View Full Version : Bifrose
Nashinoshi
2007-12-09, 21:58
Hi
I play a game named World of Warcraft wich detected Backdoor.Win32.Bifrose.aej. I have Kaspersky Internet Security 6 with wich I ran a scan and found nothing.
I've tryed a Kaspersky online scan but it failed to update and I couldn't scan.
I've also run a scan with Spybot S&D wich found Bifrose.LA, wich I removed and did nothing, I restarted the computer and the registry enters wich he deleted came back.
Also I have a hidden iexplore.exe wich appears every time I restart my computer, if I terminate it WoW doesn't detect the Bifrose anymore. The hidden iexplore.exe seems to be sendind data to someone. Also it makes some issues when I try to Alt+TAB from IE to other programes. Basicaly the Alt+TAB window apears but I can't change to the other program, and I have to shut down the hidden iexplore.exe to be able to Alt+TAB.
I've also searched my computer for bifrost files (as other people had them) but found nothing.
I've searched the registry for bifrost entrys and deleted the ones I found but I think they were the same ones Spybot found, so they just keep coming back after restarts.
I've run a HiJackThis and fixed a
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
but it seems to come back again after restarts.
Here's the HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:57:08, on 09-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programas\DAP\DAP.EXE
C:\Programas\HP\HP Software Update\HPWuSchd.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\Detector\CTDetect.exe
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\Programas\DAEMON Tools\daemon.exe
C:\Programas\NDAS\System\ndasmgmt.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Programas\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programas\CyberLink\Shared Files\RichVideo.exe
c:\Programas\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\Programas\internet explorer\iexplore.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Auxiliar de Conex? do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programas\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programas\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Programas\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] C:\Programas\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Gest? de dispositivo NDAS.lnk
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programas\DAP\dapextie.htm
O8 - Extra context menu item: Adicionar ao Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Anti-Vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Publicar em Blogue - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Publicar no Blogue no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O15 - Trusted Zone: http://s3.travian.pt
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187792627343
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191322556406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programas\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Programas\NDAS\System\ndassvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programas\Windows Live\installer\WLSetupSvc.exe
--
End of file - 11033 bytes
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those three things, everything should go smoothly :D
There is nothing showing in your HJT log, which doesn't mean you aren't infected :sad:
Let's try a different scan
Download and Run ComboFix
Download Combofix from one of the links below :
ComboFix.exe 1 (http://subs.geekstogo.com/ComboFix.exe)
ComboFix.exe 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
ComboFix.exe 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
ComboFix SHOULD NOT be used without supervision
Nashinoshi
2007-12-19, 14:51
Thanks for helping me :heart:
Heres the log:
ComboFix 07-12-19.2 - Nashinoshi 2007-12-19 13:40:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.493 [GMT 0:00]
Executando de: C:\Documents and Settings\Nashinoshi\Ambiente de trabalho\ComboFix.exe
* Criado um novo ponto de restauro
.
((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Nashinoshi\Application Data\addon.dat
C:\WINDOWS\system32\Cache
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\NPF
((((((((((((((((((((((( Ficheiros criados de 2007-11-19 to 2007-12-19 ))))))))))))))))))))))))))))))))
.
2007-12-19 13:37 . 2007-12-19 13:37 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-12-19 13:37 . 2007-12-19 13:37 <DIR> d-------- C:\Programas\microsoft frontpage
2007-12-01 11:53 . 2007-12-01 11:53 <DIR> d-------- C:\Programas\Mozilla ActiveX Control v1.7.12
2007-12-01 11:48 . 2007-12-01 11:48 <DIR> d-------- C:\Programas\NuxBox
2007-11-27 21:18 . 2007-12-17 22:31 <DIR> d-------- C:\Documents and Settings\Nashinoshi\Application Data\teamspeak2
2007-11-27 21:17 . 2007-11-27 21:18 <DIR> d-------- C:\Programas\Teamspeak2_RC2
2007-11-27 21:17 . 2007-11-27 21:17 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2007-11-22 12:23 . 2007-11-22 12:23 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2007-11-22 12:23 . 2007-11-22 12:23 22,328 --a------ C:\Documents and Settings\Nashinoshi\Application Data\PnkBstrK.sys
2007-11-22 11:58 . 2007-11-11 09:48 6,479,353,856 --a------ C:\rzr-crys.iso
2007-11-21 14:55 . 2007-11-21 14:55 <DIR> d-------- C:\HammerAutosave
.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-19 13:46 46,549,024 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-19 13:46 1,567,520 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-19 13:45 634,820 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-19 13:45 155,312 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-19 13:37 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-14 23:56 --------- d-----w C:\Programas\DScaler
2007-12-11 18:24 --------- d-----w C:\Programas\eMule
2007-12-09 17:57 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\IGN_DLM
2007-11-30 11:11 --------- d-----w C:\Programas\Windows Live
2007-11-22 12:23 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-17 13:10 --------- d--h--w C:\Programas\InstallShield Installation Information
2007-11-17 12:07 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\uTorrent
2007-11-15 23:18 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\Microsoft Games
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-03 12:50 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\Windows Desktop Search
2007-11-03 00:16 --------- d-----w C:\Programas\Windows Desktop Search
2007-11-03 00:16 --------- d-----w C:\Programas\Microsoft SQL Server Compact Edition
2007-11-03 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-02 11:32 --------- d-----w C:\Programas\Opera
2007-11-01 17:09 --------- d-----w C:\Programas\NDAS
2007-10-31 10:49 --------- d-----w C:\Programas\Java
2007-10-30 22:35 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\LimeWire
2007-10-30 22:27 --------- d-----w C:\Programas\LimeWire
2007-10-30 22:23 --------- d-----w C:\Programas\Ficheiros comuns\Java
2007-10-29 12:57 --------- d-----w C:\Programas\Download Manager
2007-10-23 17:49 586,752 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-23 16:15 --------- d-----w C:\Programas\EdicoesSegurancaRodoviaria
2007-10-19 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-19 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-10-19 11:56 --------- d-----w C:\Programas\ATI Technologies
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Creative Detector"="C:\Programas\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]
"MsnMsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.exe" [2007-08-16 16:19]
"DAEMON Tools"="C:\Programas\DAEMON Tools\daemon.exe" [2007-08-22 12:06]
"igndlm.exe"="C:\Programas\Download Manager\DLM.exe" [2007-03-05 21:57]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kis"="C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 18:09]
"P17Helper"="Rundll32 P17.dll" []
"DownloadAccelerator"="C:\Programas\DAP\DAP.exe" [2007-08-21 21:03]
"HP Software Update"="C:\Programas\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 16:28]
"HP Component Manager"="C:\Programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 23:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 23:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32]
"RemoteControl"="C:\Programas\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 21:26]
"LanguageShortcut"="C:\Programas\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 21:17]
"StartCCC"="C:\Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 01:56 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 01:37]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
"RunLogonScriptSync"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)
"HideStartupScripts"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"HideLogoffScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"= 0 (0x0)
"NoDispAppearancePage"= 0 (0x0)
"NoDispScrSavPage"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"NoVisualStyleChoice"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"HideLogoffScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoShellSearchButton"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoRecentDocsHistory"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoTrayItemsDisplay"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"NoToolbarsOnTaskbar"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoViewContextMenu"= 0 (0x0)
"NoShellSearchButton"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoWindowsUpdate"= 0 (0x0)
"NoFolderOptions"= 0 (0x0)
"NoRecentDocsHistory"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"StartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoTrayItemsDisplay"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoToolbarsOnTaskbar"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programas\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nashinoshi^Menu Iniciar^Programas^Arranque^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Nashinoshi\Menu Iniciar\Programas\Arranque\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Programas\Download Manager\DLM.exe /windowsstart /startifwork
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
c:\programas\ncsoft\launcher\NCLauncher.exe /Minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 --a------ C:\Programas\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 15:46 1460560 --a------ C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2006-09-07 17:19 15872 --a------ C:\Programas\Unlocker\UnlockerAssistant.exe
R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-06-29 17:32]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-06-29 17:32]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 12:22]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-06-29 17:32]
R2 HWiNFO32;HWiNFO32 Kernel Driver;C:\Programas\HWiNFO32\HWiNFO32.SYS [2007-03-05 19:14]
R2 SQLWriter;SQL Server VSS Writer;"c:\Programas\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 08:14]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-06-29 17:32]
R3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-06-29 17:32]
R3 P17;SB Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys [2005-07-07 08:14]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 14:05]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 15:32]
S3 drhard;DRHARD;C:\WINDOWS\system32\DRIVERS\DRHARD.SYS [2005-12-01 10:49]
S3 DSDrv4;DSDrv4;C:\PROGRA~1\DScaler\DSDrv4.sys [2005-12-18 19:42]
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys []
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Programas\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8BFA84CD-3AF3-0AB9-A2F8-83C2FD4B2B22}]
C:\WINDOWS\system32\geil\server.exe s
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 13:47:17
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializ*veis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusÆo: 2007-12-19 13:49:03 - machine was rebooted [Nashinoshi]
.
2007-12-14 00:15:21 --- E O F ---
That isn't showing very much either :sad:
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total
Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the the following file path into the window
C:\WINDOWS\system32\geil\server.exe
Click Submit/Send File
Please post back, to let me know the results.
If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)
TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan (http://www.nanoscan.com/as/v1/?) << LINK
Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.
Nashinoshi
2007-12-20, 16:05
File has already been analysed:
MD5: 3a07be8889e12baa53c63a182b84920c
Date: 2007.09.04 20:20:58 (CET) [>106D]
Results: 6/32
Permalink: resultado.html?e65c6471f3e75ac6370ea82dea36681b
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.CFI.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - MemScan:Backdoor.Bifrose.NQ
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - -
Kaspersky - - -
McAfee - - BackDoor-CEP.svr
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - VIPRE.Suspicious
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.CFI.Gen
Then I clicked a button to reanalyse or something like that and gave me these results:
Antivirus Version Last Update Result
AhnLab-V3 2007.12.20.11 2007.12.20 Win-Trojan/Bifrose.1124521
AntiVir 7.6.0.46 2007.12.20 BDS/Bifrose.Gen
Authentium 4.93.8 2007.12.20 -
Avast 4.7.1098.0 2007.12.20 -
AVG 7.5.0.503 2007.12.19 BackDoor.Generic8.ITQ
BitDefender 7.2 2007.12.20 MemScan:Backdoor.Bifrose.NQ
CAT-QuickHeal 9.00 2007.12.19 -
ClamAV 0.91.2 2007.12.20 PUA.Packed.TeLock
DrWeb 4.44.0.09170 2007.12.20 -
eSafe 7.0.15.0 2007.12.19 suspicious Trojan/Worm
eTrust-Vet 31.3.5390 2007.12.20 -
Ewido 4.0 2007.12.19 -
FileAdvisor 1 2007.12.20 High threat detected
Fortinet 3.14.0.0 2007.12.20 BDoor.CEP!tr.bdr
F-Prot 4.4.2.54 2007.12.20 -
F-Secure 6.70.13030.0 2007.12.20 -
Ikarus T3.1.1.15 2007.12.20 MemScanBackdoor.Bifrose.NQ
Kaspersky 7.0.0.125 2007.12.20 Heur.Trojan.Generic
McAfee 5189 2007.12.19 BackDoor-CEP.svr
Microsoft 1.3109 2007.12.20 -
NOD32v2 2736 2007.12.20 -
Norman 5.80.02 2007.12.19 -
Panda 9.0.0.4 2007.12.19 Generic Backdoor
Prevx1 V2 2007.12.20 Generic.Malware
Rising 20.23.31.00 2007.12.20 -
Sophos 4.24.0 2007.12.20 Mal/Generic-A
Sunbelt 2.2.907.0 2007.12.20 VIPRE.Suspicious
Symantec 10 2007.12.20 Infostealer
TheHacker 6.2.9.165 2007.12.19 W32/Behav-Heuristic-066
VBA32 3.12.2.5 2007.12.20 -
VirusBuster 4.3.26:9 2007.12.19 -
Webwasher-Gateway 6.0.1 2007.12.20 Trojan.Backdoor.Bifrose.Gen
Additional information
File size: 1124521 bytes
MD5: 3a07be8889e12baa53c63a182b84920c
SHA1: 5d83df07fa745515ad388760c5f37b8cc72686c6
PEiD: tElock 0.98 -> tE!
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=3a07be8889e12baa53c63a182b84920c
packers: TeLock
packers: PE_Patch, TeLock
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=6D6D0F8BA9AE21CC284711434945A000BFDF5220
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Nashinoshi
2007-12-20, 16:07
Here's the Total Scan log(wich i had to separate in 2 posts):
;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-12-20 14:58:35
PROTECTIONS: 1
MALWARE: 77
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Internet Security 6.0 6.0.0.303 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00045952 spyware/media-motor Spyware No 1 Yes No c:\windows\unstall.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@trafficmp[2].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\SmitfraudFix.zip[SmitfraudFix/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP136\A0037094.exe
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@247realmedia[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@tribalfusion[1].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@revenue[2].txt
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.revenue.net/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.com.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.yadro.ru/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@yadro[2].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.yadro.ru/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.xiti.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@xiti[1].txt
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.hotlog.ru/]
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@hotlog[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.statcounter.com/]
00167785 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@gamearena.com[2].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@perf.overture[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@bs.serving-sys[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@www.burstbeacon[2].txt
00168102 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@as1.falkag[1].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@weborama[1].txt
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.weborama.fr/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@adtech[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.adtech.de/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@server.iad.liveperson[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@stat.onestat[1].txt
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@fl01.ct2.comclick[1].txt
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.fl01.ct2.comclick.com/]
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.fl01.ct2.comclick.com/]
00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.fl01.ct2.comclick.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.advertising.com/]
Nashinoshi
2007-12-20, 16:08
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@ads.pointroll[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ads.pointroll.com/]
00170553 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ig.com.br/]
00170553 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@ig.com[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@overture[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@realmedia[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.realmedia.com/]
00170557 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.terra.com.br/]
00170557 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@terra.com[1].txt
00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@uol.com[1].txt
00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.uol.com.br/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@questionmarket[2].txt
00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.xxxcounter.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@adultfriendfinder[2].txt
00199231 HackTool/EvID HackTools No 0 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\226-patch_sp2_tcpip.zip[EvID4226Patch.exe]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.searchportal.information.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@searchportal.information[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@searchportal.information[1].txt
00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@i.screensavers[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@atwola[1].txt
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.smartadserver.com/]
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@smartadserver[2].txt
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@www3.addfreestats[1].txt
00286734 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@adserver.filefront[2].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@www6.addfreestats[2].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@ads.addynamix[1].txt
00376900 Adware/SaveNow Adware No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP40\A0016772.exe
00391539 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0015341.exe
00510234 Application/Dnet.A HackTools No 0 No No D:\System Volume Information\_restore{06317BA0-0F54-4435-A5B2-EDF61E4F2F28}\RP87\A0016349.exe[dnetc.exe]
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\SmitfraudFix.zip[SmitfraudFix/restart.exe]
00517584 Application/SuperFast HackTools No 0 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP136\A0037096.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\SmitfraudFix\restart.exe
00815385 Bck/Pcclient.ED Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0012729.exe
00861842 Generic Backdoor Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP162\A0046780.exe
00861842 Generic Backdoor Virus/Trojan No 0 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\Downloads\Windows Vista 32 all versions multilanguage with activation crack (Paradox)\Windows Vista crack paradox\Check.exe
00863965 Generic Backdoor Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP162\A0046783.exe
00863965 Generic Backdoor Virus/Trojan No 0 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\Downloads\Windows Vista 32 all versions multilanguage with activation crack (Paradox)\Windows Vista crack paradox\Validate.exe
00933898 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{630F24B8-5FA5-4093-A8FE-89514AA93F4E}\RP16\A0001001.exe
00958483 Generic Worm Virus/Worm No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0007043.ExE
01048153 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0004927.exe
01048187 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0004926.exe
01048913 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0013216.exe
01049078 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0005777.exe
01049078 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0005778.exe
01049287 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0013215.exe
01072236 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0005319.exe
01072694 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0009834.exe
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP182\A0056142.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\All Users\Documentos\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP182\A0056170.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP136\A0037083.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP136\A0037083.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\All Users\Documentos\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Nashinoshi\Ambiente de trabalho\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\ComboFix.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Nashinoshi\Ambiente de trabalho\ComboFix.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP183\A0056247.exe
01269613 Trj/QQPass.QV Virus/Trojan No 1 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0004797.exe
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Cookies\nashinoshi@adserver.easyad[1].txt
01891301 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0012730.exe
01946824 Generic Backdoor Virus/Trojan No 0 Yes No C:\WINDOWS\system32\geil\server.exe
02092651 Adware/SecurityError Adware No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0004799.exe
02121207 Generic Malware Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0004964.exe
02181950 Generic Malware Virus/Trojan No 0 No No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0005200.exe[update.exe]
02181950 Generic Malware Virus/Trojan No 0 No No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0005202.exe[update.exe]
02181950 Generic Malware Virus/Trojan No 0 No No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0005212.exe[update.exe]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP136\A0037095.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
02326757 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0012794.exe
02426948 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0004922.exe
02519515 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{0F50E03B-332E-466C-9714-23336E506210}\RP136\A0037081.exe
02519515 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\All Users\Documentos\SmitfraudFix.exe
02519515 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\SmitfraudFix.exe
02551250 Adware/SaveNow Adware No 0 Yes No C:\Programas\DAEMON Tools\AdVantageSetup.exe
02572368 Generic Trojan Virus/Trojan No 0 Yes No D:\System Volume Information\_restore{39F06959-4B56-42C6-AD20-E6017AFDAE57}\RP37\A0007013.exe
02646143 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\ADSTechnologyInstall.exe[ADSTechnology.exe]
02878173 Generic Trojan Virus/Trojan No 0 Yes No G:\Colones\FEAR\Keygen\Keygen for F.E.A.R.exe
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\nr7.zip[NR7/Texmod.exe]
;===================================================================================================================================================================================
Nashinoshi
2007-12-20, 16:08
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No D:\Users\Nashinoshi\AppData\Roaming\Microsoft\Windows\Cookies\nashinoshi@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Nashinoshi\Application Data\Mozilla\Firefox\Profiles\zyl5br6i.default\cookies.txt[.ads.pointroll.com/]
had to cut this from the middle of it cause it made it too long lol
I'm afraid I have unpleasant news for you. You have two Very Dangerous infections on this machine.
Windows Vista crack paradox and server.exe are both Backdoor Trojans
They allow outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.
We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.
The Decision Whether to ReFormat or Not should be based on:
The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have the worst kind.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.
Nashinoshi
2007-12-21, 12:38
I've had this backdoor for over a month, maybe two, and haven't had anything stolen, at least that I notice.
And I don't use this computer to buy or transactions, it's all done on my dad's computer.
Only thing that worries me a bit is that I've used my dad's credit card once to activate an online game account.
When I terminate the hidden iexplore.exe in the process list it seems no data is being sent and as I haven't noticed anything being stolen I think I'll just clean my computer and ask my dad to keep watch on hes credit card.
Thanks for the help by the way.
Nashinoshi
2007-12-21, 12:55
Nevermind...changed my mind dont want to be worried everytime I type a password.
I think I'll format...
But do you think my personal data is realy in danger? As I haven't noticed anything in this 1~2 monthes... I have a hardware and software firewall and I terminate the iexplore.exe process and it seemed safe...
And I have 2 hard drives, would I need to format the 2 or just the one I have my windows instaled on?
Can you help me decide to format or not?lol basicaly I want to know if I was indeed safe or data could be stolen...
I read that page but its realy hard to decide...
Nashinoshi
2007-12-21, 13:36
Basicaly im still deciding lol sorry for the confused posts
My dad checked hes bank account and found nothing wrong
So I think I'll clean my computer, if you think the reasons I posted are enough for you to think I'll be safe.
Or format if you think the reasons I posted dont guarantee anything at all.
The chances are that the backdoor is designed to allow access to your WOW account.
However, given the nature of the infection there is no way I can say if anything else has been/will be stolen.
A backdoor can allow an attacker to do whatever they like.
If you are able to reformat, then I would strongly recommend it.
Nashinoshi
2007-12-21, 16:03
thanks for all the help
I've decided to clean the infected files
You have cleaned, or you want to clean ?
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\windows\unstall.exe
C:\Documents and Settings\Nashinoshi\Os meus documentos\Downloads\Windows Vista 32 all versions multilanguage with activation crack (Paradox)\Windows Vista crack paradox\Check.exe
C:\Documents and Settings\Nashinoshi\Os meus documentos\Downloads\Windows Vista 32 all versions multilanguage with activation crack (Paradox)\Windows Vista crack paradox\Validate.exe
C:\WINDOWS\system32\geil\server.exe
C:\Programas\DAEMON Tools\AdVantageSetup.exe
C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\ADSTechnologyInstall.exe
G:\Colones\FEAR\Keygen\Keygen for F.E.A.R.exe
C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\nr7.zip
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8BFA84CD-3AF3-0AB9-A2F8-83C2FD4B2B22}]
Save this as CFScript.txt and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Nashinoshi
2007-12-21, 21:16
ComboFix 07-12-19.2 - Nashinoshi 2007-12-21 20:09:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.580 [GMT 0:00]
Executando de: C:\Documents and Settings\Nashinoshi\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nashinoshi\Ambiente de trabalho\CFScript.txt
FILE
C:\Documents and Settings\Nashinoshi\Os meus documentos\Downloads\Windows Vista 32 all versions multilanguage with activation crack (Paradox)\Windows Vista crack paradox\Check.exe
C:\Documents and Settings\Nashinoshi\Os meus documentos\Downloads\Windows Vista 32 all versions multilanguage with activation crack (Paradox)\Windows Vista crack paradox\Validate.exe
C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\ADSTechnologyInstall.exe
C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\nr7.zip
C:\Programas\DAEMON Tools\AdVantageSetup.exe
C:\WINDOWS\system32\geil\server.exe
c:\windows\unstall.exe
G:\Colones\FEAR\Keygen\Keygen for F.E.A.R.exe
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Nashinoshi\Application Data\addon.dat
C:\Documents and Settings\Nashinoshi\Os meus documentos\My Completed Downloads\ADSTechnologyInstall.exe
C:\Programas\DAEMON Tools\AdVantageSetup.exe
C:\WINDOWS\system32\geil\server.exe
c:\windows\unstall.exe
.
((((((((((((((((((((((( Ficheiros criados de 2007-11-21 to 2007-12-21 ))))))))))))))))))))))))))))))))
.
2007-12-20 11:32 . 2007-12-20 11:32 <DIR> d-------- C:\Programas\Panda Security
2007-12-19 13:49 . 2007-12-19 13:49 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definiþ§es locais
2007-12-19 13:49 . 2007-12-19 13:49 <DIR> d-------- C:\Documents and Settings\NetworkService\Definiþ§es locais
2007-12-19 13:49 . 2007-12-19 13:49 <DIR> d-------- C:\Documents and Settings\Nashinoshi\Definiþ§es locais
2007-12-19 13:49 . 2007-12-19 13:49 <DIR> d-------- C:\Documents and Settings\LocalService\Definiþ§es locais
2007-12-19 13:49 . 2007-12-19 13:49 <DIR> d-------- C:\Documents and Settings\Default User\Definiþ§es locais
2007-12-19 13:37 . 2007-12-19 13:37 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-12-19 13:37 . 2007-12-19 13:37 <DIR> d-------- C:\Programas\microsoft frontpage
2007-12-01 11:53 . 2007-12-01 11:53 <DIR> d-------- C:\Programas\Mozilla ActiveX Control v1.7.12
2007-12-01 11:48 . 2007-12-01 11:48 <DIR> d-------- C:\Programas\NuxBox
2007-11-27 21:18 . 2007-12-19 20:59 <DIR> d-------- C:\Documents and Settings\Nashinoshi\Application Data\teamspeak2
2007-11-27 21:17 . 2007-11-27 21:18 <DIR> d-------- C:\Programas\Teamspeak2_RC2
2007-11-27 21:17 . 2007-11-27 21:17 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2007-11-22 12:23 . 2007-11-22 12:23 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2007-11-22 12:23 . 2007-11-22 12:23 22,328 --a------ C:\Documents and Settings\Nashinoshi\Application Data\PnkBstrK.sys
2007-11-22 11:58 . 2007-11-11 09:48 6,479,353,856 --a------ C:\rzr-crys.iso
2007-11-21 14:55 . 2007-11-21 14:55 <DIR> d-------- C:\HammerAutosave
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-21 20:13 --------- d-----w C:\Programas\Kaspersky Lab
2007-12-21 20:12 48,977,184 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-21 20:12 1,582,880 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-21 20:12 --------- d-----w C:\Programas\DAEMON Tools
2007-12-21 19:04 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\uTorrent
2007-12-21 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-21 15:22 --------- d-----w C:\Programas\Security Task Manager
2007-12-21 10:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-21 00:30 665,684 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-21 00:30 155,984 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-14 23:56 --------- d-----w C:\Programas\DScaler
2007-12-11 18:24 --------- d-----w C:\Programas\eMule
2007-12-09 17:57 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\IGN_DLM
2007-11-30 11:11 --------- d-----w C:\Programas\Windows Live
2007-11-22 12:23 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-22 12:23 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-17 13:10 --------- d--h--w C:\Programas\InstallShield Installation Information
2007-11-15 23:18 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\Microsoft Games
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-03 12:50 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\Windows Desktop Search
2007-11-03 00:16 --------- d-----w C:\Programas\Windows Desktop Search
2007-11-03 00:16 --------- d-----w C:\Programas\Microsoft SQL Server Compact Edition
2007-11-03 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-02 11:32 --------- d-----w C:\Programas\Opera
2007-11-01 17:09 --------- d-----w C:\Programas\NDAS
2007-10-31 10:49 --------- d-----w C:\Programas\Java
2007-10-30 22:35 --------- d-----w C:\Documents and Settings\Nashinoshi\Application Data\LimeWire
2007-10-30 22:27 --------- d-----w C:\Programas\LimeWire
2007-10-30 22:23 --------- d-----w C:\Programas\Ficheiros comuns\Java
2007-10-29 22:43 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 12:57 --------- d-----w C:\Programas\Download Manager
2007-10-25 09:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 17:49 586,752 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-23 16:15 --------- d-----w C:\Programas\EdicoesSegurancaRodoviaria
2007-10-03 23:36 25,600 ----a-w C:\WINDOWS\system32\WS2Fix.exe
2007-09-29 03:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 03:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 03:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 02:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 02:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 02:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 02:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 02:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 02:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 02:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 02:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 02:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 02:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 02:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 02:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 02:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-28 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
.
((((((((((((((((((((((((((((( snapshot@2007-12-19_13.48.23.62 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-21 14:37:26 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\ascstubie.dll
+ 2007-07-18 14:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
- 2007-12-12 22:50:46 90,980 ----a-w C:\WINDOWS\system32\drivers\klin.sys
+ 2007-12-20 18:07:45 91,492 ----a-w C:\WINDOWS\system32\drivers\klin.sys
- 2007-12-19 13:39:46 247,687 ---h--w C:\WINDOWS\system32\geil\klog.dat
+ 2007-12-21 11:23:07 251,111 ---ha-w C:\WINDOWS\system32\geil\klog.dat
- 2007-12-19 13:39:34 171,273 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-21 10:56:32 171,272 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Creative Detector"="C:\Programas\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]
"MsnMsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.exe" [2007-08-16 16:19]
"DAEMON Tools"="C:\Programas\DAEMON Tools\daemon.exe" [2007-08-22 12:06]
"igndlm.exe"="C:\Programas\Download Manager\DLM.exe" [2007-03-05 21:57]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kis"="C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 18:09]
"P17Helper"="Rundll32 P17.dll" []
"DownloadAccelerator"="C:\Programas\DAP\DAP.exe" [2007-08-21 21:03]
"HP Software Update"="C:\Programas\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 16:28]
"HP Component Manager"="C:\Programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 23:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 23:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32]
"RemoteControl"="C:\Programas\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-08 21:26]
"LanguageShortcut"="C:\Programas\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 21:17]
"StartCCC"="C:\Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:56]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="cmd.exe" [2004-08-04 01:56 C:\WINDOWS\system32\cmd.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 01:37]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)
"RunLogonScriptSync"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)
"HideStartupScripts"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"HideLogoffScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"= 0 (0x0)
"NoDispAppearancePage"= 0 (0x0)
"NoDispScrSavPage"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"NoVisualStyleChoice"= 0 (0x0)
"NoColorChoice"= 0 (0x0)
"NoSizeChoice"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)
"HideLogoffScripts"= 0 (0x0)
"HideLegacyLogonScripts"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoShellSearchButton"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoRecentDocsHistory"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoTrayItemsDisplay"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"NoToolbarsOnTaskbar"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThemesTab"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoRecycleFiles"= 0 (0x0)
"ForceRecycleBinSize"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoViewContextMenu"= 0 (0x0)
"NoShellSearchButton"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoCustomizeThisFolder"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoOnlinePrintsWizard"= 0 (0x0)
"NoPublishingWizard"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoFind"= 0 (0x0)
"NoWindowsUpdate"= 0 (0x0)
"NoFolderOptions"= 0 (0x0)
"NoRecentDocsHistory"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuMorePrograms"= 0 (0x0)
"NoStartMenuEjectPC"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"StartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoSMBalloonTip"= 0 (0x0)
"NoSMBalloonTips"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoTrayItemsDisplay"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"HideClock"= 0 (0x0)
"NoToolbarsOnTaskbar"= 0 (0x0)
"NoTaskGrouping"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoWebServices"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programas\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Nashinoshi^Menu Iniciar^Programas^Arranque^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\Nashinoshi\Menu Iniciar\Programas\Arranque\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Programas\Download Manager\DLM.exe /windowsstart /startifwork
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayNC Launcher]
c:\programas\ncsoft\launcher\NCLauncher.exe /Minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 --a------ C:\Programas\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 15:46 1460560 --a------ C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
Nashinoshi
2007-12-21, 21:17
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2006-09-07 17:19 15872 --a------ C:\Programas\Unlocker\UnlockerAssistant.exe
R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-06-29 17:32]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-06-29 17:32]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 12:22]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-06-29 17:32]
R2 HWiNFO32;HWiNFO32 Kernel Driver;C:\Programas\HWiNFO32\HWiNFO32.SYS [2007-03-05 19:14]
R2 SQLWriter;SQL Server VSS Writer;"c:\Programas\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 04:29]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 08:14]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-06-29 17:32]
R3 P17;SB Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys [2005-07-07 08:14]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 14:05]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 15:32]
S3 drhard;DRHARD;C:\WINDOWS\system32\DRIVERS\DRHARD.SYS [2005-12-01 10:49]
S3 DSDrv4;DSDrv4;C:\PROGRA~1\DScaler\DSDrv4.sys [2005-12-18 19:42]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-06-29 17:32]
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys []
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Programas\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-21 20:12:47
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusão: 2007-12-21 20:13:54
C:\ComboFix2.txt ... 2007-12-19 13:49
.
2007-12-14 00:15:21 --- E O F ---
Looks better :bigthumb:
Please can you post a fresh HJT log for a final look.
How are things running now ?
Nashinoshi
2007-12-21, 21:53
Running great, the hidden iexplore.exe doesn't start whenever I restart now, everythings fine.
But I have a question, I once had a program similar to a firewall, wich showed a list of IPs of every conection I had and I could, for example, right click one and block one of them. Just wondering if you could give me the name of that program. If you can't its not problem I'll keep looking.
Heres the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:12, on 21-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programas\DAP\DAP.EXE
C:\Programas\HP\HP Software Update\HPWuSchd.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Creative\MediaSource\Detector\CTDetect.exe
C:\Programas\Windows Live\Messenger\MsnMsgr.Exe
C:\Programas\DAEMON Tools\daemon.exe
C:\Programas\NDAS\System\ndasmgmt.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programas\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programas\CyberLink\Shared Files\RichVideo.exe
c:\Programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programas\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Auxiliar de Conex? do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programas\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programas\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Programas\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [igndlm.exe] C:\Programas\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Gest? de dispositivo NDAS.lnk
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programas\DAP\dapextie.htm
O8 - Extra context menu item: Adicionar ao Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Anti-Vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Publicar em Blogue - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Publicar no Blogue no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O15 - Trusted Zone: http://s3.travian.pt
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187792627343
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191322556406
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programas\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Programas\NDAS\System\ndassvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programas\Windows Live\installer\WLSetupSvc.exe
--
End of file - 10683 bytes
Are either of these two what you are looking for ?
TCPView (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx)
CurrPorts (http://www.nirsoft.net/utils/cports.html)
Congratulations your logs look clean :D
Let's see if I can help you keep it that way
First lets tidy up :D
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You can also delete any logs we have produced, and empty your Recycle bin.
Reset System Restore.
Now you should disable System restore to purge any infected files and then re-enable it,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-Check Turn off System Restore.
Click Apply, and then click OK.
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
All the programs in this list have a free version.
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
AVG Anti-Spyware 7.5 (http://www.ewido.net/en/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Ad-Aware 2007 Free (http://www.lavasoftusa.com/products/ad_aware_free.php) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 3.5.1 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/content/view/15/33/) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/content/view/19/2/) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.......So How Did I Get Infected In The First Place (http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Nashinoshi
2007-12-22, 13:22
omg great programs!!!
Thanks a lot!
Everythings fine you can archive this :)
Now I just have to know more about Combofix and discover why is it dangerous to use it without supervision, realy curious.
ComboFix is a very powerful removal tool.
Given the wrong set of circumstances it is fully capable of deleting your operating system.
That's why we don't recommend it be used unless we suggest it :D:
Nashinoshi
2007-12-22, 14:13
erm..one more thing that now's happening.
Wheneve I start a program wich has a "mini-internet explorer" there's an error like this:
"Error
An error occurred during execution.
Do you wish to depurate?
Line: 178
Error: Expected an object
[Yes] [No]"
(this was translated from portuguese by me so I don't know if it's exactly like that lol)
I called it a "mini-internet explorer" because I have no idea what that is called lol but it's like a normal program that can show an web site page... like World of warcraft Launch program starts a window witch shows a web page with news of the game, or Download Accelarator Plus wich has internet access too in a search window.
However if I click "No" it seems continues normaly with no problams.
Think it's something to do with javascript?
It's possible that it is java related, download the latest version, and then uninstall all versions you have on your machine.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Nashinoshi
2007-12-22, 14:17
instead of
"Do you wish to depurate?"
change that to
"Do you wish to debugg?"
sorry realy bad translated
Nashinoshi
2007-12-22, 14:39
It still happens :(
think it started happening after I instaled some of those programs (namely CurrPorts, Winpatrol, SpywareBlaster 3.5.1, MVPS HOSTS, CCleaner), updated them, turned on theyr protection and cleaned some files with CCleaner (namely cookies, temporary internet files, temporary files, transfer area, memory dump, fragmented files from chkdsk, windows access files) and restarted the computer.
hopefuly I didn't delete something that I wasn't suposed to delete.
Nashinoshi
2007-12-22, 14:42
By the way it seems like on an english computer the error would be:
"Error
A runtime error has occurred.
Do you wish to debug?
Line: 178
Error: Expected an object
[Yes] [No]"
although I'm not 100% sure
Nashinoshi
2007-12-22, 14:48
when I open it in the IE (http://launcher.wow-europe.com/en) it doesn't show up any error so it doesn't seem like it was bad programing from them.
Which program is actually giving the problem ?
Nashinoshi
2007-12-22, 15:52
It's a JavaScript error(you probably know, javascript it's a script programing language for web pages)
By the way if I go to the internet options, advanced and uncheck disable script debugging in internet explorer the script error happens too on http://launcher.wow-europe.com/en
But I tested it on my brother's computer, same conditions(unchecked disable script script debugging in IE) and the script error doesn't happen, I don't get it why it happens.
I can disable the script debugging in IE and Others but then it happens another error if I open the World of Warcraft Launcher(the program that automaticaly opens that web page) wich is:
A script error has occurred in this page
Line: 179
Char:
Nashinoshi
2007-12-22, 15:53
Char: 1
Code: 0
URL: http://launcher.wow-europe.com/en
Do you wish to continue executing scripts in this page?
[Yes] [No]
Sorry I sent the reply too soon by mistake
Nashinoshi
2007-12-22, 16:05
Fixed
I had "127.0.0.1 www.google-analytics.com #[Google Analytics]" on my host file(the host file you pointed me to download), so this page was getting blocked. It seems WoW launcher needs to contact this or whatever for some reason...
a person on the WoW forums had a similar problem and fixed it saying www.google-analytics.com was getting blocked and I imidiatly remember what might be the problem lol
Nashinoshi
2007-12-22, 16:11
Everything is ok now thanks for all the great help:D
And sorry for all the work
You can archive anytime you want :)