View Full Version : Smitfraud-C.coreservices
GOREgasm
2008-01-17, 21:27
Hello, over the years spybot was the solution for a few headaches i had with malware but this time, i seriously need your help guys. After format, i had a stupid idea of using internet explorer without anti-virus and windows updates so I was infected by a couple of trojans. Since then I've updated windows and instaled avast (stoped working and removed it) used Spybot, Ad-aware, Avg Anti-spyware, Bit-defender online scanner, trendmicro housecall, vundofix, smitfraudfix and combofix. I managed to remove everything but one.
Everytime I use Spybot it detects Smitfraud-C.Coreservice, removes it, but after reboot it's detected again. Please help.
I've only posted the HJT logfile, Kapersky is too big for a single post (it scanned my mailbox and detected a lot of infected files on junk folder)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58:09, on 17-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Mozilla Firefox\firefox.exe
D:\appz\anti virus\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.22:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5602 bytes
Hello GOREgasm
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Download: DelDomains (http://mvps.org/winhelp2002/DelDomains.inf) and save it to the desktop.
Close all open windows and your browser
Right Click DelDomains.inf and select > Install
Reboot your computer
Internet Explorer is needed to run this properly.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Now run Kaspersky again and post the log, you can take as many replies as you need to post it all.
Kaspersky Online Virus Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html)
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Post the log along with a New HJT Log into your next reply.
I need to see the Smitfraud log , the Kaspersky log and a new HJT log please
GOREgasm
2008-01-18, 08:39
Hello ken545, thank you very much for your time!
Here are the logs you asked, i'll do multiple posts
SmitFraudFix v2.274
Scan done at 4:05:52,03, 18-01-2008
Run from D:\appz\anti virus\new\SmitfraudFix
OS: Microsoft Windows XP [Versão 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Goregasm
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Goregasm\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Goregasm\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Programas
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix.exe by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Atheros Wireless Network Adapter - Miniport do agendador de pacotes
DNS Server Search Order: 10.0.12.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D562218-B6D1-43C3-91DD-74C8CD4791DA}: DhcpNameServer=10.0.12.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D562218-B6D1-43C3-91DD-74C8CD4791DA}: DhcpNameServer=10.0.12.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8D562218-B6D1-43C3-91DD-74C8CD4791DA}: DhcpNameServer=10.0.12.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.12.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.12.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.12.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
GOREgasm
2008-01-18, 08:49
I just realized that my kapersky log is 134000 characters long! Mainly because i have 100+ entries like this:
C:\Documents and Settings\Goregasm\Application Data\Thunderbird\Profiles\o6nlqudo.default\Mail\mail.ouremcp.org\Inbox/[From divx-horror@linxisp.com][Date Mon, 19 Dec 2005 21:28:44 +0000]/text/[From "techzone@techzonept.com" <techzone@techzonept.com>][Date 24 Dec 2005 15:10:09 +0000]/text/[From "webmaster@pcdiga.net" <webmaster@pcdiga.net>][Date 25 Dec 2005 01:13:59 +0000]/text/[From "Prince Chu" <PrinceChu@0451.com>][Date Thu, 1 Jun 2006 07:36:26 -0060]/text/[From Larsen" <vesvisitmontaionedor@visitmontaione.c ... /[From "A ... /[From Strong" <nodwabsnac@wabs.de>][Date 16 Mar 2007 21:12:50 -0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
As I told you this is from an old mailbox that I still have backed up. If i ignore all the messages of infected mails in thunderbird, i get a logfile like this:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 18, 2008 6:30:12 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/01/2008
Kaspersky Anti-Virus database records: 485083
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 41099
Number of viruses found: 5
Number of infected objects: 196
Number of suspicious objects: 0
Duration of the scan process: 02:18:38
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Goregasm\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\cert8.db Object is locked skipped
C:\Documents and Settings\Goregasm\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\history.dat Object is locked skipped
C:\Documents and Settings\Goregasm\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\key3.db Object is locked skipped
C:\Documents and Settings\Goregasm\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\parent.lock Object is locked skipped
C:\Documents and Settings\Goregasm\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Goregasm\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Goregasm\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Application Data\Mozilla\Firefox\Profiles\19t3cej3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Goregasm\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Goregasm\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Goregasm\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B3F295A4-BE48-4A50-8A4D-03C89EBB4AE7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\wadv09ntt.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
GOREgasm
2008-01-18, 08:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:55, on 18-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Programas\Mozilla Firefox\firefox.exe
D:\appz\anti virus\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.22:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5913 bytes
Good Morning,
No Smitfraud showed up on either log, but your hosts file is corrupted .
Download the HostsXpert 4.2.0.0. - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).
Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
GOREgasm
2008-01-18, 17:16
Hello again.
I did as you've asked and changed the host files but i think the changes i had were made by spybot. Here are the start and finish of the "corrupted" hosts file:
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
(hundreds of hosts)
127.0.0.1 www.antispywareboot.com
# This list is Copyright 2000-2007 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy
Isn't this part of the immunization system of spybot? Anyway, i did what you have asked.
Superantispyware found the core.cashe.dsk file but named it as a different threat. I checked and rebooted but the file is still there. I didn't scanned again to follow your exact instructions but the internet explorer still opens everytime i browse the internet with firefox, the more clicks, the more pop-ups I have. The weird thing is that all pop-ups are blank, i thought it was related to the changes in hosts file, but now it is in the original format and they are still blank.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/18/2008 at 02:54 PM
Application Version : 3.9.1008
Core Rules Database Version : 3382
Trace Rules Database Version: 1376
Scan type : Complete Scan
Total Scan Time : 00:35:47
Memory items scanned : 477
Memory threats detected : 0
Registry items scanned : 3610
Registry threats detected : 0
File items scanned : 26974
File threats detected : 4
Adware.Tracking Cookie
C:\Documents and Settings\Goregasm\Cookies\goregasm@specificclick[2].txt
C:\Documents and Settings\Goregasm\Cookies\goregasm@msnportal.112.2o7[1].txt
C:\Documents and Settings\Goregasm\Cookies\goregasm@atdmt[1].txt
RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:04:03, on 18-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
D:\appz\anti virus\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.22:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Customize Menu - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6128 bytes
GOREgasm
2008-01-18, 17:27
Just to say that now, for the last ten minutes i had 4 new internet explorer windows, and one of them opened publicity, while the other 3 were still blank.
GOREgasm,
While I can appreciate the frustration with having infections on your computer and you running different tools to remove them, what you have done is erased entries and clues to what your infected with. There is an infection out now that if your infected with it, some tools we run can bork your system. I see no evidence of that infection but please do not run any tools unless we instruct you to do so.
Smitfraud fix showed that your hosts file was corrupted, HostSXpert reset it back to normal, this was just a precaution, feel free at anytime to use Spybot Search and Destroys hosts file program to add the bad sites to your hosts files.
RootKit.TnCore/Trace
C:\WINDOWS\system32\drivers\core.cache.dsk
SAS found and removed some bad entries but one was a Rootkit that I doubt it removed as there are other files protecting it from deletion.
What I need you to do is if its still present, drag Combofix to the trash and download a more current copy, run it and post the report please.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
GOREgasm
2008-01-18, 19:12
Thanks for your patience, and don't worry, i will follow your advices by the book. I'll do two posts, one for each log.
Combofix detected it, tryed to delete it, rebooted and it's still there. By the way, the first link you gave me to combofix downloaded an invalid win32 aplication with no icon. The second one worked.
ComboFix 08-01-18.4 - Goregasm 2008-01-18 16:56:30.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.2070.18.174 [GMT 0:00]
Executando de: C:\Documents and Settings\Goregasm\Ambiente de trabalho\ComboFix.exe
* Criado um novo ponto de restauro
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . falha na exclusão
.
((((((((((((((((((((((( Ficheiros criados de 2007-12-18 to 2008-01-18 ))))))))))))))))))))))))))))))))
.
2008-01-18 14:15 . 2008-01-18 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 14:14 . 2008-01-18 14:17 <DIR> d-------- C:\Programas\SUPERAntiSpyware
2008-01-18 14:14 . 2008-01-18 14:14 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\SUPERAntiSpyware.com
2008-01-18 04:11 . 2008-01-18 04:11 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Media Player Classic
2008-01-17 22:23 . 2008-01-17 22:23 <DIR> d-------- C:\WINDOWS\Sun
2008-01-17 22:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 22:21 . 2008-01-17 22:22 <DIR> d-------- C:\Programas\Java
2008-01-17 22:19 . 2008-01-17 22:19 <DIR> d-------- C:\Programas\Ficheiros comuns\Java
2008-01-17 16:36 . 2008-01-18 04:06 722 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 16:35 . 2008-01-17 16:39 <DIR> d-------- C:\Documents and Settings\Goregasm\SmitfraudFix
2008-01-17 16:11 . 2008-01-17 16:11 101 --a------ C:\WINDOWS\wininit.ini
2008-01-16 23:06 . 2008-01-16 23:06 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\AdobeUM
2008-01-16 21:22 . 2008-01-16 21:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 19:14 . 2008-01-18 17:00 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-16 18:28 . 2008-01-18 17:01 1,598,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 18:28 . 2008-01-18 17:01 27,936 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 18:28 . 2008-01-18 16:59 24,524 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-16 18:28 . 2008-01-18 16:59 6,824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-16 18:13 . 2008-01-16 18:13 <DIR> d-------- C:\Programas\Kaspersky Lab
2008-01-16 18:13 . 2008-01-16 18:13 <DIR> d-------- C:\KAV
2008-01-16 18:13 . 2008-01-18 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-16 17:38 . 2008-01-16 17:38 <DIR> d-------- C:\Programas\Usingit
2008-01-16 14:54 . 2008-01-16 14:54 <DIR> d-------- C:\Documents and Settings\Goregasm\Definições locais
2008-01-16 14:48 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 14:39 . 2008-01-16 14:39 <DIR> d-------- C:\VundoFix Backups
2008-01-16 11:59 . 2008-01-16 14:26 <DIR> d-------- C:\Documents and Settings\Administrador\Os meus documentos
2008-01-16 11:59 . 2008-01-15 18:53 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos
2008-01-16 11:59 . 2008-01-15 18:48 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar
2008-01-16 11:59 . 2008-01-15 18:48 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos
2008-01-16 11:59 . 2008-01-16 14:19 <DIR> d-------- C:\Documents and Settings\Administrador\Definições locais
2008-01-16 11:59 . 2008-01-16 14:42 <DIR> d--h----- C:\Documents and Settings\Administrador\Defini‡äes locais
2008-01-16 11:59 . 2008-01-15 18:48 <DIR> d-------- C:\Documents and Settings\Administrador\Ambiente de trabalho
2008-01-16 08:16 . 2008-01-16 08:16 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-01-16 08:16 . 2008-01-16 08:16 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\HouseCall 6.6
2008-01-16 06:13 . 2008-01-16 06:13 <DIR> d-------- C:\Programas\Lavasoft
2008-01-16 06:13 . 2008-01-18 14:14 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-01-16 06:13 . 2008-01-16 06:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 04:23 . 2008-01-16 04:23 <DIR> d-------- C:\Programas\MozBackup
2008-01-16 04:19 . 2008-01-16 05:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-16 03:57 . 2008-01-16 14:54 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais
2008-01-16 03:57 . 2008-01-16 14:54 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais
2008-01-16 03:57 . 2008-01-16 14:54 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais
2008-01-16 03:57 . 2008-01-16 14:54 <DIR> d-------- C:\Documents and Settings\Default User\Definições locais
2008-01-16 02:34 . 2008-01-16 03:05 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\SoftMaker
2008-01-16 02:21 . 2008-01-16 02:22 <DIR> d-------- C:\Programas\WinAce
2008-01-16 02:19 . 2003-03-20 17:24 26,240 --a------ C:\WINDOWS\system32\drivers\wbsd.sys
2008-01-16 01:56 . 2008-01-16 01:56 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\FlashFXP
2008-01-16 01:55 . 2008-01-18 03:43 <DIR> d-------- C:\Programas\FlashFXP
2008-01-16 01:30 . 2008-01-16 01:30 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Grisoft
2008-01-16 01:30 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-16 01:29 . 2008-01-16 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-16 01:26 . 2007-10-10 23:49 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-16 01:26 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-16 01:26 . 2007-07-01 03:36 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-16 01:26 . 2007-10-10 23:49 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-16 01:26 . 2007-10-10 23:49 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-16 01:26 . 2007-10-10 23:49 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-16 01:26 . 2007-10-10 23:49 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-16 01:26 . 2007-10-10 23:49 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-16 01:26 . 2007-10-10 10:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-16 01:25 . 2008-01-16 01:27 <DIR> d-------- C:\WINDOWS\system32\pt-pt
2008-01-16 01:20 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-16 00:21 . 2008-01-16 00:21 1,081,616 --a------ C:\WINDOWS\MSCOMCTL.OCX
2008-01-15 21:28 . 2007-07-09 13:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-15 21:21 . 2008-01-16 07:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-15 21:21 . 2008-01-15 21:21 <DIR> d--hs---- C:\Documents and Settings\Goregasm\UserData
2008-01-15 20:56 . 2008-01-16 02:31 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-15 20:56 . 2008-01-15 20:56 86,016 --a------ C:\WINDOWS\system32\drivers\wadv09ntt.sys
2008-01-15 20:51 . 2008-01-17 22:24 1,414 --a------ C:\WINDOWS\mozver.dat
2008-01-15 20:47 . 2008-01-15 22:07 <DIR> d-------- C:\Documents and Settings\Goregasm\Contacts
2008-01-15 20:45 . 2008-01-15 20:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-15 20:44 . 2008-01-15 20:44 <DIR> d-------- C:\Programas\MSN Messenger
2008-01-15 20:25 . 2008-01-15 20:25 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Thunderbird
2008-01-15 20:23 . 2008-01-18 16:15 <DIR> d-------- C:\Programas\Mozilla Thunderbird
2008-01-15 20:22 . 2008-01-15 20:38 <DIR> d-------- C:\Programas\Winamp
2008-01-15 20:22 . 2008-01-15 20:23 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Winamp
2008-01-15 20:20 . 2008-01-15 20:20 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe
2008-01-15 20:18 . 2008-01-15 20:18 <DIR> d-------- C:\Programas\Google
2008-01-15 20:14 . 2006-03-20 14:37 5,689,344 --a------ C:\Programas\mplayerc.exe
2008-01-15 20:14 . 2003-05-29 08:50 94,208 --a------ C:\Programas\WinDV.exe
2008-01-15 19:54 . 2008-01-15 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-01-15 19:53 . 2008-01-15 19:53 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-15 19:53 . 2008-01-15 19:53 <DIR> d-------- C:\Programas\Siber Systems
2008-01-15 19:52 . 2008-01-15 19:52 <DIR> d-------- C:\Programas\Alwil Software
2008-01-15 19:52 . 2008-01-15 19:52 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Talkback
2008-01-15 19:52 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-15 19:52 . 2003-03-18 19:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-15 19:52 . 2003-02-21 03:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-01-15 19:51 . 2008-01-15 19:51 <DIR> d-------- C:\Programas\K-Lite Codec Pack
2008-01-15 19:51 . 2007-07-25 14:24 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-15 19:51 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-01-15 19:51 . 2008-01-15 19:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-15 19:49 . 2008-01-16 19:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-15 19:42 . 2004-09-14 12:55 88,960 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-01-15 19:42 . 2006-06-14 08:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-15 19:42 . 2006-06-14 08:47 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-01-15 19:41 . 2008-01-16 02:19 <DIR> d--h----- C:\Programas\InstallShield Installation Information
2008-01-15 19:41 . 2008-01-15 19:43 <DIR> d-------- C:\Programas\Ficheiros comuns\InstallShield
2008-01-15 19:41 . 2008-01-15 19:41 <DIR> d-------- C:\Programas\Analog Devices
2008-01-15 19:37 . 2008-01-15 19:37 <DIR> d-------- C:\WINDOWS\Options
.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 18:57 --------- d-----w C:\Programas\microsoft frontpage
2008-01-15 18:56 --------- d-----w C:\Programas\Serviços online
2008-01-15 18:55 --------- d-----w C:\Programas\Ficheiros comuns\MSSoap
2008-01-15 18:48 --------- d-----w C:\Programas\Ficheiros comuns\SpeechEngines
2008-01-15 18:48 --------- d-----w C:\Programas\Ficheiros comuns\ODBC
2007-11-30 09:17 3,818 ----a-w C:\Programas\goregasm-nosound.rdp
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-06-19 07:25 3,836 ----a-w C:\Programas\goregasm.rdp
.
((((((((((((((((((((((((((((( snapshot@2008-01-16_ 3.57.09.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 03:50:36 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 16:55:58 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 03:50:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 16:55:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 03:50:36 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 16:55:58 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 03:50:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 16:55:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 03:50:36 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 16:55:59 2,666,496 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 03:50:36 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 16:55:59 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2007-03-06 03:32:04 216,288 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 03:33:14 388,320 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 18:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2008-01-18 14:15:00 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-18 14:15:00 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-18 14:15:00 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-01-16 06:14:12 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-01-16 06:14:13 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-01-16 06:14:12 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-01-16 06:14:13 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-01-16 19:11:51 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
- 2007-08-13 18:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:30:31 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-07-11 13:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 12:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2008-01-16 18:27:59 194,320 ----a-w C:\WINDOWS\system32\drivers\klif.sys
+ 2007-08-07 12:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2008-01-16 03:03:20 113,376 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-01-18 17:00:23 113,376 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2005-09-23 06:07:24 95,744 ----a-w C:\WINDOWS\system32\HouseCall 6.6\ATL80.dll
+ 2007-09-21 15:29:02 457,728 ----a-w C:\WINDOWS\system32\HouseCall 6.6\Housecall_ActiveX.dll
+ 2005-09-23 08:16:14 1,079,808 ----a-w C:\WINDOWS\system32\HouseCall 6.6\MFC80U.dll
+ 2005-09-23 06:05:58 548,864 ----a-w C:\WINDOWS\system32\HouseCall 6.6\MSVCP80.dll
+ 2005-09-23 06:05:58 626,688 ----a-w C:\WINDOWS\system32\HouseCall 6.6\MSVCR80.dll
+ 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 12:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 15:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 15:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-14 11:32:52 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2006-12-14 08:54:49 15,072 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 03:31:59 15,072 ------w C:\WINDOWS\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-15 19:53 160592]
"MsnMsgr"="C:\Programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"AVP"="C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-04-19 10:03 88209 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ansn]
C:\DOCUME~1\Goregasm\APPLIC~1\SMANTE~1\msdtc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2002-08-28 17:17 28672 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncnexn]
C:\WINDOWS\?ssembly\e?plorer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Programas\Winamp Remote\bin\OrbTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-23 12:41 860160 C:\Programas\Analog Devices\SoundMAX\Smax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 09:11 1388544 C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Programas\Web Buying\v1.8.6\webbuying.exe
R1 wadv09ntt;wadv09ntt;C:\WINDOWS\system32\drivers\wadv09ntt.sys [2008-01-15 20:56]
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS [2003-03-20 17:24]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 17:01:16
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializ veis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusÆo: 2008-01-18 17:04:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 17:03:48
ComboFix2.txt 2008-01-16 14:54:20
ComboFix3.txt 2008-01-16 14:42:23
ComboFix4.txt 2008-01-16 12:39:41
ComboFix5.txt 2008-01-16 04:07:35
.
2008-01-17 05:25:43 --- E O F ---
GOREgasm
2008-01-18, 19:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:11:10, on 18-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\Mozilla Firefox\firefox.exe
D:\appz\anti virus\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.22:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Customize Menu - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6137 bytes
Hi,
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . falha na exclusão
As you can see the Rootkit is still present, :red:this should fix it.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::
File::
C:\WINDOWS\system32\drivers\wadv09ntt.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\mrofinu572.exe
Folder::
C:\VundoFix Backups
C:\Programas\Web Buying
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncnexn]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
GOREgasm
2008-01-18, 23:10
Well, i think that's it. Problem solved :bigthumb:
I can't thank you enuff!
Again, 1 log per post.
ComboFix 08-01-18.4 - Goregasm 2008-01-18 20:54:31.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.2070.18.160 [GMT 0:00]
Executando de: C:\Documents and Settings\Goregasm\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\Goregasm\Ambiente de trabalho\CFScript.txt
* Criado um novo ponto de restauro
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wadv09ntt.sys
.
((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wadv09ntt.sys
.
((((((((((((((((((((((( Ficheiros criados de 2007-12-18 to 2008-01-18 ))))))))))))))))))))))))))))))))
.
2008-01-18 14:15 . 2008-01-18 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 14:14 . 2008-01-18 14:17 <DIR> d-------- C:\Programas\SUPERAntiSpyware
2008-01-18 14:14 . 2008-01-18 14:14 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\SUPERAntiSpyware.com
2008-01-18 04:11 . 2008-01-18 04:11 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Media Player Classic
2008-01-17 22:23 . 2008-01-17 22:23 <DIR> d-------- C:\WINDOWS\Sun
2008-01-17 22:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-17 22:21 . 2008-01-17 22:22 <DIR> d-------- C:\Programas\Java
2008-01-17 22:19 . 2008-01-17 22:19 <DIR> d-------- C:\Programas\Ficheiros comuns\Java
2008-01-17 16:36 . 2008-01-18 04:06 722 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 16:35 . 2008-01-17 16:39 <DIR> d-------- C:\Documents and Settings\Goregasm\SmitfraudFix
2008-01-17 16:11 . 2008-01-17 16:11 101 --a------ C:\WINDOWS\wininit.ini
2008-01-16 23:06 . 2008-01-16 23:06 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\AdobeUM
2008-01-16 21:22 . 2008-01-16 21:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 18:28 . 2008-01-18 20:59 1,637,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-16 18:28 . 2008-01-18 20:59 29,728 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-16 18:28 . 2008-01-18 20:57 25,076 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-16 18:28 . 2008-01-18 20:57 6,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-16 18:13 . 2008-01-16 18:13 <DIR> d-------- C:\Programas\Kaspersky Lab
2008-01-16 18:13 . 2008-01-16 18:13 <DIR> d-------- C:\KAV
2008-01-16 18:13 . 2008-01-18 20:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-16 17:38 . 2008-01-16 17:38 <DIR> d-------- C:\Programas\Usingit
2008-01-16 14:54 . 2008-01-18 17:04 <DIR> d-------- C:\Documents and Settings\Goregasm\Definições locais
2008-01-16 14:48 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 11:59 . 2008-01-16 14:26 <DIR> d-------- C:\Documents and Settings\Administrador\Os meus documentos
2008-01-16 11:59 . 2008-01-15 18:53 <DIR> d--h----- C:\Documents and Settings\Administrador\Modelos
2008-01-16 11:59 . 2008-01-15 18:48 <DIR> dr------- C:\Documents and Settings\Administrador\Menu Iniciar
2008-01-16 11:59 . 2008-01-15 18:48 <DIR> d-------- C:\Documents and Settings\Administrador\Favoritos
2008-01-16 11:59 . 2008-01-18 17:04 <DIR> d-------- C:\Documents and Settings\Administrador\Definições locais
2008-01-16 11:59 . 2008-01-16 14:42 <DIR> d--h----- C:\Documents and Settings\Administrador\Defini‡äes locais
2008-01-16 11:59 . 2008-01-15 18:48 <DIR> d-------- C:\Documents and Settings\Administrador\Ambiente de trabalho
2008-01-16 08:16 . 2008-01-16 08:16 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-01-16 08:16 . 2008-01-16 08:16 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\HouseCall 6.6
2008-01-16 06:13 . 2008-01-16 06:13 <DIR> d-------- C:\Programas\Lavasoft
2008-01-16 06:13 . 2008-01-18 14:14 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-01-16 06:13 . 2008-01-16 06:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 04:23 . 2008-01-16 04:23 <DIR> d-------- C:\Programas\MozBackup
2008-01-16 04:19 . 2008-01-16 05:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-16 03:57 . 2008-01-18 17:04 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais
2008-01-16 03:57 . 2008-01-18 17:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais
2008-01-16 03:57 . 2008-01-18 17:04 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais
2008-01-16 03:57 . 2008-01-18 17:04 <DIR> d-------- C:\Documents and Settings\Default User\Definições locais
2008-01-16 02:34 . 2008-01-16 03:05 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\SoftMaker
2008-01-16 02:21 . 2008-01-16 02:22 <DIR> d-------- C:\Programas\WinAce
2008-01-16 02:19 . 2003-03-20 17:24 26,240 --a------ C:\WINDOWS\system32\drivers\wbsd.sys
2008-01-16 01:56 . 2008-01-16 01:56 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\FlashFXP
2008-01-16 01:55 . 2008-01-18 03:43 <DIR> d-------- C:\Programas\FlashFXP
2008-01-16 01:30 . 2008-01-16 01:30 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Grisoft
2008-01-16 01:30 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-16 01:29 . 2008-01-16 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-16 01:26 . 2007-10-10 23:49 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-16 01:26 . 2007-07-01 03:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-16 01:26 . 2007-07-01 03:36 1,036,288 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-16 01:26 . 2007-10-10 23:49 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-16 01:26 . 2007-10-10 23:49 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-16 01:26 . 2007-10-10 23:49 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-16 01:26 . 2007-10-10 23:49 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-16 01:26 . 2007-10-10 23:49 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-16 01:26 . 2007-10-10 10:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-16 01:25 . 2008-01-16 01:27 <DIR> d-------- C:\WINDOWS\system32\pt-pt
2008-01-16 01:20 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-01-16 00:21 . 2008-01-16 00:21 1,081,616 --a------ C:\WINDOWS\MSCOMCTL.OCX
2008-01-15 21:28 . 2007-07-09 13:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-15 21:21 . 2008-01-16 07:55 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-15 21:21 . 2008-01-15 21:21 <DIR> d--hs---- C:\Documents and Settings\Goregasm\UserData
2008-01-15 20:56 . 2008-01-16 02:31 <DIR> d-------- C:\WINDOWS\system32\edcA01
2008-01-15 20:51 . 2008-01-17 22:24 1,414 --a------ C:\WINDOWS\mozver.dat
2008-01-15 20:47 . 2008-01-15 22:07 <DIR> d-------- C:\Documents and Settings\Goregasm\Contacts
2008-01-15 20:45 . 2008-01-15 20:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-15 20:44 . 2008-01-15 20:44 <DIR> d-------- C:\Programas\MSN Messenger
2008-01-15 20:25 . 2008-01-15 20:25 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Thunderbird
2008-01-15 20:23 . 2008-01-18 17:27 <DIR> d-------- C:\Programas\Mozilla Thunderbird
2008-01-15 20:22 . 2008-01-15 20:38 <DIR> d-------- C:\Programas\Winamp
2008-01-15 20:22 . 2008-01-15 20:23 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Winamp
2008-01-15 20:20 . 2008-01-15 20:20 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe
2008-01-15 20:18 . 2008-01-15 20:18 <DIR> d-------- C:\Programas\Google
2008-01-15 20:14 . 2006-03-20 14:37 5,689,344 --a------ C:\Programas\mplayerc.exe
2008-01-15 20:14 . 2003-05-29 08:50 94,208 --a------ C:\Programas\WinDV.exe
2008-01-15 19:54 . 2008-01-15 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2008-01-15 19:53 . 2008-01-15 19:53 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-01-15 19:53 . 2008-01-15 19:53 <DIR> d-------- C:\Programas\Siber Systems
2008-01-15 19:52 . 2008-01-15 19:52 <DIR> d-------- C:\Programas\Alwil Software
2008-01-15 19:52 . 2008-01-15 19:52 <DIR> d-------- C:\Documents and Settings\Goregasm\Application Data\Talkback
2008-01-15 19:52 . 2003-03-18 20:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-15 19:52 . 2003-03-18 19:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-15 19:52 . 2003-02-21 03:42 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2008-01-15 19:51 . 2008-01-15 19:51 <DIR> d-------- C:\Programas\K-Lite Codec Pack
2008-01-15 19:51 . 2007-07-25 14:24 1,559,040 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-01-15 19:51 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-01-15 19:51 . 2008-01-15 19:51 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-15 19:49 . 2008-01-16 19:51 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-15 19:42 . 2004-09-14 12:55 88,960 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-01-15 19:42 . 2006-06-14 08:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-15 19:42 . 2006-06-14 08:47 6,400 --a--c--- C:\WINDOWS\system32\dllcache\splitter.sys
2008-01-15 19:41 . 2008-01-16 02:19 <DIR> d--h----- C:\Programas\InstallShield Installation Information
2008-01-15 19:41 . 2008-01-15 19:43 <DIR> d-------- C:\Programas\Ficheiros comuns\InstallShield
2008-01-15 19:41 . 2008-01-15 19:41 <DIR> d-------- C:\Programas\Analog Devices
2008-01-15 19:37 . 2008-01-15 19:37 <DIR> d-------- C:\WINDOWS\Options
2008-01-15 19:29 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-15 19:25 . 2008-01-15 19:25 <DIR> d-------- C:\Documents and Settings\LocalService\Menu Iniciar
2008-01-15 19:23 . 2008-01-15 19:23 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 18:57 --------- d-----w C:\Programas\microsoft frontpage
2008-01-15 18:56 --------- d-----w C:\Programas\Serviços online
2008-01-15 18:55 --------- d-----w C:\Programas\Ficheiros comuns\MSSoap
2008-01-15 18:48 --------- d-----w C:\Programas\Ficheiros comuns\SpeechEngines
2008-01-15 18:48 --------- d-----w C:\Programas\Ficheiros comuns\ODBC
2007-11-30 09:17 3,818 ----a-w C:\Programas\goregasm-nosound.rdp
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-06-19 07:25 3,836 ----a-w C:\Programas\goregasm.rdp
.
((((((((((((((((((((((((((((( snapshot_2008-01-18_17.03.22.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 16:55:58 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 20:54:20 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-18 16:55:58 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 20:54:20 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-18 16:55:58 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-18 20:54:21 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-18 16:55:59 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 20:54:21 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-18 16:55:59 2,666,496 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 20:54:21 2,666,496 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-18 16:55:59 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 20:54:21 143,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-01-15 19:53 160592]
"MsnMsgr"="C:\Programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"AVP"="C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-04-19 10:03 88209 C:\WINDOWS\AGRSMMSG.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ansn]
C:\DOCUME~1\Goregasm\APPLIC~1\SMANTE~1\msdtc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2002-08-28 17:17 28672 C:\WINDOWS\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Programas\Winamp Remote\bin\OrbTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-09-23 12:41 860160 C:\Programas\Analog Devices\SoundMAX\Smax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 09:11 1388544 C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS [2003-03-20 17:24]
S1 wadv09ntt;wadv09ntt;C:\WINDOWS\system32\drivers\wadv09ntt.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 20:59:13
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializ veis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusÆo: 2008-01-18 21:02:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 21:01:47
ComboFix2.txt 2008-01-18 17:04:13
ComboFix3.txt 2008-01-16 14:54:20
ComboFix4.txt 2008-01-16 14:42:23
ComboFix5.txt 2008-01-16 12:39:41
.
2008-01-17 05:25:43 --- E O F ---
GOREgasm
2008-01-18, 23:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:16, on 18-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Winamp\winamp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\appz\anti virus\hijackthis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.22:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programas\Winamp\winampa.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Programas\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Customize Menu - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programas\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 6267 bytes
Good Job :bigthumb::bigthumb: Its a pleasure working with someone who can follow directions :bigthumb:
Did you set this proxy server??
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.22.22:3128
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://java.sun.com/javase/downloads/index.jsp) and install the update
Java Runtime Environment (JRE) 6 Update 4 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
GOREgasm
2008-01-19, 17:57
Hey ken, thanks again for your time.
Yes that is the proxy server of a wireless community I'm in, we are 10 users with a single ADSL access, where the biggest link has 3.6 km. :D:
I'm downloading the latest java right now, thanks for pointing that.
The problem is definitely solved, you may close the topic and thank you very much.
Thats great :bigthumb: Glad we could get you back up to snuff.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.
Glad we could help
Safe Surfn
Ken