hldrrr.exe, wintems.exe



Navarre
2008-03-12, 23:13
Hi everyone.

I have had some bad experiences in the past but nothing like this. At least I managed to solve all the others, but with this one I'm out of solutions!

Safe Mode doesn't start.

I've found out that it was hldrrr.exe and wintems.exe just by inspecting the threads that were running.

I am unable to run HijackThis because it says it's not a valid Win32 application. Same goes for Spybot.

I am a bit desperate... and I could use your help!

Thanks in advance!

Navarre
2008-03-13, 00:05
*** Update ***

Since I'm a bit desperate, I searched this forum and found the idea of changing the names of the files and then trying to run them. Using that idea, I managed to run ComboFix.

It deleted all these files (or at least I hope so...)


C:\Documents and Settings\PTMB\Application Data\macromedia\Flash Player\#SharedObjects\8KDKQ9HR\iforex.com
C:\Documents and Settings\PTMB\Application Data\macromedia\Flash Player\#SharedObjects\8KDKQ9HR\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\PTMB\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\PTMB\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Programas\WinBudget
C:\Programas\WinBudget\bin\tempzor
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

Navarre
2008-03-13, 00:14
Just managed to run HijackThis. Here is the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:11, on 2008-03-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Intel\Wireless\Bin\EvtEng.exe
C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\Notebook Hardware Control\nhc.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe
C:\Programas\Creative\Shared Files\CTSched.exe
C:\Programas\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Programas\UltraMon\UltraMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programas\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Skype\Phone\Skype.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programas\VirtuaWin\VirtuaWin.exe
C:\Programas\MagicDisc\MagicDisc.exe
C:\Programas\SpeedFan\speedfan.exe
C:\Programas\VirtuaWin\modules\VWAssigner.exe
C:\Programas\VirtuaWin\modules\WinList.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ist.utl.pt:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programas\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Programas\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GBMPro7Agent] C:\Programas\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programas\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=031608 serial=DR12WRX-7466708-FYP lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHEI~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Programas\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVFX Engine] C:\Programas\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Programas\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programas\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [GBMPro7Agent] C:\Programas\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - Startup: MagicDisc.lnk = C:\Programas\MagicDisc\MagicDisc.exe
O4 - Startup: SpeedFan.lnk = C:\Programas\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: VirtuaWin.lnk = C:\Programas\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IEWatch Professional - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Programas\IEWatch\IEWatch.dll
O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Programas\IEWatch\IEWatch.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156969862718
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programas\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programas\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programas\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 10943 bytes
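A log like the one above is what a forum helper reads by hand. As an added example (not from the thread, and not HijackThis's own code), here is a small Python triage script that parses the "Running processes", O4 and O23 lines and flags entries worth a second look. The sample log is constructed from lines on this page plus one constructed HKCU Run entry for hldrrr.exe, and the known-bad names are the files ComboFix removed in the post above.

```python
"""Triage a HijackThis v2 log: flag Running-processes, O4 and O23 entries
that deserve a second look. Added example; a flag is a review prompt, not a
verdict (CDAC11BA.EXE below is a legitimate Macrovision service that also
lives in system32\\drivers)."""
import re
from dataclasses import dataclass

# Filenames ComboFix deleted in this thread (from the post above).
KNOWN_BAD_NAMES = {"hldrrr.exe", "wintems.exe", "mdelk.exe", "srosa.sys"}
# Directories from which legitimate user-mode autostarts are rare.
SUSPECT_DIRS = (r"c:\windows\system32\drivers", r"c:\documents and settings", r"c:\windows\temp")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

@dataclass
class Finding:
    kind: str    # "process", "O4" or "O23"
    name: str
    path: str
    reason: str

def extract_exe(cmd):
    """Executable path from a command line, quoted or not, with or without
    trailing arguments (paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]

def suspicious_reason(path):
    """Why a path deserves review, or None if nothing stands out."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in KNOWN_BAD_NAMES:
        return "filename matches a file ComboFix removed in this thread"
    for d in SUSPECT_DIRS:
        if low.startswith(d):
            return f"runs from {d}"
    if re.fullmatch(r"\d+\.exe", base):          # the drivers\down\NNNNNN.exe drops
        return "numeric-only filename"
    if "\\" not in low:
        return "bare filename, resolved via PATH"
    return None

def triage_hjt_log(text):
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # a blank line ends the process list
            section = None
            continue
        if line == "Running processes:":
            section = "procs"
            continue
        if section == "procs":
            reason = suspicious_reason(line)
            if reason:
                findings.append(Finding("process", line.rsplit("\\", 1)[-1], line, reason))
            continue
        if m := O4_RE.match(line):
            exe = extract_exe(m["cmd"])
            if reason := suspicious_reason(exe):
                findings.append(Finding("O4", m["name"], exe, reason))
        elif m := O23_RE.match(line):
            exe = extract_exe(m["path"])
            reason = suspicious_reason(exe) or (
                "unknown service owner" if m["owner"] == "Unknown owner" else None)
            if reason:
                findings.append(Finding("O23", m["name"], exe, reason))
    return findings

# Constructed sample: lines taken from the log above plus one constructed
# HKCU Run entry for hldrrr.exe (the thread does not show Bagle's own entry).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\wintems.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\drivers\hldrrr.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programas\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name:30} {f.path}  <- {f.reason}")
```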

Navarre
2008-03-13, 00:19
After reinstalling SpyBot, it is working again.

I'm running a full system scan now.

I'm still worried about safe mode. I'm wondering whether it's working now or not, and whether that malware, or whatever it was, comes back if I try to run safe mode. I have no idea if it hides somewhere and can get back in if I start safe mode...

Navarre
2008-03-13, 01:02
Bad news and good news.

The good news: Spybot still found some traces of Bagle (that's its name, after all), but it managed to fix them (it was only 3 registry keys).

The bad news: when I try to restart in safe mode, it suddenly restarts again while loading. So basically, I can't boot in safe mode.

I'm going to run SpyBot again and see if it finds anything. If it doesn't, and after looking at
http://forums.spybot.info/showthread.php?t=22446&page=2
I'm going to try that AVZ to fix SafeBoot Registry Keys.

Let's hope it works.

Navarre
2008-03-13, 01:16
Not good...

It had found this the first time and I thought it had been fixed.


Win32.Agent.bgy: [SBI $3FF5579E] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-842925246-1563985344-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Pasta de programa (Pasta, nothing done)
C:\WINDOWS\system32\drivers\down\

It's only a folder and a registry key, but if it was unable to remove it the first time, that can't be a good sign:mad:

Ok, so I fix it and apparently it's fixed.

Going to run that AVZ Antiviral toolkit to restore safeboot registry keys. Let's hope it works.

Navarre
2008-03-13, 01:28
Good news (I guess....)

I have Safe Boot Mode again.
I think I got rid of that Bagle dude...

Here's the latest HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:24, on 2008-03-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Intel\Wireless\Bin\EvtEng.exe
C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\Notebook Hardware Control\nhc.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe
C:\Programas\Creative\Shared Files\CTSched.exe
C:\Programas\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programas\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Skype\Phone\Skype.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programas\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programas\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\VirtuaWin\VirtuaWin.exe
C:\Programas\VirtuaWin\modules\VWAssigner.exe
C:\Programas\MagicDisc\MagicDisc.exe
C:\Programas\SpeedFan\speedfan.exe
C:\Programas\VirtuaWin\modules\WinList.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ist.utl.pt:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programas\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Programas\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GBMPro7Agent] C:\Programas\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programas\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=031608 serial=DR12WRX-7466708-FYP lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHEI~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Programas\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVFX Engine] C:\Programas\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Programas\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programas\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [GBMPro7Agent] C:\Programas\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - Startup: MagicDisc.lnk = C:\Programas\MagicDisc\MagicDisc.exe
O4 - Startup: SpeedFan.lnk = C:\Programas\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: VirtuaWin.lnk = C:\Programas\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IEWatch Professional - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Programas\IEWatch\IEWatch.dll
O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Programas\IEWatch\IEWatch.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156969862718
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programas\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programas\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programas\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\S24EvMon.exe

--



Not so good news... Symantec Antivirus is gone (I guess it was corrupted by that Bagle dude).

Other than that, the system seems a bit slower to restart but after that it seems normal. Any comments? Should I run any additional tests?

Thanks.

Navarre
2008-03-13, 14:35
Report: The computer is incredibly slow during startup. After that, it seems rather ok.

Navarre
2008-03-14, 02:07
Update: I installed BitDefender and Comodo.

I still feel that the system is too slow during startup but after that it seems ok.

But I don't feel safe yet... :sad:

Here's the latest HijackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:02, on 2008-03-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Intel\Wireless\Bin\EvtEng.exe
C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\Notebook Hardware Control\nhc.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe
C:\Programas\Creative\Shared Files\CTSched.exe
C:\Programas\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programas\Intel\Wireless\Bin\EOUWiz.exe
C:\Programas\COMODO\Firewall\cfp.exe
C:\Programas\BitDefender\BitDefender 2008\bdagent.exe
C:\Programas\Genie-Soft\GBMPro8\GBMAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Skype\Phone\Skype.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programas\COMODO\Firewall\cmdagent.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Intel\Wireless\Bin\OProtSvc.exe
C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Programas\Ficheiros comuns\BitDefender\BitDefender Update Service\livesrv.exe
C:\Programas\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\VirtuaWin\VirtuaWin.exe
C:\Programas\VirtuaWin\modules\VWAssigner.exe
C:\Programas\VirtuaWin\modules\WinList.exe
C:\Programas\MagicDisc\MagicDisc.exe
C:\Programas\SpeedFan\speedfan.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ist.utl.pt:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programas\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programas\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Programas\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GBMPro7Agent] C:\Programas\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programas\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=031608 serial=DR12WRX-7466708-FYP lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHEI~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programas\Ficheiros comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Programas\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVFX Engine] C:\Programas\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Programas\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Programas\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programas\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programas\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Programas\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Programas\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [GBMPro8Agent] C:\Programas\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [GBMPro7Agent] C:\Programas\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [GBMPro8Agent] C:\Programas\Genie-Soft\GBMPro8\GBMAgent.exe
O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Programas\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: SpeedFan.lnk = C:\Programas\SpeedFan\speedfan.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Programas\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - .DEFAULT Startup: SpeedFan.lnk = C:\Programas\SpeedFan\speedfan.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Programas\MagicDisc\MagicDisc.exe
O4 - Startup: SpeedFan.lnk = C:\Programas\SpeedFan\speedfan.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: VirtuaWin.lnk = C:\Programas\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IEWatch Professional - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Programas\IEWatch\IEWatch.dll
O9 - Extra 'Tools' menuitem: IEWatch - {78E5BB46-9A20-402F-BA66-B5634D177D77} - C:\Programas\IEWatch\IEWatch.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156969862718
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Programas\COMODO\Firewall\cmdagent.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programas\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programas\Ficheiros comuns\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Programas\MATLAB71\webserver\bin\win32\matlabserver.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programas\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programas\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programas\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programas\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Programas\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Programas\Ficheiros comuns\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 11972 bytes
Any ideas?

Thanks,

tashi
2008-03-27, 21:34
Hello.

Because of the volume of posts to your own topic, it would have appeared that you were already being assisted. :eek:

It would be best to start off with no more than two posts (total) in your topic before a helper responds. "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Another sticky topic: NOTE: We do NOT ask Users to run fixes before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)

If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

Best regards. :)