View Full Version : Smitfraud-C.CoreService problem
fernandosz
2007-06-14, 15:37
Hi everyone!
I´ve just found Smitfraud-C.CoreService in my computer, using S&D 1.4.
Coul´d you help me with it?
It seems to be a long road until the end of the journey, is it correct?
Thanks in advance.
Fernandosz
fernandosz
2007-06-14, 19:09
Hi, again.
I spent a few moments checking on how to proceed, looking at the forums pages and on the "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at my own risk.
I found at least 4 other guys with the same problem I´m facing now.
Since they seem to have lots of experience, and to save us time, I started the Avast and dowloaded Hijackthis and Combofix.
They´re both in c:\hijackthis
As soon as the results are ready i´ll post them
Thanks in advance
Fernandosz
fernandosz
2007-06-14, 23:22
Logfile of HijackThis v1.99.1
Scan saved at 18:03:46, on 14/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NVATray.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe
C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Arquivos de programas\Microsoft Money\System\reminder.exe
C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe
C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.spher.com.br/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ssh2 Class - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=050407 serial=DR12WEL-6341663-NKM lang=BP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WireLessMouse ] C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Reminder] C:\Arquivos de programas\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Gerenciador do HotSync.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Arquivos de programas\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://wwwss.bradesco.com.br/ib2k1/scpsssh2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101156446546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O23 - Service: Apache - Unknown owner - C:\Arquivos de programas\Saurus CMS\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Gbp Service (GbpSv) - Banco Unibanco - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:/Arquivos de programas/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
Hello fernandosz and welcome to the Forums :)
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
fernandosz
2007-06-16, 17:19
Here´s the combofix.txt paste.
Thanks for your attention
Fernandosz
ComboFix 07-06-13.3 - C:\hijackthis\ComboFix.exe
"Fernando" - 2007-06-16 10:48:11 - Service Pack 2
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\install.log
((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))
2007-06-16 10:47 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 11:18 <DIR> d-------- C:\hijackthis
2007-06-05 11:53 1,037,312 --a------ C:\Arquivos de programas\iview399.exe
2007-06-05 09:29 <DIR> d-------- C:\Arquivos de programas\Aur‚lio - S‚culo XXI
2007-06-05 09:28 315,904 --a------ C:\WINDOWS\IsUn0416.exe
2007-06-05 09:19 <DIR> d-------- C:\Arquivos de programas\AURELIO
2007-06-05 09:09 <DIR> d-------- C:\Arquivos de programas\MS Project 98
2007-05-30 17:34 <DIR> d--hs---- C:\FOUND.017
2007-05-25 19:35 <DIR> d-------- C:\Arquivos de programas\WBS Chart Pro
2007-05-25 19:25 <DIR> d-------- C:\Arquivos de programas\Filzip
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-06 19:53:08 132,176 ----a-w C:\DOCUME~1\Fernando\DADOSD~1\GDIPFONTCACHEV1.DAT
2007-06-05 12:29:26 -------- d-----w C:\Arquivos de programas\Aurélio - Século XXI
2007-06-05 12:19:54 -------- d-----w C:\Arquivos de programas\AURELIO
2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:56 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:42 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:24 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:22:28 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 13:57:10 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-23 11:53:20 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Corel
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:44:50 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2E3C3651-B19C-4DD9-A979-901EC3E930AF}=C:\WINDOWS\system32\scpsssh2.dll [2005-05-05 09:52]
{53707962-6F74-2D53-2644-206D7942484F}=C:\spybot\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll [2006-01-17 16:04]
{C41A1C0E-EA6C-11D4-B1B8-444553540007}=C:\WINDOWS\Downloaded Program Files\gbiehabn.dll [2006-11-22 13:19]
{C41A1C0E-EA6C-11D4-B1B8-444553540008}=C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-01-12 10:58]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-07-28 15:19 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2002-06-18 04:25 C:\WINDOWS\system32\NVATray.exe]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 12:42]
"NVMixerTray"="C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"InstantAccess"="C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [1998-07-07 16:04]
"RegisterDropHandler"="C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 16:20]
"HP Component Manager"="C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 15:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"CorelDRAW Graphics Suite 11b"="C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" []
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"WireLessMouse "="C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 15:38]
"WireLessKeyboard "="C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 22:45]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 09:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="C:\Arquivos de programas\Microsoft Money\System\reminder.exe" [1998-07-25 00:00]
"Dilberttest3 web link"="C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe" [2002-01-31 12:31]
"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"="C:\WINDOWS\Downloaded Program Files\gbiehuni.dll" [2007-01-12 10:58]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"="C:\WINDOWS\Downloaded Program Files\gbiehabn.dll" [2006-11-22 13:19]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Arquivos de programas\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f23ef0b4-f5a1-11db-a924-00006cac253f}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe
Contents of the 'Scheduled Tasks' folder
2007-07-13 18:44:10 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\install.log
((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))
2007-06-05 09:19 <DIR> d-------- C:\Arquivos de programas\AURELIO
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-06 19:53:08 132,176 ----a-w C:\DOCUME~1\Fernando\DADOSD~1\GDIPFONTCACHEV1.DAT
2007-06-05 12:29:26 -------- d-----w C:\Arquivos de programas\Aurélio - Século XXI
2007-06-05 12:19:54 -------- d-----w C:\Arquivos de programas\AURELIO
2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:56 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:42 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:24 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:22:28 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 13:57:10 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-23 11:53:20 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Corel
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:44:50 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2E3C3651-B19C-4DD9-A979-901EC3E930AF}=C:\WINDOWS\system32\scpsssh2.dll [2005-05-05 09:52]
{53707962-6F74-2D53-2644-206D7942484F}=C:\spybot\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll [2006-01-17 16:04]
{C41A1C0E-EA6C-11D4-B1B8-444553540007}=C:\WINDOWS\Downloaded Program Files\gbiehabn.dll [2006-11-22 13:19]
{C41A1C0E-EA6C-11D4-B1B8-444553540008}=C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-01-12 10:58]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-07-28 15:19 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2002-06-18 04:25 C:\WINDOWS\system32\NVATray.exe]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 12:42]
"NVMixerTray"="C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"InstantAccess"="C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [1998-07-07 16:04]
"RegisterDropHandler"="C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 16:20]
"HP Component Manager"="C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 15:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"CorelDRAW Graphics Suite 11b"="C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" []
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"WireLessMouse "="C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 15:38]
"WireLessKeyboard "="C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 22:45]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 09:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="C:\Arquivos de programas\Microsoft Money\System\reminder.exe" [1998-07-25 00:00]
"Dilberttest3 web link"="C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe" [2002-01-31 12:31]
"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"="C:\WINDOWS\Downloaded Program Files\gbiehuni.dll" [2007-01-12 10:58]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"="C:\WINDOWS\Downloaded Program Files\gbiehabn.dll" [2006-11-22 13:19]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Arquivos de programas\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f23ef0b4-f5a1-11db-a924-00006cac253f}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe
Contents of the 'Scheduled Tasks' folder
2007-07-13 18:44:10 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\install.log
((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))
2007-06-05 09:19 <DIR> d-------- C:\Arquivos de programas\AURELIO
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-06 19:53:08 132,176 ----a-w C:\DOCUME~1\Fernando\DADOSD~1\GDIPFONTCACHEV1.DAT
2007-06-05 12:29:26 -------- d-----w C:\Arquivos de programas\Aurélio - Século XXI
2007-06-05 12:19:54 -------- d-----w C:\Arquivos de programas\AURELIO
2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:56 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:42 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:24 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:22:28 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 13:57:10 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-23 11:53:20 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Corel
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-17 13:44:50 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2E3C3651-B19C-4DD9-A979-901EC3E930AF}=C:\WINDOWS\system32\scpsssh2.dll [2005-05-05 09:52]
{53707962-6F74-2D53-2644-206D7942484F}=C:\spybot\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll [2006-01-17 16:04]
{C41A1C0E-EA6C-11D4-B1B8-444553540007}=C:\WINDOWS\Downloaded Program Files\gbiehabn.dll [2006-11-22 13:19]
{C41A1C0E-EA6C-11D4-B1B8-444553540008}=C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-01-12 10:58]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-07-28 15:19 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2002-06-18 04:25 C:\WINDOWS\system32\NVATray.exe]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 12:42]
"NVMixerTray"="C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"InstantAccess"="C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [1998-07-07 16:04]
"RegisterDropHandler"="C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 16:20]
"HP Component Manager"="C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 15:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"CorelDRAW Graphics Suite 11b"="C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" []
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"WireLessMouse "="C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 15:38]
"WireLessKeyboard "="C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 22:45]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 09:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="C:\Arquivos de programas\Microsoft Money\System\reminder.exe" [1998-07-25 00:00]
"Dilberttest3 web link"="C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe" [2002-01-31 12:31]
"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"="C:\WINDOWS\Downloaded Program Files\gbiehuni.dll" [2007-01-12 10:58]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"="C:\WINDOWS\Downloaded Program Files\gbiehabn.dll" [2006-11-22 13:19]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Arquivos de programas\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f23ef0b4-f5a1-11db-a924-00006cac253f}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe
Contents of the 'Scheduled Tasks' folder
2007-07-13 18:44:10 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 12:05:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Files hidden from API:
C:\WINDOWS\Bolhas de sabÆo.bmp
Completion time: 2007-06-16 12:08:41
C:\ComboFix-quarantined-files.txt ... 2007-06-16 12:06
--- E O F ---
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Please download Flash_Disinfector by sUBs (http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe) to your desktop, don't run yet.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
==================
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f23ef0b4-f5a1-11db-a924-00006cac253f}]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Use the Windows search Start
Search
All files and folders
More advanced options Checkmark these options: "Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: Driveinfo.exe
Please run and run Flash_Disinfector by sUBs
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
Run ComboFix again.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- ComboFix log
fernandosz
2007-06-18, 04:04
Dear Mr_JAk3
Thanks for the tips.
Since there´s a long list of tasks, I´ll perform them tomorrow morning.
But I sill have 2 questions: how do this "SOAB" came into my computer? And how does it spead itself?
Thanks in advance, again.
Fernandosz
fernandosz
2007-06-18, 07:40
OK
I couldn´t sleep...
Here goes the reports.
Thanks
Fernandosz
---------------------------------------------------------
AVG Anti-Spyware - Relatório de verificação
---------------------------------------------------------
+ Criação: 02:12:50 18/6/2007
+ Resultado da verificação:
HKU\S-1-5-21-117609710-1078081533-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{74CC49F7-EB32-4A08-B204-948962A6E3DB} -> Adware.RogueSuspect : Limpo com backup (em quarentena).
C:\Documents and Settings\Fernando\Meus documentos\Cida\FunnyStufs\FunnyStufs.zip/papatudo1.exe -> Not-A-Virus.BadJoke.Win32.Proxima : Limpo com backup (em quarentena).
C:\Documents and Settings\Fernando\Meus documentos\Cida\FunnyStufs\FunnyStufs\papatudo1.exe -> Not-A-Virus.BadJoke.Win32.Proxima : Limpo com backup (em quarentena).
::Fim do relatório
\
Logfile of HijackThis v1.99.1
Scan saved at 02:29, on 2007-06-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\NVATray.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe
C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Arquivos de programas\Microsoft Money\System\reminder.exe
C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe
C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
C:\Palm\HOTSYNC.EXE
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.spher.com.br/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ssh2 Class - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\system32\scpsssh2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=050407 serial=DR12WEL-6341663-NKM lang=BP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WireLessMouse ] C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Reminder] C:\Arquivos de programas\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Dilberttest3 web link] "C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Gerenciador do HotSync.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Arquivos de programas\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://wwwss.bradesco.com.br/ib2k1/scpsssh2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101156446546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O23 - Service: Apache - Unknown owner - C:\Arquivos de programas\Saurus CMS\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Gbp Service (GbpSv) - Banco Unibanco - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:/Arquivos de programas/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
ComboFix 07-06-13.3 - C:\hijackthis\ComboFix.exe
"Fernando" - 2007-06-18 2:19:15 - Service Pack 2
((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))
2007-06-18 00:06 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
2007-06-18 00:06 <DIR> drahs---- C:\autorun.inf
2007-06-17 23:29 5,420,992 --a------ C:\RegBackUp.reg
2007-06-17 23:22 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-16 16:06 13,630 -ra------ C:\WINDOWS\system32\RDCOMMON.DLL
2007-06-16 10:47 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-14 11:18 <DIR> d-------- C:\hijackthis
2007-06-05 11:53 1,037,312 --a------ C:\Arquivos de programas\iview399.exe
2007-06-05 09:29 <DIR> d-------- C:\Arquivos de programas\Aur‚lio - S‚culo XXI
2007-06-05 09:28 315,904 --a------ C:\WINDOWS\IsUn0416.exe
2007-06-05 09:19 <DIR> d-------- C:\Arquivos de programas\AURELIO
2007-06-05 09:09 <DIR> d-------- C:\Arquivos de programas\MS Project 98
2007-05-30 17:34 <DIR> d--hs---- C:\FOUND.017
2007-05-25 19:35 <DIR> d-------- C:\Arquivos de programas\WBS Chart Pro
2007-05-25 19:25 <DIR> d-------- C:\Arquivos de programas\Filzip
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-06 19:53:08 132,176 ----a-w C:\DOCUME~1\Fernando\DADOSD~1\GDIPFONTCACHEV1.DAT
2007-06-05 12:29:26 -------- d-----w C:\Arquivos de programas\Aurélio - Século XXI
2007-06-05 12:19:54 -------- d-----w C:\Arquivos de programas\AURELIO
2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:56 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:42 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:52 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:24 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:22:28 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 13:57:10 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-23 11:53:20 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Corel
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2E3C3651-B19C-4DD9-A979-901EC3E930AF}=C:\WINDOWS\system32\scpsssh2.dll [2005-05-05 09:52]
{53707962-6F74-2D53-2644-206D7942484F}=C:\spybot\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}=C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll [2004-08-13 17:42]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll [2006-01-17 16:04]
{C41A1C0E-EA6C-11D4-B1B8-444553540007}=C:\WINDOWS\Downloaded Program Files\gbiehabn.dll [2006-11-22 13:19]
{C41A1C0E-EA6C-11D4-B1B8-444553540008}=C:\WINDOWS\Downloaded Program Files\gbiehuni.dll [2007-01-12 10:58]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-07-28 15:19 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2002-06-18 04:25 C:\WINDOWS\system32\NVATray.exe]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 12:42]
"NVMixerTray"="C:\Arquivos de programas\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"InstantAccess"="C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.exe" [1998-07-07 16:04]
"RegisterDropHandler"="C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 16:20]
"HP Component Manager"="C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38]
"HP Software Update"="C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 15:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"CorelDRAW Graphics Suite 11b"="C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe" []
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"WireLessMouse "="C:\Arquivos de programas\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 15:38]
"WireLessKeyboard "="C:\Arquivos de programas\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 22:45]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 09:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="C:\Arquivos de programas\Microsoft Money\System\reminder.exe" [1998-07-25 00:00]
"Dilberttest3 web link"="C:\Arquivos de programas\Dilberttest3\Screen Saver\FWLink.exe" [2002-01-31 12:31]
"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"=C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"="C:\WINDOWS\Downloaded Program Files\gbiehuni.dll" [2007-01-12 10:58]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"="C:\WINDOWS\Downloaded Program Files\gbiehabn.dll" [2006-11-22 13:19]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="C:\Arquivos de programas\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 14:57]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 09:29]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
Contents of the 'Scheduled Tasks' folder
2007-07-13 18:44:10 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
Ok looks pretty good :)
How is the computer running?
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
fernandosz
2007-06-19, 06:59
Here goes the Karsperky´s report
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-06-19 01:56
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/06/2007
Kaspersky Anti-Virus database records: 348650
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 132348
Number of viruses found: 2
Number of infected objects: 5 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:54:12
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5ac.dat Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Fernando\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Fernando\Meus documentos\Cida\Antigos\Pessoais\CidaPessoal.zip/CidaPessoal/InternetAppl/babylon32.exe/SaveNowInst.exe/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bf skipped
C:\Documents and Settings\Fernando\Meus documentos\Cida\Antigos\Pessoais\CidaPessoal.zip/CidaPessoal/InternetAppl/babylon32.exe/SaveNowInst.exe/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\Fernando\Meus documentos\Cida\Antigos\Pessoais\CidaPessoal.zip/CidaPessoal/InternetAppl/babylon32.exe/SaveNowInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\Fernando\Meus documentos\Cida\Antigos\Pessoais\CidaPessoal.zip/CidaPessoal/InternetAppl/babylon32.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
C:\Documents and Settings\Fernando\Meus documentos\Cida\Antigos\Pessoais\CidaPessoal.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Fernando\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Fernando\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\history.dat Object is locked skipped
C:\Documents and Settings\Fernando\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Fernando\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\parent.lock Object is locked skipped
C:\Documents and Settings\Fernando\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\cert8.db Object is locked skipped
C:\Documents and Settings\Fernando\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\key3.db Object is locked skipped
C:\Documents and Settings\Fernando\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Fernando\Dados de aplicativos\Mozilla\Firefox\Profiles\cwsek6eo.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Fernando\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Fernando\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Fernando\ntuser.dat Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\report\Proteção residente.txt Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Arquivos de programas\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\_restore{C0892739-3DC7-405A-926D-245C708397A4}\RP660\change.log Object is locked skipped
Scan process completed.
OK good, how is the computer running?
fernandosz
2007-06-19, 22:54
It seems fine...after the 1st combofix the strange things stoped.
May I kill the infected files that Karspersky found?
Thanks for you efforts.
Fernandosz
Hi again, it is looking clean now :)
Yes you may delete this file:
C:\Documents and Settings\Fernando\Meus documentos\Cida\Antigos\Pessoais\CidaPessoal.zip
You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)