got it again o_O.
I'm doing the same steps that you guys told me on Sunday for cleaning it:
http://forums.whatth...amp;hl=tavo.exe

Just got really nervous because it wouldn't let me System Restore o_O, but the weirder thing is that I got it again and I haven't been using my PC much... How can someone get this malware o_O? Or was it hiding in my PC?...

ty in advance, really scared now x_X.

Log of Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.11
Versión de la Base de Datos: 663

Tipo de examen : Examen Rápido
Objetos examinados: 28410
Tiempo transcurrido: 12 minute(s), 39 second(s)

Procesos en Memoria Infectados: 0
Módulos en Memoria Infectados: 2
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 2
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Ficheros Infectados: 6

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos en Memoria Infectados:
C:\WINDOWS\system32\kavo1.dll (Rootkit.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\tavo1.dll (Rootkit.Agent) -> Unloaded module successfully.

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kava (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tava (Rootkit.Agent) -> Quarantined and deleted successfully.

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Ficheros Infectados:
C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kavo1.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tavo0.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tavo1.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\kavo.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tavo.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
---
I cleaned it, just like the last time, and then restarted my PC and got this on HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 01:42:18 p.m., on 24/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\RALINK\Common\RaUI.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Archivos de programa\Opera\Opera.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maplestory.nexon.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Archivos de programa\RALINK\Common\RaUI.exe
-----------------
Also, what is this found in my HijackThis log o_O?:
C:\WINDOWS\system32\MsiExec.exe
It also appears 2 times...

Edited by Reynaldo04, 24 April 2008 - 11:46 AM.
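The two logs above are the only hard data in this thread, and a helper that reads both answers the poster's questions more precisely than eyeballing does: which detections were only marked "Delete on reboot" (so the machine is not clean until it has actually restarted and been re-scanned), which Run values and files Malwarebytes removed, and whether any of those names still show up in the HijackThis log taken after the restart. The script below is an added example, not code from the thread or from either tool; the log excerpts are constructed from the posts above, and it assumes the line formats of Malwarebytes' Anti-Malware 1.x and HijackThis v1.99.1 exactly as they appear there. It also counts running processes case-insensitively, so the several spellings of MsiExec.exe the poster noticed are tallied as one binary.

```python
"""Triage helpers for the Malwarebytes and HijackThis logs posted in this thread.

Added example (not the thread's or the tools' own code). Assumes the detection
and O4 line formats shown in the posts above; anything else is left alone.
"""
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes log above (detection lines only).
MBAM_LOG = r"""
C:\WINDOWS\system32\kavo1.dll (Rootkit.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\tavo1.dll (Rootkit.Agent) -> Unloaded module successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kava (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tava (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kavo1.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tavo0.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tavo1.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\kavo.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tavo.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Constructed excerpt of the post-reboot HijackThis log above.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Archivos de programa\Opera\Opera.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\MsiExec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maplestory.nexon.net/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Archivos de programa\RALINK\Common\RaUI.exe
"""

# "<item> (<family>) -> <action>." as written by Malwarebytes 1.x.
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# HijackThis O4 lines: Run-key values and Global Startup shortcuts.
O4_RUN = re.compile(r"^O4 - (?P<key>\S+\\Run): \[(?P<name>[^\]]+)\] (?P<command>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<command>.+)$")


def parse_mbam(text):
    """One dict (item, family, action) per detection line."""
    return [m.groupdict() for m in map(DETECTION.match, (l.strip() for l in text.splitlines())) if m]


def pending_on_reboot(detections):
    """Items Malwarebytes could only schedule for deletion: they were loaded
    modules, so they are still on disk until the reboot completes."""
    return [d["item"] for d in detections if d["action"].lower().startswith("delete on reboot")]


def run_value_names(detections):
    """Lower-cased names of the Run-key values Malwarebytes removed."""
    return {d["item"].rsplit("\\", 1)[1].lower() for d in detections
            if d["item"].upper().startswith("HKEY_") and "\\Run\\" in d["item"]}


def file_names(detections):
    """Lower-cased base names of the files Malwarebytes removed."""
    return {d["item"].rsplit("\\", 1)[1].lower() for d in detections
            if not d["item"].upper().startswith("HKEY_")}


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and O4 autoruns."""
    processes, autoruns, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
                continue
            processes.append(line)
            continue
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            autoruns.append({"name": m.group("name"), "command": m.group("command")})
    return processes, autoruns


def process_counts(processes):
    """Count processes by lower-cased path: Windows paths are case-insensitive,
    so msiexec.exe and MsiExec.exe are the same binary."""
    return Counter(p.lower() for p in processes)


def cross_check(detections, processes, autoruns):
    """Names from the post-clean HijackThis log that match something
    Malwarebytes removed: (autorun value names, running process paths)."""
    bad_names, bad_files = run_value_names(detections), file_names(detections)
    flagged_autoruns = [a["name"] for a in autoruns if a["name"].lower() in bad_names]
    flagged_procs = [p for p in processes if p.rsplit("\\", 1)[1].lower() in bad_files]
    return flagged_autoruns, flagged_procs


if __name__ == "__main__":
    dets = parse_mbam(MBAM_LOG)
    procs, autoruns = parse_hjt(HJT_LOG)
    print("pending reboot:", pending_on_reboot(dets))
    print("msiexec.exe instances:", process_counts(procs)[r"c:\windows\system32\msiexec.exe"])
    print("leftovers in post-clean HJT log:", cross_check(dets, procs, autoruns))
```

On the excerpts above, `pending_on_reboot` returns the two DLLs that were unloaded from memory but could not be deleted live, `process_counts` reports five instances of msiexec.exe under one key, and `cross_check` returns two empty lists: nothing Malwarebytes removed is visible in the HijackThis log taken after the restart. An empty result is evidence about those two logs only; it says nothing about a second infection arriving later.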


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 April 2008 - 02:50 PM

Sorry about the delay in responding :(

If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Reynaldo04

Reynaldo04

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 05 May 2008 - 12:48 AM

I cleaned it and it happened again, then I cleaned it again, and after that everything is fine o-o, haven't got it anymore. Thx anyway.

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 05 May 2008 - 02:22 PM

Glad you got it fixed and posted back letting us know.
