Thread: Hijack and malware

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    8

    Hijack and malware

    OK, this time I've followed the procedures, and I'm going to wait for you to guide me in fixing the problem. Spybot S&D has fixed some threats in Windows safe mode; now I'm posting the logs...

    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, November 07, 2007 4:32:05 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 7/11/2007
    Kaspersky Anti-Virus database records: 452842

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 58467
    Number of viruses found: 2
    Number of infected objects: 7
    Number of suspicious objects: 0
    Duration of the scan process: 01:26:53

    Infected Object Name / Virus Name / Last Action
    C:\Arquivos de programas\Eset\cache\CACHE.NDB Object is locked skipped
    C:\Arquivos de programas\Eset\infected\ICIX4ZCA.NQF Infected: Trojan-Downloader.Win32.Banload.egd skipped
    C:\Arquivos de programas\Eset\logs\virlog.dat Object is locked skipped
    C:\Arquivos de programas\Eset\logs\warnlog.dat Object is locked skipped
    C:\Arquivos de programas\Sygate\SPF\debug.log Object is locked skipped
    C:\Arquivos de programas\Sygate\SPF\rawlog.log Object is locked skipped
    C:\Arquivos de programas\Sygate\SPF\seclog.log Object is locked skipped
    C:\Arquivos de programas\Sygate\SPF\syslog.log Object is locked skipped
    C:\Arquivos de programas\Sygate\SPF\tralog.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Ahead\Nero Home\bl.db Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Ahead\Nero Home\bl.db-journal Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Ahead\Nero Home\is2.db Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Ahead\Nero Home\is2.db-journal Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Identities\{74F76DFD-E250-4A94-A571-51DBD62FDE50}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Identities\{74F76DFD-E250-4A94-A571-51DBD62FDE50}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Identities\{74F76DFD-E250-4A94-A571-51DBD62FDE50}\Microsoft\Outlook Express\Pergunta.dbx Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Identities\{74F76DFD-E250-4A94-A571-51DBD62FDE50}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wabilio@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wabilio@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wabilio@hotmail.com\SharingMetadata\Working\database_B2CC_9367_CC93_251F\dfsr.db Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wabilio@hotmail.com\SharingMetadata\Working\database_B2CC_9367_CC93_251F\fsr.log Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wabilio@hotmail.com\SharingMetadata\Working\database_B2CC_9367_CC93_251F\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Messenger\wabilio@hotmail.com\SharingMetadata\Working\database_B2CC_9367_CC93_251F\tmp.edb Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Dados de aplicativos\Microsoft\Windows Live Contacts\wabilio@hotmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Histórico\History.IE5\MSHist012007110720071108\index.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\Ofb1.exe Infected: not-a-virus:AdWare.Win32.BHO.ee skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\OFoxInstaller_s.exe Infected: not-a-virus:AdWare.Win32.BHO.ee skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\~DF33A7.tmp Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\~DF33B6.tmp Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\~DF7D95.tmp Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\~DF7E9F.tmp Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\~DFA7EE.tmp Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\~DFB4A5.tmp Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temp\~DFB4BE.tmp Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\call256.dbb Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\callmember256.dbb Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\contactgroup256.dbb Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\dyncontent\bundle.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\index2.dat Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\profile256.dbb Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\user256.dbb Object is locked skipped
    C:\Documents and Settings\Vinicius\Dados de aplicativos\Skype\nerabil\voicemail256.dbb Object is locked skipped
    C:\Documents and Settings\Vinicius\Meus documentos\Meus arquivos recebidos\Rain.rar/Rain.exe/Ofb1.exe Infected: not-a-virus:AdWare.Win32.BHO.ee skipped
    C:\Documents and Settings\Vinicius\Meus documentos\Meus arquivos recebidos\Rain.rar/Rain.exe/OFoxInstaller_s.exe Infected: not-a-virus:AdWare.Win32.BHO.ee skipped
    C:\Documents and Settings\Vinicius\Meus documentos\Meus arquivos recebidos\Rain.rar/Rain.exe Infected: not-a-virus:AdWare.Win32.BHO.ee skipped
    C:\Documents and Settings\Vinicius\Meus documentos\Meus arquivos recebidos\Rain.rar RAR: infected - 3 skipped
    C:\Documents and Settings\Vinicius\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Vinicius\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  2. #2
    Junior Member
    Join Date
    Oct 2007
    Posts
    8

    HijackThis v2.0.2 log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:51:06, on 7/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Arquivos de programas\GbPlugin\GbpSv.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    C:\Arquivos de programas\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Arquivos de programas\Eset\nod32kui.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
    C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Arquivos de programas\BitComet\BitComet.exe
    C:\Arquivos de programas\Skype\Phone\Skype.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Arquivos de programas\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\UOL\UIM\uim.exe
    C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
    C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
    C:\Arquivos de programas\MSN Messenger\usnsvc.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O2 - BHO: Ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Arquivos de programas\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitComet] "C:\Arquivos de programas\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: UOL Messenger.lnk = C:\Arquivos de programas\UOL\UIM\uim.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br...bPluginUni.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 10734 bytes

  3. #3
    teacup61 (In Memoriam - Always in our heart)
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    759

    Hello Wagner Abilio,

    Welcome to Safer Networking Forums

    Sorry for the delay. When you reply to your own topic it looks like you're being helped, as Helpers look for topics with 0 replies. If you still need help, please post a new HijackThis log so I can be sure nothing has changed.

    Thanks,
    tea
    teacup61

  4. #4
    Junior Member
    Join Date
    Oct 2007
    Posts
    8

    I'm tired!!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:54:28, on 15/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Arquivos de programas\GbPlugin\GbpSv.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    C:\Arquivos de programas\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Arquivos de programas\Eset\nod32kui.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O2 - BHO: Ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Arquivos de programas\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitComet] "C:\Arquivos de programas\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: UOL Messenger.lnk = C:\Arquivos de programas\UOL\UIM\uim.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br...bPluginUni.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 10403 bytes
    Last edited by tashi; 2007-11-16 at 05:02. Reason: Two topics merged

  5. #5
    In Memoriam -Always in our heart teacup61's Avatar
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    759

    Default

    Hello,

    Please print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

    Please download AVG Anti-Spyware Free Edition and save that file to your desktop.

    This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.
    • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
    • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    • On the top of the main screen select the "Update" icon, then under the "Manual update" section click the "Start update" button.
    • The update will start and a progress bar will show the updates being installed.
    • Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the "Settings" screen:
      • Click on "Recommended actions" -> select "Quarantine".
      • Under "Reports:" -> select "Do not automatically generate reports".
    • Close AVG Anti-Spyware. Please do NOT run a scan yet!

    Next, please reboot your computer into Safe Mode by doing the following:
    • Reboot your computer.
    • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
    • Instead of Windows loading as normal, a menu should appear.
    • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".


    Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

    O2 - BHO: Ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
    O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)


    Close all browsers and other windows except for HijackThis!, and click "Fix checked".

    Then please run a scan with AVG Anti-Spyware:

    IMPORTANT: Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.
    • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    • Once the scan is complete do the following:
      • If you have any infections you will be prompted, then select the "Apply all actions" button. AVG Anti-Spyware will then display "All actions have been applied" on the right hand side.
      • Next select the "Save Report" button at the bottom.
      • Then select the "Save report as" button in the lower left hand corner of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
    • Close AVG Anti-Spyware and reboot your system normally into Windows. Please post the contents of the AVG Anti-Spyware report in your next reply, along with a new HijackThis log.


    Thanks,
    tea
    teacup61
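
    An added example, not part of the original post and not HijackThis's own code: the four entries listed above all end in "(no file)", meaning a BHO or toolbar registration whose target file is absent. The Python below parses HijackThis v2.0.2 text lines, flags such entries, and checks a follow-up log against them. The sample logs are constructed excerpts built from lines on this page, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpts. BEFORE = the four entries named in the post plus three
# lines that also appear in the follow-up log; AFTER = lines from that follow-up log.
BEFORE = r"""
O2 - BHO: Ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
O2 - BHO: (no name) - {6A87B991-A31F-4130-AE72-6D0C294BF082} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
"""

AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# "<code> - <body>", e.g. "O2 - BHO: ..."; process-list and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# "<label> - {CLSID} - <target>" as used by O2/O3/O9-style lines. The CLSID must
# be its own " - "-delimited field, so a GUID embedded in a Run value name
# (the BgMonitor line) is not mistaken for one.
CLSID_RE = re.compile(r"^(?P<label>.*?) - (?P<clsid>" + GUID + r") - (?P<target>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str             # section code, e.g. "O2" (BHO) or "O3" (toolbar)
    label: str            # text before the CLSID, or the whole body if none
    clsid: Optional[str]  # upper-cased CLSID, or None
    target: str           # file path, or "(no file)"

    def key(self) -> Tuple[str, str]:
        """Identity used to compare the same entry across two logs."""
        return (self.code, self.clsid or self.label)


def parse_entries(log_text: str) -> List[Entry]:
    """Return the section entries of a HijackThis text log, in order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        s = CLSID_RE.match(m.group("body"))
        if s:
            entries.append(Entry(m.group("code"), s.group("label"),
                                 s.group("clsid").upper(), s.group("target")))
        else:
            entries.append(Entry(m.group("code"), m.group("body"), None, ""))
    return entries


def orphaned(entries: List[Entry]) -> List[Entry]:
    """CLSID-based entries whose target file HijackThis reports as missing."""
    return [e for e in entries
            if e.clsid and e.target.strip().lower() == "(no file)"]


def still_present(flagged: List[Entry], followup: List[Entry]) -> List[Entry]:
    """Flagged entries that survive in the follow-up log (expected: none)."""
    keys = {e.key() for e in followup}
    return [e for e in flagged if e.key() in keys]


def added(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries in the follow-up log that were not in the earlier one."""
    keys = {e.key() for e in before}
    return [e for e in after if e.key() not in keys]


if __name__ == "__main__":
    before, after = parse_entries(BEFORE), parse_entries(AFTER)
    for e in orphaned(before):
        print("orphaned:", e.code, e.clsid, e.label)
    print("still present after fix:", still_present(orphaned(before), after))
    for e in added(before, after):
        print("new since last log:", e.code, e.label)
```

    Entries reported as new are not necessarily bad: here the added O23 service belongs to the scanner installed during the fix.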

  6. #6
    Junior Member
    Join Date
    Oct 2007
    Posts
    8

    Default Fix instructions followed

    ---------------------------------------------------------
    AVG Anti-Spyware - Relatório de verificação
    ---------------------------------------------------------

    + Criação: 17:24:01 16/11/2007

    + Resultado da verificação:



    C:\Documents and Settings\Vinicius\Cookies\vinicius@atdmt[2].txt -> TrackingCookie.Atdmt : Limpo.
    C:\Documents and Settings\Vinicius\Cookies\vinicius@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Limpo.
    C:\Documents and Settings\Vinicius\Cookies\vinicius@doubleclick[1].txt -> TrackingCookie.Doubleclick : Limpo.
    C:\Documents and Settings\Vinicius\Cookies\vinicius@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Limpo.
    C:\Documents and Settings\Vinicius\Cookies\vinicius@serving-sys[1].txt -> TrackingCookie.Serving-sys : Limpo.
    C:\Documents and Settings\Vinicius\Cookies\vinicius@site.skype[1].txt -> TrackingCookie.Skype : Limpo.
    C:\Documents and Settings\Vinicius\Cookies\vinicius@skype[2].txt -> TrackingCookie.Skype : Limpo.


    ::Fim do relatório

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:38:59, on 16/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Arquivos de programas\GbPlugin\GbpSv.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    C:\Arquivos de programas\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Arquivos de programas\Eset\nod32kui.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe
    C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Arquivos de programas\BitComet\BitComet.exe
    C:\Arquivos de programas\Skype\Phone\Skype.exe
    C:\Arquivos de programas\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Arquivos de programas\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Arquivos de programas\UOL\UIM\uim.exe
    C:\Arquivos de programas\MSN Messenger\usnsvc.exe
    C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de programas\GbPlugin\gbiehuni.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Arquivos de programas\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitComet] "C:\Arquivos de programas\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: UOL Messenger.lnk = C:\Arquivos de programas\UOL\UIM\uim.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br...bPluginUni.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 11051 bytes


  7. #7
    In Memoriam -Always in our heart teacup61's Avatar
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    759

    Default

    Hello,

    How is it running today please?
    teacup61

  8. #8
    Junior Member
    Join Date
    Oct 2007
    Posts
    8

    Thumbs up It´s now ok

    Hi Tea, it seems that I am clean now: the firewall doesn't detect any hijacking application anymore, and no threat is detected. I am thankful for your help, God bless you. But what did you find in the HijackThis log in my last post? When I ran AVG Anti-Spyware it solved 7 infected objects (cookies), as shown in the log. I think it's solved, but if you want to add more recommendations...


  9. #9
    In Memoriam -Always in our heart teacup61's Avatar
    Join Date
    Jun 2006
    Location
    Texas
    Posts
    759

    Default

    Hello,

    You're most welcome.

    The last log looked good. I just wanted to be sure everything was good on your end too.

    If there are no further problems:

    Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

    Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

    It is very important to maintain your Firewall.
    A tutorial on understanding and using firewalls may be found here.

    In order to protect yourself against spyware, you should consider installing and running the following free programs:

    SpywareBlaster
    A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

    SpywareGuard
    A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

    A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

    IE/Spyad:
    It places over 5000 malicious websites and domains in your IE's restricted zone.
    IE/Spyad

    Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

    * Avoid illegal sites, because that's where most malware is present.
    * Don't click on links inside popups.
    * Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
    * Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

    Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
    http://www.mozilla.org/products/firefox/

    Please make sure to run your antivirus software regularly, and to keep it up-to-date.

    Take care!
    tea
    teacup61

  10. #10
    Junior Member
    Join Date
    Oct 2007
    Posts
    8

    Unhappy Joy lasted few, infected again.

    Hi Tea, sorry for the bad news. There was not enough time to apply all your recommendations; I just downloaded Firefox and accessed my Orkut and some videos from YouTube and... hijacking, infected again! AVG Anti-Virus only detected that SHELL32.DLL was changed 24/10/2006. Would there be any hidden spyware in it?
    Seagate firewall log
    171 11/17/2007 04:26:50 Application Hijacking Critical Outgoing UDP 83.250.4.228 00-17-9A-FC-E2-09 192.168.0.164 00-C0-9F-45-AF-A6 C:\Arquivos de programas\Mozilla Firefox\firefox.exe Vinicius WAGNER Normal 1 11/17/2007 04:25:46 11/17/2007 04:25:46
    172 11/17/2007 04:37:42 Application Hijacking Information Outgoing UDP nat-08.bitcomet.org [125.45.61.183] 00-17-9A-FC-E2-09 192.168.0.164 00-C0-9F-45-AF-AC C:\Arquivos de programas\Mozilla Firefox\firefox.exe Vinicius WAGNER Normal 1 11/17/2007 04:37:13 11/17/2007 04:37:13
    173 11/17/2007 04:37:42 Application Hijacking Information Outgoing UDP nat-08.bitcomet.org [125.45.61.183] 00-17-9A-FC-E2-09 192.168.0.164 00-C0-9F-45-AF-A6 C:\Arquivos de programas\Mozilla Firefox\firefox.exe Vinicius WAGNER Normal 1 11/17/2007 04:37:35 11/17/2007 04:37:35
    174 11/17/2007 04:39:11 Application Hijacking Critical Outgoing UDP nat-08.bitcomet.org [125.45.61.183] 00-17-9A-FC-E2-09 192.168.0.164 00-C0-9F-45-AF-A6 C:\Arquivos de programas\Mozilla Firefox\firefox.exe Vinicius WAGNER Normal 1 11/17/2007 04:38:09 11/17/2007 04:38:09
    175 11/17/2007 04:39:11 Application Hijacking Critical Outgoing UDP nat-08.bitcomet.org [125.45.61.183] 00-17-9A-FC-E2-09 192.168.0.164 00-C0-9F-45-AF-A6 C:\Arquivos de programas\Mozilla Firefox\firefox.exe Vinicius WAGNER Normal 1 11/17/2007 04:38:25 11/17/2007 04:38:25
    176 11/17/2007 04:51:31 Application Hijacking Information Outgoing None 0.0.0.0 FF-FF-FF-FF-FF-FF 0.0.0.0 00-C0-9F-45-AF-A6 C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe Vinicius WAGNER Normal 1 11/17/2007 04:50:30 11/17/2007 04:50:30
    177 11/17/2007 12:40:51 Application Hijacking Information Outgoing TCP guru.grisoft.com [193.86.3.36] 00-17-9A-FC-E2-09 192.168.0.164 00-C0-9F-45-AF-A6 C:\Arquivos de programas\Grisoft\AVG7\avgcc.exe Vinicius WAGNER Normal 1 11/17/2007 12:39:52 11/17/2007 12:39:52
    178 11/17/2007 12:40:51 Application Hijacking Critical Outgoing TCP guru.grisoft.com [193.86.3.38] 00-17-9A-FC-E2-09 192.168.0.164 00-C0-9F-45-AF-A6 C:\Arquivos de programas\Grisoft\AVG7\avgcc.exe Vinicius WAGNER Normal 1 11/17/2007 12:40:22 11/17/2007 12:40:22

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:08:28, on 17/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Arquivos de programas\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Arquivos de programas\GbPlugin\GbpSv.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    C:\Arquivos de programas\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Arquivos de programas\Eset\nod32kui.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmon.exe
    C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
    C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Arquivos de programas\BitComet\BitComet.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Skype\Phone\Skype.exe
    C:\Arquivos de programas\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Arquivos de programas\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Arquivos de programas\UOL\UIM\uim.exe
    C:\Arquivos de programas\MSN Messenger\usnsvc.exe
    C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
    C:\Arquivos de programas\Outlook Express\msimn.exe
    C:\Arquivos de programas\Messenger\msmsgs.exe
    C:\Arquivos de programas\LimeWire\LimeWire.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\ARQUIV~1\Grisoft\AVG7\avgwb.dat
    C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start

    Page = http://www.terra.com.br/capa/
    R1 - HKLM\Software\Microsoft\Internet

    Explorer\Main,Default_Page_URL =

    http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet

    Explorer\Main,Default_Search_URL =

    http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

    Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

    Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Skype add-on (mastermind) -

    {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de

    programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF}

    - C:\Arquivos de programas\Scpad\scpsssh2.dll
    O2 - BHO: BitComet ClickCapture -

    {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de

    programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F}

    - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class -

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de

    programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper -

    {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de

    programas\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO -

    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de

    programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: G-Buster Browser Defense Unibanco -

    {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\Arquivos de

    programas\GbPlugin\gbiehuni.dll
    O3 - Toolbar: &Google -

    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de

    programas\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray]

    C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Arquivos de programas\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Arquivos de programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Arquivos de programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [TrojanScanner] C:\Arquivos de programas\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitComet] "C:\Arquivos de programas\BitComet\BitComet.exe" /tray
    O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: UOL Messenger.lnk = C:\Arquivos de programas\UOL\UIM\uim.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...lt/kavwebscan_unicode.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...rStatsPAClient.cab56907.cab
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br...cab/GbPluginUni.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...er.cab56986.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Arquivos de programas\HPQ\SHARED\HPQWMI.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

    --
    End of file - 11234 bytes

    ---------------------------------------------------------
    AVG Anti-Spyware - Relatório de verificação
    ---------------------------------------------------------

    + Criação: 05:41:01 17/11/2007

    + Resultado da verificação:



    :mozilla.41:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Adbrite : Limpo.
    :mozilla.42:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Adbrite : Limpo.
    :mozilla.43:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Adbrite : Limpo.
    :mozilla.50:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Adbrite : Limpo.
    :mozilla.51:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Adbrite : Limpo.
    :mozilla.67:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Atdmt : Limpo.
    :mozilla.13:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Doubleclick : Limpo.
    :mozilla.103:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Googleadservices : Limpo.
    :mozilla.108:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Googleadservices : Limpo.
    :mozilla.112:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Googleadservices : Limpo.
    :mozilla.113:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Googleadservices : Limpo.
    :mozilla.115:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Googleadservices : Limpo.
    :mozilla.70:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Pointroll : Limpo.
    :mozilla.71:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Pointroll : Limpo.
    :mozilla.72:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Pointroll : Limpo.
    :mozilla.73:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Pointroll : Limpo.
    :mozilla.74:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Pointroll : Limpo.
    :mozilla.75:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Pointroll : Limpo.
    :mozilla.76:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Pointroll : Limpo.
    :mozilla.33:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Yieldmanager : Limpo.
    :mozilla.34:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Yieldmanager : Limpo.
    :mozilla.35:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Yieldmanager : Limpo.
    :mozilla.36:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Yieldmanager : Limpo.
    :mozilla.37:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Yieldmanager : Limpo.
    :mozilla.39:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Yieldmanager : Limpo.
    :mozilla.40:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Yieldmanager : Limpo.
    :mozilla.44:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Zedo : Limpo.
    :mozilla.46:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Zedo : Limpo.
    :mozilla.47:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Zedo : Limpo.
    :mozilla.48:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Zedo : Limpo.
    :mozilla.49:C:\Documents and Settings\Vinicius\Dados de aplicativos\Mozilla\Firefox\Profiles\39ecau63.default\cookies.txt -> TrackingCookie.Zedo : Limpo.


    ::Fim do relatório
