Big trouble - Hijack log



Nanna
2007-11-21, 18:32
Hi all!

My son's computer is hijacked. He can't access the internet, the pages open and close without warning, and any task takes too long to achieve. It has NAV 2005, Spybot S&D, Ad-Aware Pro and SpywareBlaster installed and updated. Every day he has to run these apps since these things keep coming back. Then he installed Kaspersky Internet Security and it removed some of them, but the last scan says the PC is clean. He keeps disabling one to use another; they are not enabled at the same time. If you can help me, I'd be grateful.
Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 14:14, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\vssvc.exe
C:\Arquivos de programas\TClock\tclock.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.terra.com.br/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\yusevnch.dll (file missing)
O4 - HKLM\..\Run: [LFAgent] C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Global Startup: TClock.lnk = C:\Arquivos de programas\TClock\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Add to Anti-Banner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Backward Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O9 - Extra 'Tools' menuitem: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gsoxduvb.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

ken545
2007-11-22, 03:50
Hello Nanna

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288).
All advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.





Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackThis log in your next reply.

Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.




C:\Arquivos de programas\HijackThis\HijackThis.exe <-- Right click on this and rename it to Nanna.exe


I need to see the Vundofix log, the Combofix log and a new Hijackthis log renamed to Nanna.exe please

Nanna
2007-11-22, 14:43
Hi, Ken

Some things have changed since yesterday. I didn't know there was a new version of HJT, so I ran the new one. My son's PC was so slow to do any task that I decided to uninstall Kaspersky Internet Security. He is used to NAV 2005 and never had any trouble, but this time only KIS caught some of the bad things. The dial-up connection is made, any page can open (one at a time), but as soon as it loads it closes without warning.
I hope you can continue to help us under these new conditions.

Nana

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11, on 2007-11-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe
C:\WINDOWS\System32\vssvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\TClock\tclock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\program files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.terra.com.br/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\yusevnch.dll (file missing)
O4 - HKLM\..\Run: [LFAgent] C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Policies\Explorer\Run: [UpdateManager] C:\Program Files\Common Files\Microsoft Shared\Web Components\WUpdMan32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TClock.lnk = C:\Arquivos de programas\TClock\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O9 - Extra 'Tools' menuitem: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gsoxduvb.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6778 bytes

ken545
2007-11-22, 16:00
Hello Nanna,

Just follow the instructions as I previously posted. The older version of HJT was fine but the new one is better.


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackThis log in your next reply.

Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.



You're infected with the Vundo Trojan, and the thieves that have written it have written it to go undetected by Hijackthis; by renaming it, those entries will show up on your HJT log.



This is important; do this before you post a HJT log.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on Hijackthis.exe (looks like a man with a spyglass) and rename it to Scanner.exe



I need to see:

1. Vundofix log
2. Combofix log
3. New HJT log renamed to Scanner.exe

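Added example, not code from this thread or from HijackThis, VundoFix or ComboFix: a small Python triage helper that applies the kind of checks the helper is doing by eye to HJT log lines (missing binaries on "Unknown owner" services, BHOs with no readable name, randomly named binaries in system32, uncommon load points), run over lines copied from the logs posted in this thread. The heuristics, the Finding type and the function names are my own assumptions, and a hit means "review this entry", not a verdict.

```python
import re
from dataclasses import dataclass

# A HijackThis entry starts with a section code: "O23 - Service: ...", "R0 - HKLM...".
SECTION_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Eight lowercase letters plus .dll/.exe directly under system32 is the naming pattern of
# the files VundoFix and ComboFix listed in this thread (yusevnch.dll, gsoxduvb.exe,
# ashkegon.dll). It is a heuristic: legitimate names such as winlogon.exe also match,
# so a hit means "check the file's signer and creation date", not "malicious".
RANDOM_SYS32_RE = re.compile(r"\\(?i:system32)\\[a-z]{8}\.(?:dll|exe)\b")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O23"
    reason: str    # why the line deserves a second look
    line: str      # the original log line


def triage_line(line: str) -> list[Finding]:
    """Return the review flags one HJT log line raises (empty list if none)."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return []  # header, process list or blank line: nothing to triage
    section, body = m.groups()
    missing = body.endswith("(file missing)")
    reasons: list[str] = []

    if RANDOM_SYS32_RE.search(body):
        reasons.append("randomly named binary in system32")
    if section == "O23" and "Unknown owner" in body and missing:
        # An uninstalled product or an oddly quoted service path can give the same
        # signature (compare the AVP service in the first log of this thread),
        # so this is a flag, not a verdict.
        reasons.append("service with unknown owner and missing binary")
    if section == "O2":
        # Format is "BHO: <name> - {GUID} - <path>"; a blank or GUID-shaped name is
        # unusual, although Spybot's own SDHelper.dll legitimately shows "(no name)".
        name = body.split(" - ", 1)[0].removeprefix("BHO: ").strip()
        if name == "(no name)" or GUID_RE.match(name):
            reasons.append("BHO without a readable name")
    if section == "O3" and missing:
        reasons.append("toolbar entry whose DLL is gone (stale or already removed)")
    if section == "O4" and "Policies\\Explorer\\Run" in body:
        reasons.append("autorun under Policies\\Explorer\\Run (uncommon load point)")
    if section == "O20":
        reasons.append("AppInit_DLLs entry is loaded into every GUI process")
    return [Finding(section, r, line) for r in reasons]


def triage_log(text: str) -> list[Finding]:
    """Triage a whole pasted log; findings keep log order."""
    return [f for ln in text.splitlines() for f in triage_line(ln)]


def counts_by_section(findings: list[Finding]) -> dict[str, int]:
    """How many flags each HJT section raised, for a quick summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Lines copied from the HijackThis logs posted in this thread (not constructed).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: {d8ba85a7-aa4c-e7f9-58a4-a2ad4ae4e8df} - {fd8e4ea4-da2a-4a85-9f7e-c4aa7a58ab8d} - C:\WINDOWS\system32\ashkegon.dll",
    r"O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\yusevnch.dll (file missing)",
    r"O4 - HKLM\..\Policies\Explorer\Run: [UpdateManager] C:\Program Files\Common Files\Microsoft Shared\Web Components\WUpdMan32.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gsoxduvb.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O20 - AppInit_DLLs: C:\ARQUIV~1\KASPER~1\KASPER~1.0\adialhk.dll",
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

The NVIDIA and NvCplDaemon lines raise nothing, while the Spybot helper is flagged despite being legitimate, which is the point: the output is a short list of entries to look up, not a removal list.
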
Nanna
2007-11-22, 17:39
Hi, Ken

Two things happened: while VundoFix was running, NAV detected two things and deleted them automatically. Then I disabled the auto-protect. It happened very fast. Then while running ComboFix, NAV asked to stop the script (with auto-protect still disabled) and I authorized it to run. I was reading some posts before I posted my case, and I was curious to know why people had to rename HJT, and you answered my question. So thanks for that too.
Here are the logs:


VundoFix V6.6.2

Checking Java version...

Sun Java not detected
Scan started at 13:30:39 2007-11-22

Listing files found while scanning....

C:\WINDOWS\system32\urqqron.dll
C:\WINDOWS\system32\yusevnch.dll
C:\windows\system32\yusevnch.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\yusevnch.dllbox
C:\windows\system32\yusevnch.dllbox Has been deleted!

Performing Repairs to the registry.
Done!


ComboFix log:

ComboFix 07-11-19.3 - Home 2007-11-22 14:02:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.365 [GMT -2:00]
Executando de: C:\Documents and Settings\Home\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
.

Incapaz de adquirir Privilégios de Sistema

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrador\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrador\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrador\Favoritos\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\sstts.dll
C:\WINDOWS\system32\sttss.bak1
C:\WINDOWS\system32\sttss.bak2
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\sttss.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((( Ficheiros criados de 2007-10-22 to 2007-11-22 ))))))))))))))))))))))))))))))))
.

2007-11-21 15:37 <DIR> d-------- C:\Arquivos de programas\TLKGAMES
2007-11-21 15:37 30 --a------ C:\WINDOWS\mscpt.dat
2007-11-21 14:40 80,960 --a------ C:\WINDOWS\system32\ashkegon.dll
2007-11-20 13:38 84,544 --a------ C:\WINDOWS\system32\xlkaskgf.dll
2007-11-20 13:27 84,544 --a------ C:\WINDOWS\system32\koojibsc.dll
2007-11-18 19:21 294 ---hs---- C:\WINDOWS\system32\secbmgng.ini
2007-11-18 19:15 79,424 --a------ C:\WINDOWS\system32\munynuyt.dll
2007-11-15 16:48 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Ipswitch
2007-11-15 00:01 79,424 --a------ C:\WINDOWS\system32\bgyqpqeb.dll
2007-11-14 23:53 474 ---hs---- C:\WINDOWS\system32\iyqgjdav.ini
2007-11-13 12:31 669,332 ---hs---- C:\WINDOWS\system32\hkccevmr.ini
2007-11-13 12:31 88,128 --a------ C:\WINDOWS\system32\rmvecckh.dll
2007-11-13 12:28 80,448 --a------ C:\WINDOWS\system32\waydnaoq.dll
2007-11-12 17:33 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-12 15:11 <DIR> d-------- C:\Documents and Settings\Home\Dados de aplicativos\Vso
2007-11-12 15:11 81,920 --a------ C:\Documents and Settings\Home\Dados de aplicativos\ezpinst.exe
2007-11-12 15:11 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-12 15:11 47,360 --a------ C:\Documents and Settings\Home\Dados de aplicativos\pcouffin.sys
2007-11-12 12:22 583,004 ---hs---- C:\WINDOWS\system32\gnqlgjvl.ini
2007-11-01 21:15 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-11-01 19:58 53,248 --a------ C:\WINDOWS\system32\vp6dec_settings.cpl
2007-10-31 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-28 19:39 219,648 --a--c--- C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-10-26 13:41 <DIR> d-------- C:\Arquivos de programas\SymNetDrv
2007-10-26 12:49 <DIR> d-------- C:\Arquivos de programas\Norton SystemWorks
2007-10-26 12:49 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-26 12:49 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-26 12:49 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-26 12:48 <DIR> d-------- C:\Documents and Settings\Home\Dados de aplicativos\Symantec
2007-10-26 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Symantec
2007-10-26 12:48 <DIR> d-------- C:\Arquivos de programas\Symantec
2007-10-24 17:39 <DIR> d-------- C:\Documents and Settings\Home\Dados de aplicativos\AKVIS LLC

.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 16:50 --------- d-----w C:\Documents and Settings\Home\Dados de aplicativos\MailWasherPro
2007-11-21 04:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink
2007-11-18 21:13 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2007-11-14 11:20 --------- d-----w C:\Arquivos de programas\Lexmark X1100 Series
2007-11-12 19:44 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2007-11-12 13:25 --------- d-----w C:\Arquivos de programas\SpywareBlaster
2007-11-09 15:46 --------- d-----w C:\Arquivos de programas\MSN Messenger
2007-11-09 07:12 --------- d-----w C:\Documents and Settings\Home\Dados de aplicativos\Babylon
2007-11-08 19:08 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Babylon
2007-11-01 20:29 --------- d-----w C:\Arquivos de programas\IrfanView
2007-10-31 00:27 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-10-28 15:21 --------- d-----w C:\Arquivos de programas\Winamp
2007-10-28 02:51 --------- d-----w C:\Arquivos de programas\LimeWire
2007-09-22 18:14 --------- d-----w C:\Arquivos de programas\TIM Web Movel
2004-10-09 14:16 108 --sha-r C:\WINDOWS\neoqaz2.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd8e4ea4-da2a-4a85-9f7e-c4aa7a58ab8d}]
2007-11-21 14:40 80960 --a------ C:\WINDOWS\system32\ashkegon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LFAgent"="C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe" [2004-12-01 16:16]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:45 C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2007-02-21 17:50]
"Symantec NetDriver Monitor"="C:\ARQUIV~1\SYMNET~1\SNDMon.exe" [2007-10-26 13:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
TClock.lnk - C:\Arquivos de programas\TClock\tclock.exe [2004-09-07 17:16:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoNetworkConnections"= 01000000
"NoStrCmpLogical"= 00000000
"NoRecentDocsMenu"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoLogoff"= 0 (0x0)
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqron]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HTpatch"=C:\WINDOWS\htpatch.exe
"Lexmark X1100 Series"="C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
"PCTVOICE"=pctspk.exe
"SunJavaUpdateSched"=C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"Babylon Client"=C:\Arquivos de programas\Babylon\Babylon.exe -AutoStart
"nwiz"=nwiz.exe /install
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SMSERIAL"=C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

R1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys
R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys
R2 LF30FS;LF30FS;\??\C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30XP.sys
R2 Ps2KSecureKeyboard;SecureKbd;\??\C:\WINDOWS\system32\DRIVERS\psseckbd.sys
S2 agrsm;Agere Modem Driver;C:\WINDOWS\system32\agrsmnt.sys
S2 Ca533av;Dual Mode Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 FXDRV;FXDRV;\??\E:\Fxdrv.sys
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc10-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc13-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc14-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc15-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69abb250-6937-11dc-a220-be378b3c01b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
Conte£do da pasta 'Tarefas Agendadas'
"2007-11-09 23:17:28 C:\WINDOWS\Tasks\Norton AntiVirus - Verificar o meu computador - Home.job"
- C:\ARQUIV~1\NORTON~1\NORTON~3\Navw32.exel/task:

"2007-10-26 16:18:44 C:\WINDOWS\Tasks\One Button Checkup do Norton SystemWorks.job"
- C:\Arquivos de programas\Norton SystemWorks\OBC.exe

"2007-11-20 02:00:15 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SymDrmc.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 14:07:34
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializ*veis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusÆo: 2007-11-22 14:08:41 - machine was rebooted
.
--- E O F ---

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:48, on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\vssvc.exe
C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\TClock\tclock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\program files\HijackThis\Scanner.exe.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.terra.com.br/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Arquivos de programas\Ipswitch\WS_FTP Professional\wsbho2k0.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: {d8ba85a7-aa4c-e7f9-58a4-a2ad4ae4e8df} - {fd8e4ea4-da2a-4a85-9f7e-c4aa7a58ab8d} - C:\WINDOWS\system32\ashkegon.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LFAgent] C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Policies\Explorer\Run: [UpdateManager] C:\Program Files\Common Files\Microsoft Shared\Web Components\WUpdMan32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TClock.lnk = C:\Arquivos de programas\TClock\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O9 - Extra 'Tools' menuitem: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: urqqron - C:\WINDOWS\
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7496 bytes

ken545
2007-11-22, 18:57
Nanna,

You're doing well :bigthumb:

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: {d8ba85a7-aa4c-e7f9-58a4-a2ad4ae4e8df} - {fd8e4ea4-da2a-4a85-9f7e-c4aa7a58ab8d} - C:\WINDOWS\system32\ashkegon.dll

O20 - Winlogon Notify: urqqron - C:\WINDOWS\






Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



File::
C:\WINDOWS\system32\ashkegon.dll
C:\WINDOWS\system32\xlkaskgf.dll
C:\WINDOWS\system32\koojibsc.dll
C:\WINDOWS\system32\secbmgng.ini
C:\WINDOWS\system32\munynuyt.dll
C:\WINDOWS\system32\bgyqpqeb.dll
C:\WINDOWS\system32\iyqgjdav.ini
C:\WINDOWS\system32\hkccevmr.ini
C:\WINDOWS\system32\rmvecckh.dll
C:\WINDOWS\system32\waydnaoq.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\gnqlgjvl.ini




Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.


Let me see the new Combofix log, the SAS log and a New HJT log please
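As an added example (not part of the thread, and not HijackThis's or ComboFix's own code), here is a small Python triage pass that encodes the reasoning behind the three entries picked above: a BHO whose display name is missing or is itself a GUID and which loads from system32, a Winlogon Notify entry with no DLL file name, and a start page reset to about:blank. The sample lines are constructed from the two logs in this thread; the rules are heuristics, not signatures, and a human still reviews what they flag exactly as ken545 does here.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the logs in this thread: benign entries beside the
# ones ken545 told Nanna to fix (the unnamed BHO, the urqqron Winlogon Notify, the R0).
SAMPLE_LOG = [
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
    "C:\\Arquivos de programas\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\ARQUIV~1\\SPYBOT~1\\SDHelper.dll",
    "O2 - BHO: {d8ba85a7-aa4c-e7f9-58a4-a2ad4ae4e8df} - {fd8e4ea4-da2a-4a85-9f7e-c4aa7a58ab8d} - "
    "C:\\WINDOWS\\system32\\ashkegon.dll",
    "O20 - Winlogon Notify: urqqron - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: !SASWinLogon - C:\\Arquivos de programas\\SUPERAntiSpyware\\SASWINLO.dll",
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank",
]

# A display name that is itself a GUID is a classic sign of a generated, throwaway BHO.
GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    severity: str  # "high" or "low"
    subject: str   # the name, key or path the rule fired on
    reason: str


def in_system32(path: str) -> bool:
    """True if the module path points under the Windows system32 directory."""
    return "\\system32\\" in path.lower()


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if no rule fires."""
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        unnamed = name == "(no name)" or GUID_RE.fullmatch(name) is not None
        # Spybot's SDHelper.dll is also "(no name)" but lives outside system32, so the
        # two conditions together keep that legitimate entry out of the findings.
        if unnamed and in_system32(path):
            return Finding("O2", "high", path,
                           "BHO with no readable name loading a DLL from system32 (Vundo-style)")
        return None
    m = O20_RE.match(line)
    if m:
        key, path = m.group("key"), m.group("path")
        # A Notify package must name a DLL; a bare directory means the module is
        # hidden from the scanner or has already been removed while the key remains.
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            return Finding("O20", "high", key,
                           "Winlogon Notify entry with no DLL file name")
        return None
    m = R0_RE.match(line)
    if m and m.group("url").strip().lower() == "about:blank":
        return Finding("R0", "low", m.group("url"),
                       "IE start page reset to about:blank; common hijacker side effect, harmless to fix")
    return None


def triage(lines):
    """Run every line through the rules and keep only the entries that fired."""
    return [f for f in map(triage_line, lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():4}] {f.section}: {f.subject} - {f.reason}")
```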

Nanna
2007-11-22, 21:06
Hi, Ken :eek:
I'm going nuts this afternoon running from my office's pc to my son's in his bedroom! The only weird thing that happened this time is that after I ran ComboFix, it asked me to reboot and then it showed a warning saying that the boot mode had changed. I looked at the BIOS and it seemed normal to me: first HD, then CD, then floppy. I didn't change anything and allowed it to proceed. Then after SuperAntiSpyware, it happened again, so I don't know what to do if this warning shows again on the next reboot. My head is aching already!
Here are the logs:


ComboFix 07-11-19.3 - Home 2007-11-22 16:34:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.337 [GMT -2:00]
Executando de: C:\Documents and Settings\Home\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Home\Desktop\CFScript.txt
* Criado um novo ponto de restauro

FILE
C:\WINDOWS\system32\ashkegon.dll
C:\WINDOWS\system32\bgyqpqeb.dll
C:\WINDOWS\system32\gnqlgjvl.ini
C:\WINDOWS\system32\hkccevmr.ini
C:\WINDOWS\system32\iyqgjdav.ini
C:\WINDOWS\system32\koojibsc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\munynuyt.dll
C:\WINDOWS\system32\rmvecckh.dll
C:\WINDOWS\system32\secbmgng.ini
C:\WINDOWS\system32\waydnaoq.dll
C:\WINDOWS\system32\xlkaskgf.dll
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ashkegon.dll
C:\WINDOWS\system32\bgyqpqeb.dll
C:\WINDOWS\system32\gnqlgjvl.ini
C:\WINDOWS\system32\hkccevmr.ini
C:\WINDOWS\system32\iyqgjdav.ini
C:\WINDOWS\system32\koojibsc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\munynuyt.dll
C:\WINDOWS\system32\rmvecckh.dll
C:\WINDOWS\system32\secbmgng.ini
C:\WINDOWS\system32\waydnaoq.dll
C:\WINDOWS\system32\xlkaskgf.dll

.
((((((((((((((((((((((( Ficheiros criados de 2007-10-22 to 2007-11-22 ))))))))))))))))))))))))))))))))
.

2007-11-22 14:08 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Configurações locais
2007-11-22 14:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Configurações locais
2007-11-22 14:08 <DIR> d-------- C:\Documents and Settings\LocalService\Configurações locais
2007-11-22 14:08 <DIR> d-------- C:\Documents and Settings\Home\Configurações locais
2007-11-22 14:08 <DIR> d-------- C:\Documents and Settings\Default User\Configurações locais
2007-11-22 14:08 <DIR> d-------- C:\Documents and Settings\Administrador\Configurações locais
2007-11-21 15:37 <DIR> d-------- C:\Arquivos de programas\TLKGAMES
2007-11-15 16:48 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Ipswitch
2007-11-12 15:11 <DIR> d-------- C:\Documents and Settings\Home\Dados de aplicativos\Vso
2007-11-12 15:11 81,920 --a------ C:\Documents and Settings\Home\Dados de aplicativos\ezpinst.exe
2007-11-12 15:11 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-12 15:11 47,360 --a------ C:\Documents and Settings\Home\Dados de aplicativos\pcouffin.sys
2007-11-01 21:15 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2007-10-31 14:11 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-26 13:41 <DIR> d-------- C:\Arquivos de programas\SymNetDrv
2007-10-26 12:49 <DIR> d-------- C:\Arquivos de programas\Norton SystemWorks
2007-10-26 12:49 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-26 12:49 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-26 12:49 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-26 12:48 <DIR> d-------- C:\Documents and Settings\Home\Dados de aplicativos\Symantec
2007-10-26 12:48 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Symantec
2007-10-26 12:48 <DIR> d-------- C:\Arquivos de programas\Symantec
2007-10-24 17:39 <DIR> d-------- C:\Documents and Settings\Home\Dados de aplicativos\AKVIS LLC

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 16:50 --------- d-----w C:\Documents and Settings\Home\Dados de aplicativos\MailWasherPro
2007-11-21 04:01 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\DVD Shrink
2007-11-18 21:13 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2007-11-14 11:20 --------- d-----w C:\Arquivos de programas\Lexmark X1100 Series
2007-11-12 19:44 --------- d---a-w C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2007-11-12 13:25 --------- d-----w C:\Arquivos de programas\SpywareBlaster
2007-11-09 15:46 --------- d-----w C:\Arquivos de programas\MSN Messenger
2007-11-09 07:12 --------- d-----w C:\Documents and Settings\Home\Dados de aplicativos\Babylon
2007-11-08 19:08 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Babylon
2007-11-01 20:29 --------- d-----w C:\Arquivos de programas\IrfanView
2007-10-31 00:27 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-10-28 15:21 --------- d-----w C:\Arquivos de programas\Winamp
2007-10-28 02:51 --------- d-----w C:\Arquivos de programas\LimeWire
2007-09-22 18:14 --------- d-----w C:\Arquivos de programas\TIM Web Movel
2001-11-23 04:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2004-10-09 14:16 108 --sha-r C:\WINDOWS\neoqaz2.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-22_14.07.58.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-22 16:07:22 218,044 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-22 18:39:30 218,046 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LFAgent"="C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe" [2004-12-01 16:16]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:45 C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2007-02-21 17:50]
"Symantec NetDriver Monitor"="C:\ARQUIV~1\SYMNET~1\SNDMon.exe" [2007-10-26 13:41]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
TClock.lnk - C:\Arquivos de programas\TClock\tclock.exe [2004-09-07 17:16:52]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoNetworkConnections"= 01000000
"NoStrCmpLogical"= 00000000
"NoRecentDocsMenu"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoLogoff"= 0 (0x0)
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HTpatch"=C:\WINDOWS\htpatch.exe
"Lexmark X1100 Series"="C:\Arquivos de programas\Lexmark X1100 Series\lxbkbmgr.exe"
"PCTVOICE"=pctspk.exe
"SunJavaUpdateSched"=C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"Babylon Client"=C:\Arquivos de programas\Babylon\Babylon.exe -AutoStart
"nwiz"=nwiz.exe /install
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SMSERIAL"=C:\Arquivos de programas\Motorola\SMSERIAL\sm56hlpr.exe

R1 SNSID;SNSID;C:\WINDOWS\system32\Drivers\SNSID.sys
R1 SNSMS;SNSMS;C:\WINDOWS\system32\Drivers\SNSMS.sys
R2 Agendador do LiveUpdate automático;Agendador do LiveUpdate automático;"C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
R2 LF30FS;LF30FS;\??\C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30XP.sys
R2 Ps2KSecureKeyboard;SecureKbd;\??\C:\WINDOWS\system32\DRIVERS\psseckbd.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R3 vhidmini;Secure Mouse;C:\WINDOWS\system32\DRIVERS\vhsecmou.sys
S2 agrsm;Agere Modem Driver;C:\WINDOWS\system32\agrsmnt.sys
S2 Ca533av;Dual Mode Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys
S3 FXDRV;FXDRV;\??\E:\Fxdrv.sys
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial;C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\E:\NTGLM7X.sys
S3 USBCamera;Dual Mode Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc10-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc13-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc14-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24d2cc15-6935-11dc-a21f-be10cae735b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69abb250-6937-11dc-a220-be378b3c01b9}]
\Shell\AutoRun\command - F:\AutoRun.exe

.
Conteúdo da pasta 'Tarefas Agendadas'
"2007-11-09 23:17:28 C:\WINDOWS\Tasks\Norton AntiVirus - Verificar o meu computador - Home.job"
- C:\ARQUIV~1\NORTON~1\NORTON~3\Navw32.exe
"2007-10-26 16:18:44 C:\WINDOWS\Tasks\One Button Checkup do Norton SystemWorks.job"
- C:\Arquivos de programas\Norton SystemWorks\OBC.exe

"2007-11-20 02:00:15 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SymDrmc.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 16:39:40
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2007-11-22 16:40:41 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-22 14:08
.
--- E O F ---

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/22/2007 at 05:31 PM

Application Version : 3.9.1008

Core Rules Database Version : 3348
Trace Rules Database Version: 1349

Scan type : Complete Scan
Total Scan Time : 00:35:26

Memory items scanned : 352
Memory threats detected : 0
Registry items scanned : 5554
Registry threats detected : 0
File items scanned : 36914
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Home\Cookies\home@bestsellerantivirus[1].txt
C:\Documents and Settings\Home\Cookies\home@ad.ural-banners.bb[1].txt

Adware.Vundo-Variant/Small-A
C:\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20071122-163344-871.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4326EA49-C233-4DA1-B8BE-485B2D739F3F}\RP42\A0051289.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4326EA49-C233-4DA1-B8BE-485B2D739F3F}\RP42\A0051290.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4326EA49-C233-4DA1-B8BE-485B2D739F3F}\RP42\A0051294.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4326EA49-C233-4DA1-B8BE-485B2D739F3F}\RP42\A0051295.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4326EA49-C233-4DA1-B8BE-485B2D739F3F}\RP42\A0051299.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4326EA49-C233-4DA1-B8BE-485B2D739F3F}\RP41\A0051236.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4326EA49-C233-4DA1-B8BE-485B2D739F3F}\RP42\A0051298.DLL



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:29, on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\vssvc.exe
C:\Arquivos de programas\TClock\tclock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\program files\HijackThis\Scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.terra.com.br/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Arquivos de programas\Ipswitch\WS_FTP Professional\wsbho2k0.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LFAgent] C:\Arquivos de programas\Everstrike Software\Lock Folder XP 3.5\LF30.exe -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [UpdateManager] C:\Program Files\Common Files\Microsoft Shared\Web Components\WUpdMan32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: TClock.lnk = C:\Arquivos de programas\TClock\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O9 - Extra 'Tools' menuitem: MSN Messenger - {978ac263-6169-4969-9ca8-dc16fe0f45aa} - C:\ARQUIV~1\MSNMES~1\msnmsgr.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {3C8B9651-4E3E-424D-B51C-54544ABF536B} (CAtmCap Object) - https://ww7.banrisul.com.br/bxz/data/securecontrol2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agendador do LiveUpdate automático - Symantec Corporation - C:\Arquivos de programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Serviço do Auto-Protect do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7580 bytes

ken545
2007-11-22, 21:30
Your log looks fine :bigthumb:

You may want to enter the BIOS and make sure that CD, HD and then floppy are selected, then save it and reboot. Let me know if you're still getting that error on boot up.

Nanna
2007-11-22, 22:53
Good evening, Ken

I can't believe we got rid of that awful thing! I always thought that the first boot was from hd(?) Both pcs are like this: first HD, second CD and third floppy. Should I change this? One more question, abusing your patience, should I do that disable/enable system restore/reboot thing?
Waiting for your answer to have a good night's sleep!
Nana

ken545
2007-11-22, 23:30
Nana,

HD, CD, Floppy is fine BUT, if you ever run into a Windows problem and you need to boot from the Windows CD, it won't boot unless the CD is first.

System Restore: everything we removed is most likely backed up in that program, and if you should use it to restore your system to a previous date for some reason you take the chance of reinfecting yourself. I am going to give you the instructions for flushing it all out and creating a new Restore Point, BUT, I would wait a few days until you're sure your system is stable.


System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it


How are things running now??

Nanna
2007-11-23, 01:17
Hi, Ken

It's past 10 pm down here and I'm ready to go to sleep. I'm very happy with your help, you must be proud of yourself to help people around the world by sharing your knowledge. I was afraid my English would be an issue, but you were so kind and patient, I can't thank you enough.

I see your point about the boot thing and I will flush the system restore, for good measure. The system is fine and I'm sending this message from my kid's pc! I didn't reboot it since I was waiting for you, so I don't know if it will show the warning again. If it does, I'll get back to you, for sure!

Thanks for all you taught me and for your kind attention.
Wishing you all the best, Merry Christmas and Happy New Year!!!!!!!!
Nana

You were :crowned:

ken545
2007-11-23, 01:57
Hello Nana,

Here are some tips and free programs to install to help keep you more secure.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Glad we could help

Safe Surfn
Ken

Nanna
2007-11-23, 03:52
Hello Ken

I'll check all the tips you gave me. I changed the boot to cd first and on reboot I didn't get any warning. Everything is running fine and I'll take your advice to wait a few days to flush SR.

Thanks again for all you've done to help me.

All the best,
Nana:bow::bow:

ken545
2007-11-23, 12:28
You're very welcome Nana,

Stay Well,

Ken :)