Virtumonde & Cleanner 2006



Kankiz
2007-08-07, 15:27
Hi,
Spybot always detects these 2 pieces of malware and I've tried hard to get rid of them, but without success. I've already run Virtufix and ComboFix, but nothing. I have AVG and it detects a virus in the Temporary Internet Files all the time - dedamisha - but it always comes back. Can someone help me? I'm a new member. Thank you.
Kankiz.

pskelley
2007-08-08, 02:30
Welcome to Safer Networking. If you still need help and are not receiving it elsewhere: it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports; anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Thanks

Kankiz
2007-08-08, 08:24
Hi,
I've followed all the instructions in "Before you post a log".
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 02:12, on 2007-08-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Meus Documentos\Programas\Diversos\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73ec3f30-e7bd-4721-a32b-a2556398b002} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp74.tmp.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\ursppp.dll",forkonce
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mqbcan.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mqbcan.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - AppInit_DLLs: c:\windows\system32\sstttrp.dll
O20 - Winlogon Notify: mqbcan - C:\WINDOWS\SYSTEM32\mqbcan.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)


CA:
Virus scan finished. No viruses found.
Scan Results: Scan Completed. 139384 files scanned. No viruses found.
File Infection Status Path
- No Infections

pskelley
2007-08-08, 12:28
Thanks for returning your information, please read and follow the directions carefully.

1) Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit
the files to Upload Malware: http://www.uploadmalware.com

(wait until you finish to post the reports and logs)

2) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log, Vundofix log and a new HJT log.

Thanks

Kankiz
2007-08-08, 16:47
Hi pskelley,
Here we go:

ComboFix 07-08-04.3 - "ROBERIO" 2007-08-08 10:38:46.3 [GMT -3:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.Verdadeiro


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ROBERIO\DADOSD~1\tmp1.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp28.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp2A.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp3.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp52.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp6.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp67.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp71.tmp.exe
C:\DOCUME~1\ROBERIO\DADOSD~1\tmp74.tmp.exe
C:\WINDOWS\system32\dn906d962a.dat
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp52.tmp.dll
C:\WINDOWS\system32\tmp74.tmp.dll


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-07 23:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-07 23:10 <DIR> d-------- C:\DOCUME~1\ROBERIO\.housecall6.6
2007-08-07 18:57 131,385 --a------ C:\WINDOWS\ssqrro.dll
2007-08-06 12:39 131,376 --a------ C:\WINDOWS\khiiff.dll
2007-08-06 11:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 11:36 <DIR> d-------- C:\VundoFix Backups
2007-08-06 09:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-08-06 01:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-05 20:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-05 20:05 61,440 --a------ C:\WINDOWS\system32\NI_DFD_1_5.dll
2007-08-05 20:05 393,216 --a------ C:\WINDOWS\system32\NI_IRC_1_2.dll
2007-08-05 19:22 56,320 --a------ C:\WINDOWS\system32\DeltTray.exe
2007-08-04 23:15 84,992 --a------ C:\WINDOWS\WebAssist.dll
2007-08-04 11:01 <DIR> d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\uTorrent
2007-08-04 11:01 <DIR> d-------- C:\Arquivos de programas\uTorrent


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 07:24 --------- d-------- C:\Arquivos de programas\eMule
2007-08-06 01:58 --------- d-------- C:\Arquivos de programas\Wireless Combo
2007-08-06 01:55 --------- d-------- C:\Arquivos de programas\MFR6
2007-08-06 01:52 --------- d-------- C:\Arquivos de programas\GbPlugin
2007-08-06 01:48 --------- d-------- C:\Arquivos de programas\DAEMON Tools
2007-08-06 01:44 --------- d-------- C:\Arquivos de programas\Ultra Tag Editor
2007-08-06 01:32 --------- d-------- C:\Arquivos de programas\Sibelius Software
2007-08-06 00:58 --------- d-------- C:\Arquivos de programas\Native Instruments
2007-08-05 23:21 --------- d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\BSplayer Pro
2007-08-04 15:11 --------- d-------- C:\Arquivos de programas\Total Video Converter
2007-08-03 23:41 --------- d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\Sibelius Software
2007-07-19 09:57 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-10 19:41 --------- d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\Skype
2007-07-02 11:53 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-06-22 22:04 --------- d-------- C:\Arquivos de programas\PDFCreator
2007-06-13 20:05 --------- d-------- C:\Arquivos de programas\MSINSTR
2007-05-09 13:06 2096 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
2007-05-09 13:06 164352 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-09 12:47 3003 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Real Audio Encoder R3.dat
2007-05-09 12:46 574 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Dalet codec R1.dat
2007-05-09 12:46 3460 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat
2007-05-09 12:46 2159 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
2007-05-09 12:46 1936 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Real Audio Codec.dat
2007-05-09 12:45 747 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP AIFF codec r3.dat
2007-05-09 12:45 2294 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
2007-05-09 12:45 2077 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
2007-05-09 12:41 20906 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2007-01-30 10:42 604 --ah----- C:\Arquivos de programas\STLL Notifier
2006-05-28 12:46 397306 --a------ C:\Arquivos de programas\wunauclt.zip
2006-05-28 12:46 397306 --a------ C:\Arquivos de programas\wunauclt.tbe
2007-01-27 12:46:02 56 --sh--r C:\WINDOWS\system32\00B4E7D36B.sys
2007-02-25 21:00:00 43 --sha-w C:\WINDOWS\Temp\removalfile.bat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{73ec3f30-e7bd-4721-a32b-a2556398b002}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-08-04 23:15 84992 --a------ C:\WINDOWS\WebAssist.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 12:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 05:53 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-04-19 07:18]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [2006-03-26 11:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2005-12-10 11:57]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [2007-01-27 13:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [2007-01-27 13:33:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-06-25 09:24 332616]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [2007-07-23 22:39 339376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mqbcan]
mqbcan.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\sstttrp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\khiiff.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"

R0 fasttx2k;fasttx2k;C:\WINDOWS\system32\drivers\fasttx2k.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys
R1 mapledxp;mapledxp;C:\WINDOWS\system32\drivers\mapledxp.SYS
R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys
R1 UsbFltr;WayTechMUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys
R2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 3xHybrid;Pinnacle PCTV 110i service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS
R3 DELTA;Service for Delta Driver (WDM);C:\WINDOWS\system32\DRIVERS\delta.sys
R3 ElbyDelay;ElbyDelay;C:\WINDOWS\system32\Drivers\ElbyDelay.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
S3 MPE;Filtro BDA MPE;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 MSSQL$PINNACLESYS;MSSQL$PINNACLESYS;"C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS
S3 SQLAgent$PINNACLESYS;SQLAgent$PINNACLESYS;"C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS


Contents of the 'Scheduled Tasks' folder
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\dr.exe
2007-06-25 20:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At11.job
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 20:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\user32.exe
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 17:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-08 03:00:30 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\3w2y18no.exe
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-08 04:00:30 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 05:00:30 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 06:01:29 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 07:00:30 C:\WINDOWS\Tasks\At23.job
2007-08-08 08:00:30 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 09:00:30 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 10:00:30 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 11:00:30 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 12:00:30 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 13:00:30 C:\WINDOWS\Tasks\At29.job
2007-06-25 17:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-07 14:00:30 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 15:00:30 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 16:01:23 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 17:00:30 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 18:00:30 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 19:00:30 C:\WINDOWS\Tasks\At35.job
2007-08-07 20:00:30 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 21:00:30 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 22:00:30 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-07 23:00:30 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\3w2y18no.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-08 00:00:30 C:\WINDOWS\Tasks\At40.job
2007-08-08 01:00:30 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 02:00:30 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-06 14:52:54 C:\WINDOWS\Tasks\At43.job
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\user32.exe
2007-06-25 20:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\dr.exe
2007-06-25 17:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At8.job
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\dr.exe
2007-06-28 05:37:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#BR4AV2F071I5.job - C:\Arquivos de programas\HP\hpcoretech\comp\hpdarc.exe
2007-08-08 13:36:00 C:\WINDOWS\Tasks\HP Usg Daily.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 10:40:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 10:40:33
C:\ComboFix-quarantined-files.txt ... 2007-08-08 10:40

--- E O F ---


VundoFix V6.5.7

Checking Java version...

Sun Java not detected
Scan started at 10:31:13 2007-08-08

Listing files found while scanning....

C:\WINDOWS\cbxuur.dll
C:\WINDOWS\ruuxbc.ini
C:\WINDOWS\system32\tmp2A.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\cbxuur.dll
C:\WINDOWS\cbxuur.dll Has been deleted!

Attempting to delete C:\WINDOWS\ruuxbc.ini
C:\WINDOWS\ruuxbc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp2A.tmp.dll
C:\WINDOWS\system32\tmp2A.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!
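One part of the ComboFix log above that neither VundoFix's deletions nor ComboFix's "Other Deletions" touched is the scheduled-task list: dozens of At*.job entries firing every hour at C:\WINDOWS\dr.exe, C:\WINDOWS\user32.exe, a wunauclt.exe in system32 that is one letter away from the real wuauclt.exe seen running in the first HijackThis log, and a 3w2y18no.exe. As an added example (not code from the thread, from ComboFix or from sUBs), here is a small triage script for that section of the log. The allowlist of system binaries, the fan-out threshold and the name rules are my own assumptions; they produce candidates for a manual look, not verdicts.

```python
"""Triage the "Contents of the 'Scheduled Tasks' folder" section of a
ComboFix log.

Added example, not code from the thread, from ComboFix or from sUBs.  The
sample lines are a subset of the log posted above; the rules (look-alike
names, a system DLL name reused as .exe, one binary fanned out across
many At*.job entries) are my own triage heuristics.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the thread's ComboFix output.
SAMPLE = """\
2007-06-25 21:00:00 C:\\WINDOWS\\Tasks\\At1.job - C:\\WINDOWS\\dr.exe
2007-06-25 23:00:00 C:\\WINDOWS\\Tasks\\At11.job
2007-06-25 11:00:00 C:\\WINDOWS\\Tasks\\At12.job - C:\\WINDOWS\\system32\\wunauclt.exe
2007-06-25 23:00:00 C:\\WINDOWS\\Tasks\\At14.job - C:\\WINDOWS\\user32.exe
2007-08-08 03:00:30 C:\\WINDOWS\\Tasks\\At19.job - C:\\WINDOWS\\system32\\3w2y18no.exe
2007-08-08 04:00:30 C:\\WINDOWS\\Tasks\\At20.job - C:\\WINDOWS\\system32\\3w2y18no.exe
2007-08-07 05:00:30 C:\\WINDOWS\\Tasks\\At21.job - C:\\WINDOWS\\system32\\3w2y18no.exe
2007-08-08 06:01:29 C:\\WINDOWS\\Tasks\\At22.job - C:\\WINDOWS\\system32\\3w2y18no.exe
2007-06-28 05:37:06 C:\\WINDOWS\\Tasks\\HP DArC Task #Hewlett-Packard#7200#BR4AV2F071I5.job - C:\\Arquivos de programas\\HP\\hpcoretech\\comp\\hpdarc.exe
2007-08-08 13:36:00 C:\\WINDOWS\\Tasks\\HP Usg Daily.job
"""

# "<timestamp> <job path> - <target>"; the target part is absent on some lines.
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.+?\.job)(?: - (.+))?$")

# Assumption: a short list of Windows binaries that malware likes to imitate.
SYSTEM_EXES = ["wuauclt.exe", "svchost.exe", "lsass.exe", "services.exe",
               "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"]
SYSTEM_DLL_STEMS = {"user32", "kernel32", "ntdll", "advapi32", "shell32", "gdi32"}
FANOUT = 4  # one target referenced by this many jobs is worth a look


def levenshtein(a, b):
    """Plain edit distance, enough to catch one-letter look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_tasks(text):
    """Return [(job basename, target path or None)] per ComboFix task line."""
    jobs = []
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            jobs.append((PureWindowsPath(m.group(1)).name, m.group(2)))
    return jobs


def reasons_for(job, target, counts):
    """Apply the heuristics to one job; an empty list means nothing tripped."""
    if target is None:
        return ["no target recorded in the log: open the .job file and check"]
    p = PureWindowsPath(target)
    name, stem, parent = p.name.lower(), p.stem.lower(), str(p.parent).lower()
    reasons = []
    for legit in SYSTEM_EXES:
        d = levenshtein(name, legit)
        if 0 < d <= 2:
            reasons.append("look-alike of %s (edit distance %d)" % (legit, d))
    if stem in SYSTEM_DLL_STEMS and p.suffix.lower() != ".dll":
        reasons.append("system DLL name '%s' reused as %s" % (stem, p.suffix.lower()))
    if re.search(r"\d[a-z]", stem):
        reasons.append("digits interleaved with letters: random-looking name")
    if parent == "c:\\windows" and len(stem) <= 3:
        reasons.append("very short executable name dropped directly in %WINDIR%")
    if counts[name] >= FANOUT:
        reasons.append("same binary scheduled by %d jobs" % counts[name])
    if reasons and re.fullmatch(r"at\d+\.job", job.lower()):
        reasons.append("At*.job: created with at.exe, not by an installer")
    return reasons


def analyze(text):
    """Return [{'job', 'target', 'reasons'}] for every job that trips a rule."""
    jobs = parse_tasks(text)
    counts = Counter(PureWindowsPath(t).name.lower() for _, t in jobs if t)
    findings = []
    for job, target in jobs:
        r = reasons_for(job, target, counts)
        if r:
            findings.append({"job": job, "target": target, "reasons": r})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["job"], "->", f["target"])
        for r in f["reasons"]:
            print("   ", r)
```

The "no target" rule is deliberately noisy (the HP Usg Daily job trips it as well); its purpose is to list the .job files the log could not resolve so they get opened by hand rather than skipped. The fan-out rule is the one that carries most weight here: one binary referenced by an hourly chain of At jobs is a scheduler pattern consumer software does not produce.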

Kankiz
2007-08-08, 16:48
Logfile of HijackThis v1.99.1
Scan saved at 10:45:57, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
D:\Meus Documentos\Programas\Diversos\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73ec3f30-e7bd-4721-a32b-a2556398b002} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - AppInit_DLLs: c:\windows\system32\sstttrp.dll
O20 - Winlogon Notify: mqbcan - mqbcan.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

pskelley
2007-08-08, 17:04
Thanks for returning your information; proceed like this.

1) Read this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Arquivos de programas\Java\jre1.5.0_11\ <<< out of date, download the newest version and uninstall all old versions in Add Remove Programs.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(this first item is valid but damaged, download it again after we finish if you use it)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: (no name) - {73ec3f30-e7bd-4721-a32b-a2556398b002} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O20 - AppInit_DLLs: c:\windows\system32\sstttrp.dll
O20 - Winlogon Notify: mqbcan - mqbcan.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log and tell me how the computer is running.

Thanks
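
As an added example (not code from the thread or from HijackThis), this script encodes the reasoning behind the fix list above: which O2 and O20 load points a helper ticks for "Fix Checked" and why. The Winlogon Notify allow-list is an assumption made for the example, and the sample lines are copied from the HJT logs posted in this thread.

```python
import re
from dataclasses import dataclass

# Sample log: these lines are copied from the HijackThis logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {73ec3f30-e7bd-4721-a32b-a2556398b002} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: c:\windows\system32\sstttrp.dll
O20 - Winlogon Notify: mqbcan - mqbcan.dll (file missing)
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
"""

# Winlogon Notify packages present on a stock Windows XP SP2 install. Assumption:
# a short allow-list is enough for the example; real triage uses a maintained database.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
WINDOWS_ROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    severity: str  # "high": remove it; "low": broken but legitimate entry
    reason: str


def triage_hjt(log: str) -> list:
    """Apply the load-point heuristics to each HJT line and return the findings."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            name, _clsid, path = m.groups()
            if name == "(no name)" and path == "(no file)":
                findings.append(Finding(line, "high", "BHO with neither a name nor a backing file: orphaned or hidden registration"))
            elif WINDOWS_ROOT_DLL_RE.match(path):
                findings.append(Finding(line, "high", "BHO DLL dropped directly in the Windows folder; legitimate add-ons live under Program Files or system32"))
            elif path.endswith("(file missing)"):
                findings.append(Finding(line, "low", "named BHO whose DLL is gone: damaged entry, reinstall the product if it is wanted"))
        elif m := APPINIT_RE.match(line):
            findings.append(Finding(line, "high", f"AppInit_DLLs injects {m.group(1)} into every process that loads user32.dll; rarely legitimate on a home PC"))
        elif m := NOTIFY_RE.match(line):
            name, path = m.groups()
            if name.lower() not in KNOWN_NOTIFY or "(file missing)" in path:
                findings.append(Finding(line, "high", "Winlogon Notify package outside the stock XP set: its DLL runs inside winlogon.exe at every logon"))
    return findings


def fix_list(findings: list) -> list:
    """The lines a helper would tell the user to tick in 'Do a system scan only'."""
    return [f.line for f in findings if f.severity == "high"]


if __name__ == "__main__":
    results = triage_hjt(SAMPLE_HJT)
    for f in results:
        print(f"[{f.severity}] {f.line}\n        {f.reason}")
    print("\nFix Checked candidates:", len(fix_list(results)))
```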

Kankiz
2007-08-08, 19:17
Man, I'm impressed! I guess things are going well. But there was an error in fixing with hijackthis (?!). Anyway, I've done all you told me. Thanks again. The log:

Logfile of HijackThis v1.99.1
Scan saved at 13:13:44, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
D:\Meus Documentos\Programas\Diversos\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

pskelley
2007-08-08, 20:00
Thanks for returning your information:
But there was an error in fixing with hijackthis (?!).
That's just the junk complaining that we are removing it. Have a look at these, I can't identify them:
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mp...bPluginABN.cab
If you know they are safe, fine, if not use HJT to remove them.

Make sure this is valid for your IP:
http://whois.domaintools.com/200.165.132.147

C:\WINDOWS\ssqrro.dll
C:\WINDOWS\khiiff.dll <<< these two look like leftover Vundo files, use this scan to find out: http://www.virustotal.com/
If they scan as bad, delete them.


I would like to run one more good scan if possible. First remove Vundofix and any C:/Vundofix backups, combofix and backups including C:/qoofix/quarantine, or the scan will identify those as infected.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Kankiz
2007-08-09, 07:53
Hi pskelley,


O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mp...bPluginABN.cab

seem normal to me, as they are from 2 banks I'm a client of.


Make sure this is valid for your IP:
http://whois.domaintools.com/200.165.132.147

This one seems to be my internet provider (Telemar).
But I'm worried about the fact AVG always detects 4 types of viruses:

Virus identified as Obfustat.ESQ in C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP207\A0041158.dll
Virus identified as Obfustat.AAK in C:\Documents and Settings\ROBERIO\Dados de aplicativos\tmp29.tmp.exe
Virus identified as Obfustat.EUA in C:\WINDOWS\system32\mqbcan.dll
Trojan Downloader.Agent.PYM in C:\WINDOWS\system32\3w2y18no.exe

and I move them to quarantine but they return again and again. AVG doesn't fix the problem. Are they Vundo too?
Well, I think it was all right... OK, here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 09, 2007 1:48:00 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/08/2007
Kaspersky Anti-Virus database records: 353967
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 148337
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 02:05:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dados de aplicativos\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\MSHist012007080820070809\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP207\A0039113.dll Object is locked skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP212\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8925.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/irsetup.dat Infected: P2P-Worm.Win32.Insta.a skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/cheat_plugin.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/cheat_plugin.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.ny skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/cheat_plugin.exe Infected: Trojan-Downloader.Win32.IstBar.ny skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe SetupFactory: infected - 4 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP212\change.log Object is locked skipped

Scan process completed.

pskelley
2007-08-09, 13:32
But I'm worried about the fact AVG always detects 4 types of viruses:
I am looking at the Kaspersky report; it should pick those up also. The first is in System Restore and I will post instructions for cleaning those before we finish.

This next one: if you look at the Other Deletions made by Combofix you will see where it removed nine of those bad files. It must not have found that one; perhaps we should run Combofix again to see what it finds.

C:\Documents and Settings\ROBERIO\Dados de aplicativos\tmp29.tmp.exe <<< delete that file

C:\WINDOWS\system32\mqbcan.dll <<< delete that file

C:\WINDOWS\system32\3w2y18no.exe <<< delete that file

If any file gives you trouble, use this tool and directions:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

I am interested in these in the combofix log:
Contents of the 'Scheduled Tasks' folder
What can you tell me about those 'Scheduled Tasks'?
C:\WINDOWS\Tasks\ <<< in this folder

KASPERSKY ONLINE SCANNER REPORT Thursday, August 09, 2007 1:48:00 AM

Number of infected objects: 5

D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/irsetup.dat Infected: P2P-Worm.Win32.Insta.a skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/cheat_plugin.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/cheat_plugin.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.ny skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe/cheat_plugin.exe Infected: Trojan-Downloader.Win32.IstBar.ny skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs Especiais - Coleções de Objetos\The Sims 2 SP3-1 Christmas Party - Festa de Natal\install.exe SetupFactory: infected - 4 skipped

Above is likely the reason for your problems.
These "cracks" are not only illegal, they are very, very dangerous as you can see. Navigate to those and delete them all from your computer.

Thanks
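
pskelley asks above what the 'Scheduled Tasks' folder holds. As an added example (not code from the thread or from ComboFix), this triages that section of a ComboFix log and counts how often each flagged binary is scheduled, which is one way an AV detection keeps coming back after every quarantine. The Windows component set, the look-alike and random-name heuristics, and the benign Backup.job control line are assumptions made for the example; the At*.job sample lines are copied from the listing posted later in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Sample listing: the At*.job lines are copied from the ComboFix log posted later in
# this thread; the Backup.job line is constructed as a benign control.
SAMPLE_TASKS = r"""
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At11.job
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\user32.exe
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 04:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 05:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 06:00:00 C:\WINDOWS\Tasks\Backup.job - C:\Arquivos de programas\Acronis\TrueImageHome\TrueImage.exe
"""

# Windows components that malware likes to impersonate: stem -> (real file name,
# folder it lives in on XP). Assumption: a short set is enough for the example.
WINDOWS_COMPONENTS = {
    "wuauclt": ("wuauclt.exe", r"c:\windows\system32"),  # Windows Update client
    "user32": ("user32.dll", r"c:\windows\system32"),    # a DLL, never an .exe
    "explorer": ("explorer.exe", r"c:\windows"),
}
TASK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+\.job)(?: - (.+))?$")
AT_JOB_RE = re.compile(r"\\at\d+\.job$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{6,12}$")  # letter/digit soup such as 3w2y18no


@dataclass
class Task:
    when: str
    job: str
    target: Optional[str]
    reasons: list = field(default_factory=list)


def within_one_edit(a: str, b: str) -> bool:
    """True when one insertion, deletion or substitution turns a into b (or a == b)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a  # make a the longer (or equal-length) string
    for i in range(len(a)):
        if a[:i] + a[i + 1:] == b:  # one deletion
            return True
        if len(a) == len(b) and a[:i] + b[i] + a[i + 1:] == b:  # one substitution
            return True
    return False


def classify(target: Optional[str]) -> list:
    """Reasons a task's command deserves a closer look; an empty list means nothing found."""
    if target is None:
        return ["job has no readable command line; open the .job file before deciding"]
    folder, _, basename = target.lower().rpartition("\\")
    stem = basename.rpartition(".")[0] or basename
    if stem in WINDOWS_COMPONENTS:
        real_name, real_folder = WINDOWS_COMPONENTS[stem]
        if (basename, folder) == (real_name, real_folder):
            return []  # the genuine component in its proper place
        return [f"borrows the name of {real_name} but is {basename} in {folder}"]
    reasons = []
    if any(within_one_edit(stem, real) for real in WINDOWS_COMPONENTS):
        reasons.append(f"{basename} is one character away from a Windows component name")
    if folder == r"c:\windows":
        reasons.append("executable dropped directly in the Windows folder")
    if RANDOM_NAME_RE.match(stem):
        reasons.append("random-looking file name")
    return reasons


def parse_tasks(listing: str) -> list:
    tasks = []
    for line in listing.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            tasks.append(Task(m.group(1), m.group(2), m.group(3)))
    return tasks


def triage_tasks(tasks: list) -> list:
    """Attach reasons to every task and return only those that have any."""
    for t in tasks:
        t.reasons = classify(t.target)
        if AT_JOB_RE.search(t.job):  # AtN.job files come from at.exe / NetScheduleJobAdd
            t.reasons.append("At-style job, created programmatically rather than by the user")
    return [t for t in tasks if t.reasons]


def repeated_targets(tasks: list) -> dict:
    """Scheduled runs per flagged binary: hourly repeats explain AV detections that come back."""
    return dict(Counter(t.target.lower().rpartition("\\")[2]
                        for t in triage_tasks(tasks) if t.target))


if __name__ == "__main__":
    tasks = parse_tasks(SAMPLE_TASKS)
    for t in triage_tasks(tasks):
        print(t.when, t.job.rpartition("\\")[2], t.target or "(none)")
        for r in t.reasons:
            print("    -", r)
    print("scheduled runs per flagged binary:", repeated_targets(tasks))
```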

Kankiz
2007-08-09, 18:23
Hi man, many thanks for being so patient...

Well, at least I have something good: Spybot doesn't find any more threats.


What can you tell me about those 'Scheduled Tasks'?
I don't know much about it. I've never performed scheduled tasks in my whole PC's life. But I realised that (in the old combofix log) there are commands to execute files, and many of them AVG had detected (3w2y18no.exe) before (until last night!). Also, some of the tasks seem to have been re-scheduled to run today. Should I delete the folder?

The combofix log you have suggested:

ComboFix 07-08-09.3 - "ROBERIO" 2007-08-09 11:40:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1539 [GMT -3:00]
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-08 19:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-08 19:35 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-08 19:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Kaspersky Lab
2007-08-07 23:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-07 23:10 <DIR> d-------- C:\DOCUME~1\ROBERIO\.housecall6.6
2007-08-06 11:38 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 09:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-08-06 01:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-05 20:24 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-08-05 20:05 61,440 --a------ C:\WINDOWS\system32\NI_DFD_1_5.dll
2007-08-05 20:05 393,216 --a------ C:\WINDOWS\system32\NI_IRC_1_2.dll
2007-08-05 19:22 56,320 --a------ C:\WINDOWS\system32\DeltTray.exe
2007-08-04 11:01 <DIR> d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\uTorrent
2007-08-04 11:01 <DIR> d-------- C:\Arquivos de programas\uTorrent


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 09:34 --------- d-------- C:\Arquivos de programas\eMule
2007-08-08 12:43 --------- d-------- C:\Arquivos de programas\Monkey's Audio
2007-08-06 01:58 --------- d-------- C:\Arquivos de programas\Wireless Combo
2007-08-06 01:55 --------- d-------- C:\Arquivos de programas\MFR6
2007-08-06 01:52 --------- d-------- C:\Arquivos de programas\GbPlugin
2007-08-06 01:48 --------- d-------- C:\Arquivos de programas\DAEMON Tools
2007-08-06 01:44 --------- d-------- C:\Arquivos de programas\Ultra Tag Editor
2007-08-06 01:32 --------- d-------- C:\Arquivos de programas\Sibelius Software
2007-08-06 00:58 --------- d-------- C:\Arquivos de programas\Native Instruments
2007-08-05 23:21 --------- d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\BSplayer Pro
2007-08-04 15:11 --------- d-------- C:\Arquivos de programas\Total Video Converter
2007-08-03 23:41 --------- d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\Sibelius Software
2007-07-19 09:57 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-10 19:41 --------- d-------- C:\DOCUME~1\ROBERIO\DADOSD~1\Skype
2007-07-02 11:53 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-06-22 22:04 --------- d-------- C:\Arquivos de programas\PDFCreator
2007-06-13 20:05 --------- d-------- C:\Arquivos de programas\MSINSTR
2007-05-09 13:06 2096 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
2007-05-09 13:06 164352 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-09 12:47 3003 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Real Audio Encoder R3.dat
2007-05-09 12:46 574 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Dalet codec R1.dat
2007-05-09 12:46 3460 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat
2007-05-09 12:46 2159 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
2007-05-09 12:46 1936 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Real Audio Codec.dat
2007-05-09 12:45 747 --a------ C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP AIFF codec r3.dat
2007-05-09 12:45 2294 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
2007-05-09 12:45 2077 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
2007-05-09 12:41 20906 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2007-01-30 10:42 604 --ah----- C:\Arquivos de programas\STLL Notifier
2006-05-28 12:46 397306 --a------ C:\Arquivos de programas\wunauclt.zip
2006-05-28 12:46 397306 --a------ C:\Arquivos de programas\wunauclt.tbe
2007-01-27 12:46:02 56 --sh--r C:\WINDOWS\system32\00B4E7D36B.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 12:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 05:53 C:\WINDOWS\SOUNDMAN.EXE]
"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-04-19 07:18]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [2006-03-26 11:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2005-12-10 11:57]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [2007-01-27 13:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [2007-01-27 13:33:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [2007-06-25 09:24 332616]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [2007-07-23 22:39 339376]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\khiiff.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"

R0 fasttx2k;fasttx2k;C:\WINDOWS\system32\drivers\fasttx2k.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys
R1 mapledxp;mapledxp;C:\WINDOWS\system32\drivers\mapledxp.SYS
R1 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\drivers\moufiltr.sys
R1 UsbFltr;WayTechMUSBFilterDriver;C:\WINDOWS\system32\drivers\UsbFltr.sys
R2 GbpSv;Gbp Service;C:\Arquivos de programas\GbPlugin\GbpSv.exe
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 3xHybrid;Pinnacle PCTV 110i service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 DELTA;Service for Delta Driver (WDM);C:\WINDOWS\system32\DRIVERS\delta.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
S3 MPE;Filtro BDA MPE;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 MSSQL$PINNACLESYS;MSSQL$PINNACLESYS;"C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS
S3 SQLAgent$PINNACLESYS;SQLAgent$PINNACLESYS;"C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS


Contents of the 'Scheduled Tasks' folder
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\dr.exe
2007-06-25 20:00:00 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At11.job
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 20:00:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\user32.exe
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 17:00:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At17.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\3w2y18no.exe
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-09 04:00:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 05:00:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 06:00:00 C:\WINDOWS\Tasks\At22.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 07:00:00 C:\WINDOWS\Tasks\At23.job
2007-08-09 08:00:00 C:\WINDOWS\Tasks\At24.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 09:00:00 C:\WINDOWS\Tasks\At25.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 10:00:00 C:\WINDOWS\Tasks\At26.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 11:00:00 C:\WINDOWS\Tasks\At27.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 12:00:00 C:\WINDOWS\Tasks\At28.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 13:00:00 C:\WINDOWS\Tasks\At29.job
2007-06-25 17:00:00 C:\WINDOWS\Tasks\At3.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-09 14:00:00 C:\WINDOWS\Tasks\At30.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 15:00:00 C:\WINDOWS\Tasks\At31.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 16:00:00 C:\WINDOWS\Tasks\At32.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 17:00:00 C:\WINDOWS\Tasks\At33.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 18:00:00 C:\WINDOWS\Tasks\At34.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 19:00:00 C:\WINDOWS\Tasks\At35.job
2007-08-08 20:00:00 C:\WINDOWS\Tasks\At36.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 21:00:00 C:\WINDOWS\Tasks\At37.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 22:00:00 C:\WINDOWS\Tasks\At38.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-08 23:00:00 C:\WINDOWS\Tasks\At39.job - C:\WINDOWS\system32\3w2y18no.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\wunauclt.exe
2007-08-09 00:00:00 C:\WINDOWS\Tasks\At40.job
2007-08-09 01:00:00 C:\WINDOWS\Tasks\At41.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-09 02:00:00 C:\WINDOWS\Tasks\At42.job - C:\WINDOWS\system32\3w2y18no.exe
2007-08-06 14:52:54 C:\WINDOWS\Tasks\At43.job
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At5.job - C:\WINDOWS\user32.exe
2007-06-25 20:00:00 C:\WINDOWS\Tasks\At6.job - C:\WINDOWS\dr.exe
2007-06-25 17:00:00 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At8.job
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At9.job - C:\WINDOWS\dr.exe
2007-06-28 05:37:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#BR4AV2F071I5.job - C:\Arquivos de programas\HP\hpcoretech\comp\hpdarc.exe
2007-08-09 13:36:00 C:\WINDOWS\Tasks\HP Usg Daily.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 11:41:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000814

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 11:42:15

--- E O F ---

pskelley
2007-08-09, 19:26
Should I delete the folder? <<< I would say the folder may be needed if you use the function? This is your computer? Have a look at the first three links here:
http://www.google.com/search?hl=en&q=%27Scheduled+Tasks%27+&btnG=Search
Once you are sure you did not set the tasks, then delete the junk in it (that will move it to the recycle bin); let it sit in there for a few days, and once you are sure it is not needed, then empty the recycle bin.

The only question I have is about those "scheduled tasks". If you need to scan those files to see if they are bad, here are free online scanners; the one I posted earlier may limit the times you can use it?
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Remove all tools we downloaded for the cleanup, you may keep ATF-Cleaner if you wish, then do this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

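The advice above boils down to "work out which of those scheduled tasks you did not create, then get the target files scanned". The script below is an added example for this thread, not a Spybot, ComboFix or HijackThis tool and not pskelley's procedure: it parses a ComboFix 'Scheduled Tasks' listing (the sample lines are copied from the log posted above) and attaches review reasons to each .job file so you know which targets to upload to Jotti or VirusTotal first. The heuristics (At<N>.job naming, an executable sitting directly in C:\WINDOWS, a name one edit away from a genuine Windows binary, a letters-and-digits name) and the KNOWN_NAMES list are the editor's own assumptions, not signatures, and a flagged task is a candidate for a scan, not a verdict.

```python
"""Triage a ComboFix 'Scheduled Tasks' listing for jobs that deserve a closer look.

Added example for this thread, not a Spybot/ComboFix tool. The heuristics are
assumptions, not signatures: they only prioritise which .job targets to upload
to an online scanner; they do not prove anything is malicious.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a handful of lines copied from the ComboFix log in this thread.
SAMPLE_LISTING = r"""
2007-06-25 21:00:00 C:\WINDOWS\Tasks\At1.job - C:\WINDOWS\dr.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At11.job
2007-06-25 11:00:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\system32\wunauclt.exe
2007-06-25 23:00:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\user32.exe
2007-08-09 03:00:00 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\system32\3w2y18no.exe
2007-06-28 05:37:06 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#BR4AV2F071I5.job - C:\Arquivos de programas\HP\hpcoretech\comp\hpdarc.exe
2007-08-09 13:36:00 C:\WINDOWS\Tasks\HP Usg Daily.job
"""

# "<date> <time> <path>.job" optionally followed by " - <command>"
LINE_RE = re.compile(r"^(\S+ \S+) (.+?\.job)(?: - (.+))?$")

# Assumed (not exhaustive) list of genuine Windows binaries whose names get imitated.
KNOWN_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


@dataclass
class Task:
    timestamp: str
    job: str
    target: str  # "" when ComboFix printed no command for the job
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character look-alikes of known names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_listing(text: str) -> List[Task]:
    tasks = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            tasks.append(Task(m.group(1), m.group(2), m.group(3) or ""))
    return tasks


def assess(task: Task) -> Task:
    """Attach review reasons to a task. Every rule here is a heuristic assumption."""
    job_name = task.job.rsplit("\\", 1)[-1]
    # At<N>.job files are created by at.exe and run as SYSTEM; unusual on a home PC.
    if re.fullmatch(r"At\d+\.job", job_name, re.IGNORECASE):
        task.reasons.append("at-job")
    if not task.target:
        return task  # nothing to inspect here; open the job in Scheduled Tasks instead
    folder, _, exe = task.target.rpartition("\\")
    exe_l = exe.lower()
    # Real system executables live under system32, not directly in C:\WINDOWS.
    if folder.lower() == r"c:\windows":
        task.reasons.append("windir-root")
    # One edit away from a well-known name (wunauclt vs wuauclt) is a classic disguise.
    if exe_l not in KNOWN_NAMES and any(levenshtein(exe_l, k) == 1 for k in KNOWN_NAMES):
        task.reasons.append("lookalike")
    # Letters and digits interleaved several times reads like a generated name.
    stem = exe_l.rsplit(".", 1)[0]
    if len(re.findall(r"(?=[a-z]\d|\d[a-z])", stem)) >= 2:
        task.reasons.append("random-name")
    return task


def audit(text: str) -> Dict[str, List[str]]:
    """Map each .job file name to its review reasons (an empty list means none)."""
    return {t.job.rsplit("\\", 1)[-1]: assess(t).reasons for t in parse_listing(text)}


if __name__ == "__main__":
    for job, reasons in audit(SAMPLE_LISTING).items():
        print(f"{'REVIEW' if reasons else 'ok    '} {job}: {', '.join(reasons)}")
```

Run it against the full 'Scheduled Tasks' block from your own ComboFix log (paste it into SAMPLE_LISTING or read it from a file); jobs that come back with no reasons, such as the two HP ones, are the ones most likely to be yours, and the rest are what to scan before deleting.
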
Kankiz
2007-08-11, 18:47
Hi pskelley,

Finally I think it's all ok, thanks to you!!!
I've run some antiviruses you recommended me and have installed the SpywareBlaster too.
Well man, you and the other guys of this site are heroes, contemporary heroes indeed (seems like a tv series?). Hope I won't take your time anymore :D: (but don't be so enthusiastic!)
Thanks for all,
Kankiz.

PS.: Actually I'm wondering what you meant when you said:

If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-08-11, 18:57
Thanks for your nice comments, let me say that you being from Brazil might not realize that without our soldiers most of the world may be speaking another language right now, and I can never say enough about teachers who are the unsung heroes of the world.

gracias fillippe:bigthumb:

pskelley
2007-08-18, 03:30
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.