Safer-Networking Forums (General Malware archive)
Old 2006-08-14, 23:24   #1
indigoclio
Junior Member
 
Join Date: Aug 2006
Posts: 4
Slow Computer, Trojans and weird WinLogon entries?

Hello

Over the last few days, my computer has become very slow, for unknown reasons. I thought that it could be a virus/malware, and examined it with BitDefender (log below). The online antivirus found some trojans and deleted some of them. But I want to know: is my computer clean?

For some extra information: some days ago I received a really strange popup telling me I had a virus infection, but it wasn't an Avast popup; rather, it was a JavaScript command from the page, or something like that. And on the Tools/System Startup tab in Spybot there are some WinLogon entries with really weird value names, like these:

Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Hope it helps
Thanks in Advance!

BitDefender Online Scanner
Scan report generated at: Mon, Aug 14, 2006 - 16:47:45
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 02:34:32
Files: 422527
Folders: 4760
Boot Sectors: 2
Archives: 9519
Packed Files: 34729

Results
Identified Viruses: 10
Infected Files: 13
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 13

Engines Info
Virus Definitions: 444449
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip=>javainstaller/InstallerApplet.class | Infected with: Trojan.Downloader.Ieax.A
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip=>javainstaller/InstallerApplet.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip=>javainstaller/InstallerApplet.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Matrix.class | Infected with: Java.Trojan.Downloader.OpenStream.C
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Matrix.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Matrix.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Counter.class | Infected with: Trojan.Java.Classloader.H
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Counter.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Counter.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Dummy.class | Infected with: Trojan.Java.Classloader.G
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Dummy.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Dummy.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Parser.class | Infected with: Trojan.Java.Classloader.D
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Parser.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Parser.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>GetAccess.class | Infected with: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>GetAccess.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>GetAccess.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>InsecureClassLoader.class | Infected with: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>InsecureClassLoader.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>InsecureClassLoader.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Dummy.class | Infected with: Trojan.Java.Classloader.Dummy.A
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Dummy.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Dummy.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip | Updated
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Installer.class | Infected with: Java.Trojan.OpenConnection.F
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Installer.class | Disinfection failed
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Installer.class | Deleted
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip | Updated
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html=>(gzip) | Infected with: Trojan.Spy.Banker.HQ
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html=>(gzip) | Disinfection failed
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html=>(gzip) | Deleted
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html | Update failed
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\navcell-off[1].htm | Infected with: Trojan.Spy.Banker.HQ
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\navcell-off[1].htm | Disinfection failed
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\navcell-off[1].htm | Deleted
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\2TJW14R2\apardetudo.hpg.ig.com[1].htm | Infected with: Trojan.Spy.Banker.HQ
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\2TJW14R2\apardetudo.hpg.ig.com[1].htm | Disinfection failed
C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\2TJW14R2\apardetudo.hpg.ig.com[1].htm | Deleted
C:\System Volume Information\_restore{0E43D19E-22F2-4164-B6FC-BDCFFDB476D5}\RP396\A0104280.exe | Infected with: Trojan.Downloader.Banload.AOO
C:\System Volume Information\_restore{0E43D19E-22F2-4164-B6FC-BDCFFDB476D5}\RP396\A0104280.exe | Disinfection failed
C:\System Volume Information\_restore{0E43D19E-22F2-4164-B6FC-BDCFFDB476D5}\RP396\A0104280.exe
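The scan report above is easier to act on once it is grouped per file: each infected member of an archive shows up three times (Infected with, Disinfection failed, Deleted) and its container once more (Updated). The following summariser is an added example, not BitDefender's code and not anything posted in the thread. It pairs each path with its status line, groups the statuses by container (the part of the path before `=>`), and lists the containers that still deserve a look. The sample input is constructed from a subset of the paths and verdicts in the post; reading "Update failed" as "the archive could not be rewritten, so the member may still be inside it" is my interpretation, not something the report states.

```python
"""Summarise a BitDefender Online Scanner report of the kind posted above.

Added example; not BitDefender's code and not from the forum thread.
"""
from collections import OrderedDict

# Status strings exactly as they appear in the posted report.
STATUS_PREFIXES = ("Infected with:", "Disinfection failed", "Deleted",
                   "Updated", "Update failed")


def is_status(line):
    return line.startswith(STATUS_PREFIXES)


def parse_report(text):
    """Map each scanned path to the list of statuses reported for it, in order.

    A path line is normally followed by one status line.  A path that is not
    followed by any status (the posted report is cut off mid-record) is still
    recorded, with no status appended, so it is not silently lost.
    """
    records = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if is_status(line):
            if current is not None:          # a status with no path is ignored
                records[current].append(line)
                current = None
            continue
        current = line
        records.setdefault(current, [])
    return records


def report_is_truncated(text):
    """True when the last non-blank line is a path that never got a status."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and not is_status(lines[-1])


def summarize(records):
    """Group detections by container and record how each one ended."""
    summary = OrderedDict()
    for path, statuses in records.items():
        container = path.split("=>", 1)[0]
        entry = summary.setdefault(container, {"signatures": [],
                                               "all_deleted": True,
                                               "container_status": None})
        signatures = [s[len("Infected with:"):].strip()
                      for s in statuses if s.startswith("Infected with:")]
        if signatures:
            entry["signatures"].extend(signatures)
            if "Deleted" not in statuses:
                entry["all_deleted"] = False
        elif statuses:
            # Only the container line itself carries Updated / Update failed.
            entry["container_status"] = statuses[-1]
    return summary


def needs_attention(summary):
    """Containers whose detection was not deleted, or whose rewrite failed.

    Treating 'Update failed' as 'the member may still be in the archive' is an
    assumption about BitDefender's wording, not something the report states.
    """
    return [c for c, e in summary.items()
            if not e["all_deleted"] or e["container_status"] == "Update failed"]


# Constructed sample: four of the records from the posted report, ending
# mid-record exactly as the post does.
JAR = r"C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip"
HTML = r"C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html"
HTM = r"C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\navcell-off[1].htm"
EXE = r"C:\System Volume Information\_restore{0E43D19E-22F2-4164-B6FC-BDCFFDB476D5}\RP396\A0104280.exe"

SAMPLE_REPORT = "\n".join([
    JAR + "=>Matrix.class", "Infected with: Java.Trojan.Downloader.OpenStream.C",
    JAR + "=>Matrix.class", "Disinfection failed",
    JAR + "=>Matrix.class", "Deleted",
    JAR, "Updated",
    HTML + "=>(gzip)", "Infected with: Trojan.Spy.Banker.HQ",
    HTML + "=>(gzip)", "Disinfection failed",
    HTML + "=>(gzip)", "Deleted",
    HTML, "Update failed",
    HTM, "Infected with: Trojan.Spy.Banker.HQ",
    HTM, "Disinfection failed",
    HTM, "Deleted",
    EXE, "Infected with: Trojan.Downloader.Banload.AOO",
    EXE, "Disinfection failed",
    EXE,                                   # the posted report ends here
])

if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for container, entry in summary.items():
        print(container)
        print("   detections:", ", ".join(entry["signatures"]) or "(none)")
        print("   all deleted:", entry["all_deleted"],
              " container:", entry["container_status"])
    print("truncated report:", report_is_truncated(SAMPLE_REPORT))
    print("needs attention:", needs_attention(summary))
```

Run it on the full report by reading the status section into `parse_report`; the two paths it returns for the sample are the `index[1].html` container whose rewrite failed and the restore-point executable whose record the post never finishes.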
Old 2006-08-14, 23:25   #2
indigoclio
Junior Member
 
Join Date: Aug 2006
Posts: 4
HijackThis Log

Logfile of HijackThis v1.98.2
Scan saved at 17:52:43, on 14/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Microsoft Office\Office\1046\msoffice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Nova pasta\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guiadoscuriosos.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.semptoshiba.com.br
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Registro da Corel.lnk.disabled
O4 - Global Startup: Alarmes do CorelCENTRAL.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Analisar com LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Download usando Assistente LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download usando LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\AddUrl.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.semptoshiba.com.br
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br...bPluginUni.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
Old 2006-08-18, 01:54   #3
LonnyRJones
Visiting Staff
 
Join Date: Oct 2005
Posts: 5,089

Hi
You did not delete any of the files, did you?
If not, re-enable all these normal Windows items >
Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
=========

then restart your PC

Post a current-version HijackThis log please
HijackThis 1.99.1
http://www.merijn.org/files/HijackThis.exe
__________________
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft MVP Windows-Security 2006
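The advice above treats those nine Notify entries as standard Windows components, and the point generalises: Winlogon Notify packages are DLLs loaded into winlogon.exe at logon, so the thing to check is whether each subkey and its DllName match what Windows itself registers. The script below is an added example (not Spybot's code and not from the thread) that uses the nine entries quoted in the thread as a baseline and compares a host's `Winlogon\Notify` subkeys against it. The rule that a DllName given as a full path outside System32 is worth a look, and the `example_hook` sample entry with its path, are my assumptions and not from the page.

```python
"""Compare Winlogon Notify entries against the baseline the thread calls normal.

Added example; not Spybot's code and not from the forum thread.  On Windows
the live registry key is read with winreg; on any other platform the
constructed sample at the bottom stands in for it.
"""
import ntpath
import sys

NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Baseline: the nine entries quoted in the thread, keyed by lower-cased subkey.
KNOWN_XP_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}


def classify(subkey, dllname, system32=r"C:\WINDOWS\system32"):
    """Return 'ok' or a one-line reason why this Notify entry deserves a look."""
    dll = dllname.strip().strip('"')
    directory, base = ntpath.split(dll)      # works for Windows paths on any OS
    # A bare file name is resolved from System32; an explicit path elsewhere
    # is the assumed red flag (assumption of this example, not from the page).
    if directory and directory.rstrip("\\").lower() != system32.rstrip("\\").lower():
        return "DllName points outside System32: %s" % dll
    expected = KNOWN_XP_NOTIFY.get(subkey.lower())
    if expected is None:
        return "subkey not in the XP baseline (verify the vendor): %s -> %s" % (
            subkey, dll or "<no DllName>")
    if base.lower() != expected:
        return "unexpected DllName for %s: %s (baseline %s)" % (subkey, dll, expected)
    return "ok"


def classify_all(entries, system32=r"C:\WINDOWS\system32"):
    """Classify a list of (subkey, DllName) pairs; returns subkey -> verdict."""
    return {subkey: classify(subkey, dll, system32) for subkey, dll in entries}


def read_notify_entries():
    """Read the live Notify subkeys and their DllName values (Windows only)."""
    import winreg   # standard library, present only on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as key:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(key, index)
            except OSError:
                break                        # no more subkeys
            index += 1
            with winreg.OpenKey(key, sub) as subkey:
                try:
                    dll, _ = winreg.QueryValueEx(subkey, "DllName")
                except OSError:
                    dll = ""
            entries.append((sub, str(dll)))
    return entries


# Constructed sample: the nine entries from the thread plus one hypothetical
# entry (name and path made up for this example) that the baseline rejects.
SAMPLE_ENTRIES = [
    ("crypt32chain", "crypt32.dll"), ("cryptnet", "cryptnet.dll"),
    ("cscdll", "cscdll.dll"), ("ScCertProp", "wlnotify.dll"),
    ("Schedule", "wlnotify.dll"), ("sclgntfy", "sclgntfy.dll"),
    ("SensLogn", "WlNotify.dll"), ("termsrv", "wlnotify.dll"),
    ("wlballoon", "wlnotify.dll"),
    ("example_hook", r"C:\Documents and Settings\user\hook.dll"),
]

if __name__ == "__main__":
    entries = read_notify_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for sub, verdict in classify_all(entries).items():
        print("%-14s %s" % (sub, verdict))
```

A "not in the XP baseline" verdict means verify the vendor, not that the entry is malicious: graphics drivers and some security products legitimately register Notify packages too, so the baseline is a starting point for review, and an "ok" only says the name and DLL match what Windows ships, not that the DLL on disk is unmodified.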
Old 2006-08-18, 04:37   #4
indigoclio
Junior Member
 
Join Date: Aug 2006
Posts: 4

Re-enabled the WinLogon entries and redid the scan with the newest HijackThis.
BTW, this computer has two user profiles on WinXP: mine (the Gabi one) and the other one (asd), which is used by my mother. Should I do an HJT scan from her profile too?

Logfile of HijackThis v1.99.1
Scan saved at 23:28:30, on 17/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Microsoft Office\Office\1046\msoffice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Nova pasta\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guiadoscuriosos.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.semptoshiba.com.br
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Registro da Corel.lnk.disabled
O4 - Global Startup: Alarmes do CorelCENTRAL.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Analisar com LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Download usando Assistente LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download usando LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\AddUrl.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.semptoshiba.com.br
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br...bPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02E8671F-FAFB-483E-A18D-DBF9E22610C0}: NameServer = 200.165.132.148 200.149.55.140
O17 - HKLM\System\CS2\Services\Tcpip\..\{02E8671F-FAFB-483E-A18D-DBF9E22610C0}: NameServer = 200.165.132.148 200.149.55.140
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe (file missing)
Old 2006-08-18, 06:08   #5
LonnyRJones
Visiting Staff
 
Join Date: Oct 2005
Posts: 5,089

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache

To clear Java's cache, open the Windows Control Panel > Java and click the Delete Files button.
Update Sun's Java manually
Sun Java "Java Runtime Environment (JRE) 5.0 Update 8" is Available:
http://forums.spybot.info/showpost.p...80&postcount=2
Afterwards it's important to uninstall the old versions via Add/Remove Programs.

Other than a remnant of Symantec, your log looks fine. I assume it was uninstalled?

You can post a log taken from the other profile, but it's not needed unless there are spyware symptoms/problems.
__________________
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft MVP Windows-Security 2006
Old 2006-08-18, 20:50   #6
indigoclio
Junior Member
 
Join Date: Aug 2006
Posts: 4

Well, I cleared the cache and updated Java as you asked, removing the old versions. About the Symantec entry: it's because I used to have Norton, but not anymore. Is there a way to take off that remnant?

And I'm putting the HJT log for the other profile below, since BitDefender found a bank Trojan on it; just to be on the safe side.

Thanks for all the help!

Logfile of HijackThis v1.99.1
Scan saved at 15:40:20, on 18/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\D-Tools\daemon.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Java\jre1.5.0_08\bin\jusched.exe
C:\Arquivos de programas\Microsoft Office\Office\1046\msoffice.exe
C:\Nova pasta\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guiadoscuriosos.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.semptoshiba.com.br
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.4.1.4:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_08\bin\jusched.exe
O4 - Global Startup: Alarmes do CorelCENTRAL.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: Download using LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Arquivos de programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.semptoshiba.com.br
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br...bPluginUni.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe (file missing)
Old 2006-08-19, 01:48   #7
LonnyRJones
Visiting Staff
 
Join Date: Oct 2005
Posts: 5,089

Looks fine.

Norton/Symantec programs are notorious for not cleaning up after themselves.
Go here and follow the instructions for whatever version it was that you had:
Symantec Removal: http://basconotw.mvps.org/SymRem.htm
__________________
~~~~~~~~~~~~~~~~~~~~~~~
Microsoft MVP Windows-Security 2006
Old 2006-08-25, 18:59   #8
tashi
Member of Team Spybot
 
 
Join Date: Oct 2005
Location: USA
Posts: 23,455

This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.
__________________
UNITE-ASAP

Microsoft MVP. Consumer Security 2006-2010

Please help us improve Spybot, download our distributed testing client
 

Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.