Please help removing Smitfraud-C.Toolbar888
edpassos
2007-05-26, 23:21
Hi, guys.
I'm new here, but I saw very nice threads in this forum.
I have a big problem removing Smitfraud-C.Toolbar888. Spybot finds and removes Smitfraud-C.Toolbar888, but it shows up again on a new scan (it is always found here: HKEY_USERS\S-1-5-21-2699755501-2114792994-2502876439-1005\Software\Microsoft\aldd).
Additionally, web browser windows always pop up with some ads like WinAntiVirus Pro 2006 or Error Safe, for instance. And sometimes my web browser is closed.
My OS is Windows XP SP2 and I have run Symantec Antivirus Corporate Edition, Spybot, HijackThis and Smitfraudfix.
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:19:30, on 26/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Azureus\Azureus.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Edu & Ana\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp14.tmp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [AMSG] C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\nnoono.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Azureus Vuze.lnk = C:\Arquivos de programas\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: kbdrch - C:\WINDOWS\SYSTEM32\kbdrch.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
And here is the Smitfraud log:
SmitFraudFix v2.188
Scan done at 17:15:54,25, sáb 26/05/2007
Run from
C:\Documents and Settings\Edu & Ana\Desktop\SmitfraudFix
OS: Microsoft Windows XP [versão 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Azureus\Azureus.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\EDU
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Arquivos de programas
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Minha página inicial atual"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/1000 PM Network Connection - Miniporta do agendador de pacotes
DNS Server Search Order: 200.174.144.14
DNS Server Search Order: 200.174.144.15
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F5AD6340-AA50-4D1D-A251-434154D5C275}: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F5AD6340-AA50-4D1D-A251-434154D5C275}: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F5AD6340-AA50-4D1D-A251-434154D5C275}: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=200.174.144.14 200.174.144.15
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Thank you all in advance for your help!!!
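As an added example (not code from the thread, HijackThis or SmitFraudFix), a small Python triage script that reads HijackThis O2/O4/O20 lines in the format posted above and lists the entries a helper would look at twice: unnamed BHOs loaded straight from the Windows folder or from a temp-named DLL, orphaned BHO registrations, Run keys that use rundll32 to load a DLL from C:\WINDOWS, and a Winlogon Notify DLL that is also registered as a BHO. The heuristics and the constructed sample log are my assumptions, not rules from any of those tools.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example for this thread, not code from HijackThis, SmitFraudFix or the
forum. The heuristics are assumptions about which entries deserve a second
look; they do not prove anything is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: a subset of O2/O4/O20 lines in the format the first post shows.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp14.tmp.dll
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\nnoono.dll",realset
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: kbdrch - C:\WINDOWS\SYSTEM32\kbdrch.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""

_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
_RUN = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32 <dll>[,<entry point>]; the DLL path may be quoted.
_RUNDLL = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?')
# A DLL sitting directly in C:\WINDOWS or C:\WINDOWS\system32, not in a deeper folder.
_WINDIR_DLL = re.compile(r"(?i)^c:\\windows\\(?:system32\\)?[^\\]+\.dll$")
_TMP_DLL = re.compile(r"(?i)\\tmp\d+\.tmp\.dll$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag: O2, O4 or O20
    target: str    # file, CLSID or command the entry loads
    reason: str    # why a helper would look twice


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: every DLL registered as a BHO, so O20 entries can be cross-checked
    # regardless of the order the sections appear in.
    bho_dlls: Set[str] = set()
    for line in lines:
        m = _BHO.match(line)
        if m and m.group("path").strip() != "(no file)":
            bho_dlls.add(_basename(m.group("path").strip()))
    # Pass 2: apply the heuristics.
    findings: List[Finding] = []
    for line in lines:
        m = _BHO.match(line)
        if m:
            name, path = m.group("name"), m.group("path").strip()
            if path == "(no file)":
                findings.append(Finding("O2", "{%s}" % m.group("clsid"),
                                        "BHO registered for a DLL that no longer exists"))
            elif _TMP_DLL.search(path):
                findings.append(Finding("O2", path, "BHO loads a temp-style named DLL"))
            elif name == "(no name)" and _WINDIR_DLL.match(path):
                findings.append(Finding("O2", path, "unnamed BHO loaded straight from the Windows folder"))
            continue
        m = _RUN.match(line)
        if m:
            r = _RUNDLL.match(m.group("cmd"))
            if r and _WINDIR_DLL.match(r.group("dll").strip()):
                findings.append(Finding("O4", r.group("dll").strip(),
                                        "Run key [%s] uses rundll32 to load a DLL from the Windows folder"
                                        % m.group("key")))
            continue
        m = _NOTIFY.match(line)
        if m:
            path = m.group("path").strip()
            # Same DLL in two independent load points (browser and logon) is worth a question.
            if _basename(path) in bho_dlls:
                findings.append(Finding("O20", path, "Winlogon Notify DLL is also registered as a BHO"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %-60s %s" % (f.section, f.target, f.reason))
```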
Hello edpassos and welcome to the Forums :)
you're infected....
First you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...
Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
edpassos
2007-05-27, 17:28
Hey Mr_JAk3,
Thanks a lot for your help.
Here is VundoFix.txt content:
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 11:09:26 27/5/2007
Listing files found while scanning....
C:\WINDOWS\nnoono.dll
C:\WINDOWS\onoonn.ini
Beginning removal...
Attempting to delete C:\WINDOWS\onoonn.ini
C:\WINDOWS\onoonn.ini Has been deleted!
Performing Repairs to the registry.
Done!
And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:27:49, on 27/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Azureus\Azureus.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Edu & Ana\Desktop\HijackThis.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\system32\tmp14.tmp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [AMSG] C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Azureus Vuze.lnk = C:\Arquivos de programas\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: kbdrch - C:\WINDOWS\SYSTEM32\kbdrch.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
Thank you again.
Hi again :)
Before we continue I would like you to do something for me...
I need you to upload a few malware files for further inspection.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then OK, and close My Computer.
Please go here (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Click "Browse" on the first field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\kbdrch.dll
In the comments, please mention that I asked you to upload this file
Click on Send File
Please let me know when you have done this and then we'll get you cleaned :bigthumb:
edpassos
2007-05-28, 00:06
Hi, Mr_JAk3,
I suppose I have removed the malware. I used AntiPuper.exe and Spybot is no longer finding Smitfraud-C.Toolbar888. :eek:
Spybot found only the entry Microsoft.WindowsSecurityCenter.FirewallDisableNotify (in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0). I suppose it's not a problem, right?
However, my Internet Explorer still closed suddenly once (Mozilla Firefox is working fine). Do you think I should follow your instructions?
Here is the newest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 18:05:15, on 27/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Azureus\Azureus.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Edu & Ana\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [AMSG] C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Azureus Vuze.lnk = C:\Arquivos de programas\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: kbdrch - C:\WINDOWS\SYSTEM32\kbdrch.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
Thanks a lot.
edpassos
2007-05-28, 02:43
Another question:
VundoFix has removed the file C:\WINDOWS\nnoono.dll. Now, I get the following RUNDLL error message on Windows startup: "Error loading C:\WINDOWS\nnoono.dll. The specified module could not be found". What should I do?
Thanks
Hello :)
You're not clean yet...
Run VundoFix again
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\hcrdbk.*
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
edpassos
2007-05-28, 21:56
Hi, Mr_JAk3,
I ran VundoFix and after I clicked on Remove Vundo, it reported that kbdrch.dll couldn't be removed and it rebooted my computer.
During Windows startup, it prompted me VundoFix again and I clicked on Remove Vundo button. It repeated that kbdrch.dll couldn't be removed and it rebooted the machine once more.
When it started up for the second time, no file was showing in the white box (however, I didn't receive any confirmation that kbdrch.dll was deleted).
Here is VundoFix.txt content:
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 11:09:26 27/5/2007
Listing files found while scanning....
C:\WINDOWS\nnoono.dll
C:\WINDOWS\onoonn.ini
Beginning removal...
Attempting to delete C:\WINDOWS\onoonn.ini
C:\WINDOWS\onoonn.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 13:00:04 27/5/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 15:28:11 28/5/2007
Listing files found while scanning....
C:\WINDOWS\nnoono.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Here is HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 15:53:20, on 28/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Azureus\Azureus.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Eduardo\Programas\Anti Malware\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [AMSG] C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Azureus Vuze.lnk = C:\Arquivos de programas\Azureus\Azureus.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: kbdrch - C:\WINDOWS\SYSTEM32\kbdrch.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
Thanks and best regards.
Hi again :)
We'll continue...
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
edpassos
2007-05-30, 01:04
Hi, Mr_JAk3,
Here is ComboFix log:
"Edu & Ana" - 2007-05-29 19:00:13 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Eduardo\Programas\Anti Malware\"
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))
2007-05-29 00:52 <DIR> d-------- C:\WINDOWS\ShellNew
2007-05-28 01:23 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Meus documentos
2007-05-28 00:45 679 --a------ C:\WINDOWS\mozver.dat
2007-05-27 12:57 <DIR> d-------- C:\WINDOWS\pss
2007-05-27 12:40 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-27 12:36 106,536 --a------ C:\WINDOWS\nnmjhe.dll
2007-05-27 11:09 <DIR> d-------- C:\VundoFix Backups
2007-05-26 17:00 106,378 --a------ C:\WINDOWS\jkjhfd.dll
2007-05-26 16:29 <DIR> d-------- C:\WINDOWS\CSC
2007-05-26 15:29 3,034 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-26 15:28 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-26 15:28 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-26 15:28 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-26 12:19 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-26 10:37 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Ahead
2007-05-26 10:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Nero
2007-05-26 10:35 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Ahead
2007-05-26 10:29 <DIR> d-------- C:\Arquivos de programas\Nero
2007-05-25 22:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-05-25 22:10 <DIR> d-------- C:\Arquivos de programas\Marcos Velasco Security
2007-05-25 19:54 <DIR> d-------- C:\WINDOWS\IBM
2007-05-25 18:44 77,824 --------- C:\WINDOWS\system32\kbdrch.dll
2007-05-25 16:15 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-05-25 16:15 0 -rahs---- C:\MSDOS.SYS
2007-05-25 16:15 <DIR> d-------- C:\Documents and Settings\EDU&AN~1\WINDOWS
2007-05-25 16:15 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\WINDOWS
2007-05-25 16:15 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Lotus
2007-05-24 19:55 <DIR> d-------- C:\Arquivos de programas\MSXML 6.0
2007-05-24 19:52 <DIR> d-------- C:\Arquivos de programas\MSBuild
2007-05-24 19:49 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-24 19:48 <DIR> d-------- C:\Arquivos de programas\Reference Assemblies
2007-05-24 19:46 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-24 19:46 <DIR> d-------- C:\9b07516d7cd2d124ee44d04b
2007-05-24 19:39 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-05-24 18:31 <DIR> d-------- C:\Arquivos de programas\Windows Media Connect 2
2007-05-24 18:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-24 18:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-23 22:16 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-23 22:16 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-23 22:16 <DIR> d-------- C:\Arquivos de programas\Symantec
2007-05-23 21:26 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-23 19:28 <DIR> d-------- C:\swd
2007-05-23 19:25 <DIR> d-------- C:\sdwork
2007-05-23 18:34 164,224 --a------ C:\WINDOWS\system32\drivers\abvpn2k.sys
2007-05-23 18:34 13,952 --a------ C:\WINDOWS\system32\drivers\avpnnic.sys
2007-05-23 18:33 <DIR> d-------- C:\Arquivos de programas\AT&T Network Client
2007-05-23 18:19 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-05-23 18:19 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-05-23 18:19 159,744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-23 18:18 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe
2007-05-23 18:18 552,960 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-23 18:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-05-23 18:18 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-05-23 18:18 1,712,128 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-05-23 18:18 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Samsung
2007-05-23 18:18 <DIR> d-------- C:\Arquivos de programas\Samsung
2007-05-23 18:18 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\ST System Shared
2007-05-23 18:16 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-23 18:16 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-23 18:15 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-23 18:15 61,440 --a------ C:\WINDOWS\system32\dgnct511.dll
2007-05-23 18:15 54,784 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-23 18:15 36,864 --a------ C:\WINDOWS\system32\vgnct511.dll
2007-05-23 18:15 28,672 --a------ C:\WINDOWS\vgnct511.exe
2007-05-23 18:15 229,376 --a------ C:\WINDOWS\system32\drivers\gnct511.sys
2007-05-23 18:15 20,480 --a------ C:\WINDOWS\dgnct511.exe
2007-05-23 18:15 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-23 18:15 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-23 18:15 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-23 18:15 120,867 --a------ C:\WINDOWS\ugnct511.exe
2007-05-23 18:15 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-23 18:15 <DIR> d-------- C:\WINDOWS\Album
2007-05-23 18:15 <DIR> d-------- C:\Arquivos de programas\KYE
2007-05-23 13:37 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-05-23 08:57 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0
2007-05-22 23:44 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-22 23:22 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-22 23:21 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-05-22 23:20 607,196 --a------ C:\WINDOWS\system32\drivers\ltmdmnt.sys
2007-05-22 19:49 <DIR> d-------- C:\Arquivos de programas\SlySoft
2007-05-22 19:48 <DIR> d-------- C:\Arquivos de programas\DAMN NFO Viewer
2007-05-22 19:44 <DIR> d-------- C:\WINDOWS\system32\pt-br
2007-05-22 19:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Windows Genuine Advantage
2007-05-22 19:17 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Azureus
2007-05-22 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Azureus
2007-05-22 19:14 <DIR> d-------- C:\Arquivos de programas\Azureus
2007-05-22 19:09 <DIR> d-------- C:\Arquivos de programas\eMule
2007-05-22 18:59 <DIR> d-------- C:\Documents and Settings\EDU&AN~1\Contacts
2007-05-22 18:59 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\Contacts
2007-05-22 18:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-22 18:58 <DIR> d-------- C:\Arquivos de programas\MSN Messenger
2007-05-22 18:55 <DIR> d--hs---- C:\RECYCLER
2007-05-22 18:51 <DIR> d-------- C:\Eduardo
2007-05-22 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\ThinkVantage
2007-05-22 18:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DADOSD~1\Lenovo
2007-05-22 18:28 143,360 --a------ C:\WINDOWS\system32\igfxres.dll
2007-05-22 18:27 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-05-22 18:27 2,883,584 --ah----- C:\Documents and Settings\EDU&AN~1\NTUSER.DAT
2007-05-22 18:27 2,883,584 --ah----- C:\DOCUME~1\EDU&AN~1\NTUSER.DAT
2007-05-22 18:27 <DIR> dr-h----- C:\Documents and Settings\EDU&AN~1\Dados de aplicativos
2007-05-22 18:27 <DIR> dr-h----- C:\DOCUME~1\EDU&AN~1\Dados de aplicativos
2007-05-22 18:27 <DIR> dr------- C:\Documents and Settings\EDU&AN~1\Meus documentos
2007-05-22 18:27 <DIR> dr------- C:\Documents and Settings\EDU&AN~1\Menu Iniciar
2007-05-22 18:27 <DIR> dr------- C:\Documents and Settings\EDU&AN~1\Favoritos
2007-05-22 18:27 <DIR> dr------- C:\DOCUME~1\EDU&AN~1\Meus documentos
2007-05-22 18:27 <DIR> dr------- C:\DOCUME~1\EDU&AN~1\Menu Iniciar
2007-05-22 18:27 <DIR> dr------- C:\DOCUME~1\EDU&AN~1\Favoritos
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Modelos
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Configurações locais
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Ambiente de rede
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Ambiente de impressão
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Modelos
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Configurações locais
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Ambiente de rede
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Ambiente de impressão
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\ThinkVantage
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Symantec
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\IBM
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Google
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\ThinkVantage
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\Symantec
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\IBM
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\Google
2007-05-22 18:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\ThinkVantage
2007-05-22 18:19 <DIR> d-------- C:\WINDOWS\system32\Client Security
2007-05-22 18:17 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-05-01 11:29 17,792 --a------ C:\WINDOWS\system32\drivers\tpm.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-29 02:17:43 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2007-05-28 19:27:25 40 ----a-w C:\WINDOWS\system32\profile.dat
2007-05-27 03:00:12 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2007-05-25 21:29:52 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-05-25 01:04:47 -------- d-----w C:\Arquivos de programas\Picasa2
2007-05-24 23:18:10 78,760 ----a-w C:\WINDOWS\system32\perfc016.dat
2007-05-24 23:18:10 469,136 ----a-w C:\WINDOWS\system32\perfh016.dat
2007-05-24 21:28:55 -------- d-----w C:\Arquivos de programas\Windows Media Connect
2007-05-24 01:15:47 -------- d-----w C:\Arquivos de programas\Symantec Client Security
2007-05-23 21:19:47 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-05-23 12:00:08 -------- d-----w C:\Arquivos de programas\Messenger
2007-05-22 21:54:04 -------- d-----w C:\Arquivos de programas\Google
2007-05-22 21:28:15 0 ---ha-w C:\IO.SYS
2007-05-22 21:28:15 0 ---ha-w C:\CONFIG.SYS
2007-05-22 21:28:15 0 ---ha-w C:\AUTOEXEC.BAT
2007-04-18 16:13:00 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 16:33:34 254,872 ----a-w C:\WINDOWS\system32\drivers\e1e5132.sys
2007-04-12 14:47:30 154,496 ----a-w C:\WINDOWS\system32\Prounstl.exe
2007-03-23 09:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 09:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 23:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:44:49 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:54 578,048 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:54 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:54 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:32 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{2283dc47-503c-4465-ab10-daf1a4762580}=C:\WINDOWS\system32\kbdrch.dll [2007-05-25 18:44]
{53707962-6F74-2D53-2644-206D7942484F}=C:\ARQUIV~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 11:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 10:59]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 11:03]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 14:34 C:\WINDOWS\system32\ico.exe]
"SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11]
"SoundMAX"="C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 15:06]
"suScheduler"="C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 17:32]
"AMSG"="C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe" [2005-10-05 17:26]
"LPManager"="C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-09-08 01:01]
"cssauth"="C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-08-02 18:52]
"PDService.exe"="C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-07-07 15:22]
"DiskeeperSystray"="C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-09-26 16:11]
"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 19:54]
"CloneCDTray"="C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 16:21]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2006-12-13 11:04]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-09-27 20:33]
"NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"WMPNSCFG"="C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe" [2006-11-02 23:32]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kbdrch]
kbdrch.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli csspwntfy
*Newly Created Service* -MDM
********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 19:02:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-05-29 19:02:37
C:\ComboFix-quarantined-files.txt ... 2007-05-29 19:02
C:\ComboFix2.txt ... 2007-05-27 15:07
C:\ComboFix3.txt ... 2007-05-27 12:48
--- E O F ---
edpassos
2007-05-30, 05:27
Bad news :sad:
The unexpected pop-ups increased and the web browser is often closing. I think I'm going to format my PC and restore the last backup...
edpassos
2007-05-30, 05:44
In fact, Spybot has found Smitfraud once again... Damn! I've never seen such kind of malware!
edpassos
2007-05-30, 06:32
I repeated all the steps you have told me in this thread. Here are my last logs, if you think that they are still worth looking at:
ComboFix:
"Edu & Ana" - 2007-05-30 0:23:53 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Eduardo\Programas\Anti Malware\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
"C:\WINDOWS\system32\tmp7A6.tmp.dll"
((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))
2007-05-29 23:41 <DIR> d-------- C:\Arquivos de programas\Microsoft CAPICOM 2.1.0.2
2007-05-29 23:28 106,487 --a------ C:\WINDOWS\jkjkkh.dll
2007-05-29 00:52 <DIR> d-------- C:\WINDOWS\ShellNew
2007-05-28 01:23 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Meus documentos
2007-05-28 00:45 679 --a------ C:\WINDOWS\mozver.dat
2007-05-27 12:57 <DIR> d-------- C:\WINDOWS\pss
2007-05-27 12:40 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-27 12:36 106,536 --a------ C:\WINDOWS\nnmjhe.dll
2007-05-27 11:09 <DIR> d-------- C:\VundoFix Backups
2007-05-26 17:00 106,378 --a------ C:\WINDOWS\jkjhfd.dll
2007-05-26 16:29 <DIR> d-------- C:\WINDOWS\CSC
2007-05-26 15:29 3,034 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-26 15:28 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-05-26 15:28 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-05-26 15:28 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-05-26 12:19 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-26 10:37 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Ahead
2007-05-26 10:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Nero
2007-05-26 10:35 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Ahead
2007-05-26 10:29 <DIR> d-------- C:\Arquivos de programas\Nero
2007-05-25 22:11 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-05-25 22:10 <DIR> d-------- C:\Arquivos de programas\Marcos Velasco Security
2007-05-25 19:54 <DIR> d-------- C:\WINDOWS\IBM
2007-05-25 16:15 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-05-25 16:15 0 -rahs---- C:\MSDOS.SYS
2007-05-25 16:15 <DIR> d-------- C:\Documents and Settings\EDU&AN~1\WINDOWS
2007-05-25 16:15 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\WINDOWS
2007-05-25 16:15 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Lotus
2007-05-24 19:55 <DIR> d-------- C:\Arquivos de programas\MSXML 6.0
2007-05-24 19:52 <DIR> d-------- C:\Arquivos de programas\MSBuild
2007-05-24 19:49 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-05-24 19:48 <DIR> d-------- C:\Arquivos de programas\Reference Assemblies
2007-05-24 19:46 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-05-24 19:46 <DIR> d-------- C:\9b07516d7cd2d124ee44d04b
2007-05-24 19:39 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-05-24 18:31 <DIR> d-------- C:\Arquivos de programas\Windows Media Connect 2
2007-05-24 18:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-05-24 18:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-05-23 22:16 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-23 22:16 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-23 22:16 <DIR> d-------- C:\Arquivos de programas\Symantec
2007-05-23 21:26 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-05-23 19:28 <DIR> d-------- C:\swd
2007-05-23 19:25 <DIR> d-------- C:\sdwork
2007-05-23 18:34 164,224 --a------ C:\WINDOWS\system32\drivers\abvpn2k.sys
2007-05-23 18:34 13,952 --a------ C:\WINDOWS\system32\drivers\avpnnic.sys
2007-05-23 18:33 <DIR> d-------- C:\Arquivos de programas\AT&T Network Client
2007-05-23 18:19 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-05-23 18:19 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-05-23 18:19 159,744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-05-23 18:18 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe
2007-05-23 18:18 552,960 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-05-23 18:18 420,240 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-05-23 18:18 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-05-23 18:18 1,712,128 --a------ C:\WINDOWS\system32\GdiPlus.dll
2007-05-23 18:18 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Samsung
2007-05-23 18:18 <DIR> d-------- C:\Arquivos de programas\Samsung
2007-05-23 18:18 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\ST System Shared
2007-05-23 18:16 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-23 18:16 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-23 18:15 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-23 18:15 61,440 --a------ C:\WINDOWS\system32\dgnct511.dll
2007-05-23 18:15 54,784 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-05-23 18:15 36,864 --a------ C:\WINDOWS\system32\vgnct511.dll
2007-05-23 18:15 28,672 --a------ C:\WINDOWS\vgnct511.exe
2007-05-23 18:15 229,376 --a------ C:\WINDOWS\system32\drivers\gnct511.sys
2007-05-23 18:15 20,480 --a------ C:\WINDOWS\dgnct511.exe
2007-05-23 18:15 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-23 18:15 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-23 18:15 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-23 18:15 120,867 --a------ C:\WINDOWS\ugnct511.exe
2007-05-23 18:15 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-05-23 18:15 <DIR> d-------- C:\WINDOWS\Album
2007-05-23 18:15 <DIR> d-------- C:\Arquivos de programas\KYE
2007-05-23 13:37 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2007-05-23 08:57 <DIR> d-------- C:\Arquivos de programas\MSXML 4.0
2007-05-22 23:44 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-05-22 23:22 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-05-22 23:21 16,128 --a------ C:\WINDOWS\system32\drivers\MODEMCSA.sys
2007-05-22 23:20 607,196 --a------ C:\WINDOWS\system32\drivers\ltmdmnt.sys
2007-05-22 19:49 <DIR> d-------- C:\Arquivos de programas\SlySoft
2007-05-22 19:48 <DIR> d-------- C:\Arquivos de programas\DAMN NFO Viewer
2007-05-22 19:44 <DIR> d-------- C:\WINDOWS\system32\pt-br
2007-05-22 19:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Windows Genuine Advantage
2007-05-22 19:17 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Azureus
2007-05-22 19:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Azureus
2007-05-22 19:14 <DIR> d-------- C:\Arquivos de programas\Azureus
2007-05-22 19:09 <DIR> d-------- C:\Arquivos de programas\eMule
2007-05-22 18:59 <DIR> d-------- C:\Documents and Settings\EDU&AN~1\Contacts
2007-05-22 18:59 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\Contacts
2007-05-22 18:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-05-22 18:58 <DIR> d-------- C:\Arquivos de programas\MSN Messenger
2007-05-22 18:55 <DIR> d--hs---- C:\RECYCLER
2007-05-22 18:51 <DIR> d-------- C:\Eduardo
2007-05-22 18:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\ThinkVantage
2007-05-22 18:30 <DIR> d-------- C:\DOCUME~1\LOCALS~1\DADOSD~1\Lenovo
2007-05-22 18:28 143,360 --a------ C:\WINDOWS\system32\igfxres.dll
2007-05-22 18:27 262,144 --a------ C:\DOCUME~1\ALLUSE~1\NTUSER.DAT
2007-05-22 18:27 2,883,584 --ah----- C:\Documents and Settings\EDU&AN~1\NTUSER.DAT
2007-05-22 18:27 2,883,584 --ah----- C:\DOCUME~1\EDU&AN~1\NTUSER.DAT
2007-05-22 18:27 <DIR> dr-h----- C:\Documents and Settings\EDU&AN~1\Dados de aplicativos
2007-05-22 18:27 <DIR> dr-h----- C:\DOCUME~1\EDU&AN~1\Dados de aplicativos
2007-05-22 18:27 <DIR> dr------- C:\Documents and Settings\EDU&AN~1\Meus documentos
2007-05-22 18:27 <DIR> dr------- C:\Documents and Settings\EDU&AN~1\Menu Iniciar
2007-05-22 18:27 <DIR> dr------- C:\Documents and Settings\EDU&AN~1\Favoritos
2007-05-22 18:27 <DIR> dr------- C:\DOCUME~1\EDU&AN~1\Meus documentos
2007-05-22 18:27 <DIR> dr------- C:\DOCUME~1\EDU&AN~1\Menu Iniciar
2007-05-22 18:27 <DIR> dr------- C:\DOCUME~1\EDU&AN~1\Favoritos
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Modelos
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Configurações locais
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Ambiente de rede
2007-05-22 18:27 <DIR> d--h----- C:\Documents and Settings\EDU&AN~1\Ambiente de impressão
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Modelos
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Configurações locais
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Ambiente de rede
2007-05-22 18:27 <DIR> d--h----- C:\DOCUME~1\EDU&AN~1\Ambiente de impressão
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\ThinkVantage
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Symantec
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\IBM
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\EDU&AN~1\DADOSD~1\Google
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\ThinkVantage
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\Symantec
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\IBM
2007-05-22 18:27 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\DADOSD~1\Google
2007-05-22 18:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DADOSD~1\ThinkVantage
2007-05-22 18:19 <DIR> d-------- C:\WINDOWS\system32\Client Security
2007-05-22 18:17 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-05-01 11:29 17,792 --a------ C:\WINDOWS\system32\drivers\tpm.sys
2007-04-16 22:43 208,248 --a------ C:\WINDOWS\system32\muweb.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-30 02:58:40 40 ----a-w C:\WINDOWS\system32\profile.dat
2007-05-29 22:32:21 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2007-05-27 03:00:12 5,427 ----a-w C:\WINDOWS\system32\EGATHDRV.SYS
2007-05-25 21:29:52 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-05-25 01:04:47 -------- d-----w C:\Arquivos de programas\Picasa2
2007-05-24 23:18:10 78,760 ----a-w C:\WINDOWS\system32\perfc016.dat
2007-05-24 23:18:10 469,136 ----a-w C:\WINDOWS\system32\perfh016.dat
2007-05-24 21:28:55 -------- d-----w C:\Arquivos de programas\Windows Media Connect
2007-05-24 01:15:47 -------- d-----w C:\Arquivos de programas\Symantec Client Security
2007-05-23 21:19:47 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-05-23 12:00:08 -------- d-----w C:\Arquivos de programas\Messenger
2007-05-22 21:54:04 -------- d-----w C:\Arquivos de programas\Google
2007-05-22 21:28:15 0 ---ha-w C:\IO.SYS
2007-05-22 21:28:15 0 ---ha-w C:\CONFIG.SYS
2007-05-22 21:28:15 0 ---ha-w C:\AUTOEXEC.BAT
2007-04-18 16:13:00 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 16:33:34 254,872 ----a-w C:\WINDOWS\system32\drivers\e1e5132.sys
2007-04-12 14:47:30 154,496 ----a-w C:\WINDOWS\system32\Prounstl.exe
2007-03-23 09:07:56 1,683,280 ------w C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 09:07:54 583,504 ------w C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-22 23:25:02 124,928 ------w C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:44:49 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:54 578,048 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:54 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:54 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:33:32 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{2283dc47-503c-4465-ab10-daf1a4762580}=C:\WINDOWS\system32\kbdrch.dll []
{4B646AFB-9341-4330-8FD1-C32485AEE619}=C:\WINDOWS\system32\tmp7A6.tmp.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\ARQUIV~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 11:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 10:59]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 11:03]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 14:34 C:\WINDOWS\system32\ico.exe]
"SoundMAXPnP"="C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-20 09:11]
"SoundMAX"="C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" [2005-05-06 15:06]
"suScheduler"="C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-01 17:32]
"AMSG"="C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe" [2005-10-05 17:26]
"LPManager"="C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-09-08 01:01]
"cssauth"="C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-08-02 18:52]
"PDService.exe"="C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-07-07 15:22]
"DiskeeperSystray"="C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-09-26 16:11]
"googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 19:54]
"CloneCDTray"="C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 16:21]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [2006-12-13 11:04]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe" [2006-09-27 20:33]
"NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"WMPNSCFG"="C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe" [2006-11-02 23:32]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli csspwntfy
********************************************************************
catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 00:26:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
********************************************************************
Completion time: 2007-05-30 0:26:35
C:\ComboFix-quarantined-files.txt ... 2007-05-30 00:26
C:\ComboFix2.txt ... 2007-05-29 19:02
C:\ComboFix3.txt ... 2007-05-27 15:07
--- E O F ---
VundoFix
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 11:09:26 27/5/2007
Listing files found while scanning....
C:\WINDOWS\nnoono.dll
C:\WINDOWS\onoonn.ini
Beginning removal...
Attempting to delete C:\WINDOWS\onoonn.ini
C:\WINDOWS\onoonn.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 13:00:04 27/5/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 15:28:11 28/5/2007
Listing files found while scanning....
C:\WINDOWS\nnoono.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 15:57:09 28/5/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 16:09:14 28/5/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 20:05:29 28/5/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 23:53:01 29/5/2007
Listing files found while scanning....
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 00:02:57 30/5/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\kbdrch.dll
C:\WINDOWS\system32\kbdrch.dll Has been deleted!
Performing Repairs to the registry.
Done!
HijackThis comes in the next post...
edpassos
2007-05-30, 06:33
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 00:28:46, on 30/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Eduardo\Programas\Anti Malware\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp7A6.tmp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [AMSG] C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180491571265
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
Thanks.
edpassos
2007-05-30, 06:44
Last one, from SmitFraudFix:
SmitFraudFix v2.188
Scan done at 0:33:39,53, Wed 30/05/2007
Run from C:\Eduardo\Programas\Anti Malware\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\EDU
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Arquivos de programas
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/1000 PM Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 200.174.144.14
DNS Server Search Order: 200.174.144.15
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F5AD6340-AA50-4D1D-A251-434154D5C275}: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F5AD6340-AA50-4D1D-A251-434154D5C275}: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F5AD6340-AA50-4D1D-A251-434154D5C275}: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=200.174.144.14 200.174.144.15
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=200.174.144.14 200.174.144.15
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp7A6.tmp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\jkjkkh.dll
C:\WINDOWS\nnmjhe.dll
C:\WINDOWS\jkjhfd.dll
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs here:
- AVG's report
- a fresh HijackThis log
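As an added example (not part of this thread and not code from HijackThis or its author), the script below applies the same reading of a HijackThis log that the reply above applies by hand: an O2 BHO whose DLL is already gone or carries a temp-file name, and an O23 service with no vendor or no file, are candidates for "Fix checked"; an O20 Winlogon Notify DLL is flagged for review because anything listed there is loaded into winlogon.exe. The sample log lines and the allowlist of known BHO CLSIDs (only Spybot's SDHelper here) are constructed for the example; a real allowlist would be far longer.

```python
"""Triage rules for HijackThis v1.99-style log lines.

Only the sections the thread acts on are handled: O2 (BHO), O20 (Winlogon
Notify) and O23 (services).  Each finding separates reasons that justify a
"Fix checked" from reasons that only call for a closer look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2283dc47-503c-4465-ab10-daf1a4762580} - C:\WINDOWS\system32\kbdrch.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp7A6.tmp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
""".strip()

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A BHO DLL named like a scratch file (tmp7A6.tmp.dll) is how droppers
# of this family registered themselves.
TMP_DLL_RE = re.compile(r"\\tmp[0-9A-Fa-f]+\.tmp\.dll\b", re.IGNORECASE)

# Constructed allowlist: CLSIDs of unnamed BHOs known to be legitimate.
KNOWN_BHO_CLSIDS = {
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper.dll
}


@dataclass
class Finding:
    section: str
    line: str
    fix: List[str] = field(default_factory=list)     # safe to "Fix checked"
    review: List[str] = field(default_factory=list)  # look before touching


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if no rule fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    finding = Finding(section, line.strip())

    file_gone = "(file missing)" in body or body.endswith("(no file)")
    clsid_match = CLSID_RE.search(body)
    clsid = clsid_match.group(0).upper() if clsid_match else None

    if section == "O2":
        if file_gone:
            finding.fix.append("BHO registered but its DLL is gone")
        if TMP_DLL_RE.search(body):
            finding.fix.append("BHO DLL has a temp-file name")
        if "(no name)" in body and clsid not in KNOWN_BHO_CLSIDS:
            finding.review.append("unnamed BHO with an unrecognised CLSID")
    elif section == "O20":
        # Notification packages run inside winlogon.exe as SYSTEM.
        finding.review.append("Winlogon Notify DLL; confirm the file and its signer")
    elif section == "O23":
        if "Unknown owner" in body:
            finding.review.append("service has no vendor string")
        if file_gone:
            finding.fix.append("service points at a file that does not exist")

    return finding if (finding.fix or finding.review) else None


def triage_log(text: str) -> List[Finding]:
    """Apply triage_line to every line and keep the lines that fired a rule."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.fix:
            print("    FIX    ", r)
        for r in f.review:
            print("    REVIEW ", r)
```

Run against the sample, the three BHOs the reply singles out come back with a "fix" reason each, the Spybot helper and the ordinary Run entry stay silent, and the orphaned PsaSrv service is marked both for fixing (no file) and for review (no vendor).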
edpassos
2007-05-31, 02:35
Hi, Mr_JAk3,
I followed all your instructions. Here are the logs:
AVG:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 20:26:33 30/5/2007
+ Scan result:
C:\Eduardo\Programas\EvID4226Patch223d-en.zip/EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27368FA9-4C61-463B-AB87-54A0A29CB983}\RP24\A0003144.exe -> Not-A-Virus.Monitor.Win32.ActualSpy.29.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{27368FA9-4C61-463B-AB87-54A0A29CB983}\RP24\A0003155.exe -> Trojan.BHO.ak : Cleaned with backup (quarantined).
C:\Eduardo\Programas\WinRAR.v3.51+ crack.zip/WinRAR.v3.51.WinALL.Cracked-CORE.zip/crack.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Eduardo\Programas\WinRAR.v3.51+ crack.zip/crack.exe -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 20:34:33, on 30/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
c:\sdwork\issimsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Arquivos de programas\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Eduardo\Programas\Anti Malware\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [suScheduler] C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [AMSG] C:\Arquivos de programas\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [LPManager] C:\ARQUIV~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [cssauth] "C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Arquivos de programas\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Arquivos de programas\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/br/pt
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180491571265
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Arquivos de programas\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\ARQUIV~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - (no file)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Arquivos de programas\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Arquivos de programas\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Arquivos de programas\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Arquivos de programas\ThinkVantage\SystemUpdate\UCLauncherService.exe
Thanks and regards.
Hello :)
Looks pretty good. How is the computer running?
:bigthumb:
edpassos
2007-06-01, 01:31
Wow!!! :eek:
That's great. The computer seems fine. No unexpected window popping up nor web browser closing mysteriously. However, I ran Spybot and it found 6 entries. Unfortunately, I cannot post the full Spybot log here (it's too long), but here are the entries:
- Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
- Avenue A, Inc.: Tracking cookie (Internet Explorer: Edu & Ana) (Cookie, nothing done)
- DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
- FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
- FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
- Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)
I also have a question: should I keep AVG Anti-Spyware and Spybot (including Tea Timer) running full time?
Thanks a lot.
Hi again, it is looking clean now :)
You shouldn't use cracks, piracy etc as it is illegal and gets you infected!
You can keep TeaTimer running if you wish. The AVG realtime protection is only available for a limited amount of time in the trial version.
Spybot findings were just cookies, they can be easily prevented by installing a hosts file and Spyware Blaster (more below).
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
edpassos
2007-06-01, 16:07
Hello, Mr_JAk3,
Really, really thanks for your help. It couldn't be better. I'll follow your tips.
Best regards,
edpassos.
That's great news and you're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: