
[Closed] How to remove tavo.exe, kavo.exe, 2.exe etc


2 replies to this topic

#1 Petra75 (New Member, 1 post)

Posted 07 May 2008 - 06:53 PM

Hi,

I noticed that this topic has been dealt with before (around March 9, 2008) and I was able to proceed following some of the instructions from previous posts by running HijackThis (didn't remove the malware) and ComboFix (seems that the malware's been removed!!). Since the last step after ComboFix is based on each individual's ComboFix log file, I wonder if you could help me complete the rest of the steps?

Thanks a lot,
Sincerely, Petra

Here's the logfile after running ComboFix

ComboFix 08-05-01.3 - zpmi 2008-05-07 20:09:00.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.158 [GMT -4:00]
Running from: C:\Documents and Settings\zpmi\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a.bat
C:\autorun.inf
C:\o9o2u.bat
C:\Program Files\newdotnet
C:\Program Files\newdotnet\readme.html
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
C:\WINDOWS\system32\tavo1.dll
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\Web\default.htt
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 19:56 . 2008-05-07 19:55 116,300 -r-hs---- C:\6g3.com
2008-05-07 19:09 . 2008-05-07 19:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 21:02 . 2008-05-06 21:02 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-05 20:33 . 2008-05-05 20:33 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-05 20:33 . 2008-05-05 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-05 20:32 . 2008-05-05 20:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 11:04 . 2008-05-06 21:34 118,115 -r-hs---- C:\0qx0sc6.bat
2008-05-04 10:51 . 2008-05-04 10:51 <DIR> d-------- C:\Program Files\Sophos
2008-05-04 10:50 . 2008-05-04 10:50 <DIR> d-------- C:\savinstall
2008-05-04 10:06 . 2008-05-04 10:06 <DIR> d-------- C:\Documents and Settings\zpmi\Application Data\Uniblue
2008-05-03 21:48 . 2008-05-03 21:48 119,285 -r-hs---- C:\0.com
2008-05-02 08:52 . 2008-05-01 17:35 118,298 -r-hs---- C:\h3hi1k3.exe
2008-04-29 17:52 . 2008-04-29 17:52 <DIR> d-------- C:\fea2d6f5c0a498a1acd7c6eda3d7c6
2008-04-29 17:52 . 2008-04-29 17:52 0 --a------ C:\WINDOWS\VPC32.INI
2008-04-26 15:42 . 2008-04-26 15:41 118,479 -r-hs---- C:\f2ir.com
2008-04-24 23:08 . 2008-04-25 23:50 116,441 -r-hs---- C:\nsv.bat
2008-04-23 20:11 . 2008-04-23 20:10 116,539 -r-hs---- C:\c9.com
2008-04-21 22:36 . 2008-04-22 22:41 116,049 -r-hs---- C:\v2h3.exe
2008-04-20 22:10 . 2008-04-20 22:09 118,047 -r-hs---- C:\dh66ln.cmd
2008-04-19 12:45 . 2008-04-19 12:44 115,760 -r-hs---- C:\xj.bat
2008-04-17 12:07 . 2008-04-17 12:06 115,728 -r-hs---- C:\2y8la.exe
2008-04-12 20:29 . 2008-04-13 18:30 118,971 -r-hs---- C:\30ed3.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 00:01 89,784 ----a-w C:\Documents and Settings\zpmi\Application Data\GDIPFONTCACHEV1.DAT
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\dllcache\win32k.sys
2008-03-01 22:36 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2006-10-21 04:22 194,376 ----a-w C:\Documents and Settings\zpmi\Application Data\shb.dat
2004-03-21 22:28 24,377,290 ------r C:\Program Files\TaxCut_2003_Federal_UpdaterC.exe
2001-08-04 02:09 0 ------w C:\Program Files\CONFIG.BAK
2000-10-13 20:56 271 --sh--w C:\Program Files\desktop.ini
2000-10-13 20:56 23,357 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}]
C:\Program Files\NewDotNet\newdotnet6_38.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Microsoft Works Update Detection"="???\WkDetect.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [2005-11-10 20:57 776704]
"spc_w"="C:\Program Files\NZSearch\nzspc.exe" [2006-07-11 02:00 311362]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 01:31 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 01:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 01:32 455168]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-08-21 20:07 180269]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51 257088]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 14:37 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2001-08-23 12:00 30208]

C:\Documents and Settings\zpmi\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-10 12:00:00 24633]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-03 21:03:12 113664]
Inetd.lnk - C:\WINDOWS\SYSTEM\Hummbird\inetd32.exe [1998-08-13 09:27:46 26624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Mozilla Quick Launch"="c:\Program Files\Netscape\Netscp.exe" -turbo -aim

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"EnsoniqMixer"=starter.exe
"POINTER"=point32.exe
"RxMon"=C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"MadExe"=C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
"LoadQM"=loadqm.exe
"MotiveMonitor"=C:\Program Files\Motive\motmon.exe
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
"New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
"Motive SmartBridge"=C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
"Zone Labs Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"MSConfigReminder"=C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\MSCONFIG.EXE /reminder
"OSS"=C:\WINDOWS\SYSTEM32\rlvknlg.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 14:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 14:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\0qx0sc6.bat
\Shell\explore\Command - C:\0qx0sc6.bat
\Shell\open\Command - C:\0qx0sc6.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\o9o2u.bat
\Shell\explore\Command - F:\o9o2u.bat
\Shell\open\Command - F:\o9o2u.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{689205d0-067b-11dc-9f64-001195626b33}]
\Shell\AutoRun\command - F:\o9o2u.bat
\Shell\explore\Command - F:\o9o2u.bat
\Shell\open\Command - F:\o9o2u.bat


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\^RNA]
rundll rnasetup.dll,installoptionalcomponent rna

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 23:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-05-07 04:12:32 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
"2007-06-26 22:16:34 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 20:15:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-07 20:17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-08 00:17:34

Pre-Run: 11,365,908,480 bytes free
Post-Run: 12,008,259,584 bytes free

195 --- E O F --- 2008-04-29 22:11:49



#2 LDTate (Forum God, Root Admin, 57,171 posts)

Posted 13 May 2008 - 03:08 PM


Sorry about the delay in responding :(

http://forums.whatth...ING_t86364.html


If you still need help, scan again with HijackThis and copy/paste a new log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days.

Proud graduate of TC/WTT Classroom


#3 LDTate (Forum God, Root Admin, 57,171 posts)

Posted 19 May 2008 - 04:05 PM

Due to inactivity, this topic will be closed. If you need help, please start a new thread and post a new HJT log.

