Smitfraud-C, Virtumond, Zlob, MicrosWindowsSecurity



Sigma6
2008-04-28, 06:03
Hello there.

OS - Windows Vista Home Premium 32

Since a few days ago, I've been experiencing some spyware/malware troubles every time I use IE or MFirefox. Lots of windows with random publicity would appear every time I wanted to navigate or do a search. I was using Avast Anti-virus at first, but that wasn't enough for my protection against these buggers.
After some time it wasn't only publicity windows, but also some kind of malfunction of IE and MFirefox. Both began to be slower and would open more windows about "fake" anti-spywares, etc. Besides that, I found that my Task Manager was disabled, and that I didn't have access to it, even being an administrator. (This problem seems already dealt with now.)

Anyway, I was advised to install Ad-Aware, Zone Alarm and Spybot S&D, and so I did. Now I have all 3 of them. I started with Zone Alarm, which found some viruses and spyware, and I soon deleted them. I also activated the ZA firewall instead of using the Vista one.

I don't know if this has helped in any way, because I still have popups appearing from time to time when I use IE or MF. Still, they do not function properly. For instance, I need to uninstall and re-install MF every time I want to use Google or anything else. And even then, I'm only able to use it the first time. If I close the window and re-open it, I will get to Google (my homepage), but no search gets made, nor any other address I try to input. It will just stay "waiting for server" and never go anywhere.

I used Spybot S&D then, and I found lots of infections and I (rightly or not) decided to delete some of them, especially the cookies, which seemed to me the more reliable thing to do. I don't know if it was a good decision or not, but I have popups less often, and those related to "infections and spyware" have disappeared.
With Spybot, I figured out that some of the files in C:\Windows are infected, and "winsystem.exe" got my attention... :/
I'm not sure about choosing the "Fixing and deleting" option in Spybot here. I'm afraid that if I do that, the next time I turn on my computer, I'll get no access to Windows again.
That's when I decided to look for your help.

Right now, I have my Avast Anti-Virus and ZA firewall activated. I'm also using a router, which, as far as I've seen, appears to be blocking lots of intruders as well.

It's my first time here, so I apologise for the inconvenience of such a huge "testimonial". But I think I was able to explain all my symptoms.

I'll probably use another post to input the Spybot log file from the scan.

Thanks for any help...

Sigma6
2008-04-28, 06:23
--- Search result list ---
Smitfraud-C.: [SBI $C4E34F71] Configurações (Valor do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656A137-B161-CADD-9777-E37A75727E78}
Smitfraud-C.: [SBI $02A38733] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\HOL5_VXIEWER.FULL.1
Smitfraud-C.: [SBI $C94F51E0] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Classes\applications\accessdiver.exe
Smitfraud-C.: [SBI $684E1A57] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Classes\clsid\{9dd4258a-7138-49c4-8d34-587879a5c7a4}
Smitfraud-C.: [SBI $D3703D52] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Classes\clsid\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}
Smitfraud-C.: [SBI $58C1CACE] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\dpcproxy
Smitfraud-C.: [SBI $B2D82C44] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\fwbd
Smitfraud-C.: [SBI $29CFC69E] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\HolLol
Smitfraud-C.: [SBI $96F55F4B] Browser helper object (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000DA-0786-4633-87C6-1AA7A4429EF1}
Smitfraud-C.: [SBI $44F49678] Browser helper object (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4}
Smitfraud-C.: [SBI $692F5DEE] Browser helper object (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8C0220D-763D-49A4-95F4-61DFDEC66EE6}
Smitfraud-C.: [SBI $FFCAB17D] Browser helper object (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}
Smitfraud-C.: [SBI $CCDE5412] Biblioteca de tipos (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\TYPELIB\{D7987436-78BF-4A81-915F-4879287D2234}
Smitfraud-C.: [SBI $E37A1ACF] Biblioteca de tipos (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\TYPELIB\{daef1007-f409-426a-9e7c-cb211f2a9786}
Smitfraud-C.: [SBI $1A6F031A] Configurações (Chave do registo, nothing done)
HKEY_CLASSES_ROOT\applications\accessdiver.exe
Smitfraud-C.: [SBI $67690408] Class ID (Chave do registo, nothing done)
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4}
Smitfraud-C.: [SBI $DC57230D] Class ID (Chave do registo, nothing done)
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}
Smitfraud-C.: [SBI $DE1B371D] Dados (Arquivo, nothing done)
C:\Windows\a.bat
Smitfraud-C.: [SBI $DD155EC0] Arquivo temporário (Arquivo, nothing done)
C:\Windows\base64.tmp
Smitfraud-C.: [SBI $A6F3123A] Dados (Arquivo, nothing done)
C:\Windows\bdn.com
Smitfraud-C.: [SBI $B3D71CFF] Executável (Arquivo, nothing done)
C:\Windows\FVProtect.exe
Smitfraud-C.: [SBI $7AEEEBF5] Executável (Arquivo, nothing done)
C:\Windows\mssecu.exe
Smitfraud-C.: [SBI $21283948] Biblioteca (Arquivo, nothing done)
C:\Windows\userconfig9x.dll
Smitfraud-C.: [SBI $16AA73B7] Executável (Arquivo, nothing done)
C:\Windows\winsystem.exe
Smitfraud-C.: [SBI $A5DC8075] Arquivo temporário (Arquivo, nothing done)
C:\Windows\zip1.tmp
Smitfraud-C.: [SBI $9CA42D35] Arquivo temporário (Arquivo, nothing done)
C:\Windows\zip2.tmp
Smitfraud-C.: [SBI $8B8C49F5] Arquivo temporário (Arquivo, nothing done)
C:\Windows\zip3.tmp
Smitfraud-C.: [SBI $A78BF372] Arquivo temporário (Arquivo, nothing done)
C:\Windows\zipped.tmp
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Configurações (Modificação no registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

Virtumonde: [SBI $3BE84E58] Configurações (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\mwc
Virtumonde: [SBI $42352499] Configurações do utilizador (Chave do registo, nothing done)
HKEY_USERS\S-1-5-21-4164501370-1194186186-1006044781-1000\Software\Microsoft\rdfa
Zlob.Downloader.vcd: [SBI $D8DF6192] Configurações (Chave do registo, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin
Zlob.Downloader.vcd: [SBI $3A7819FB] Configurações de desinstalação (Chave do registo, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-04-27 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-04-16 Includes\Adware.sbi (*)
2008-04-24 Includes\AdwareC.sbi (*)
2008-04-24 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-04-24 Includes\DialerC.sbi (*)
2008-04-24 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-04-24 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-04-24 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-04-22 Includes\Malware.sbi (*)
2008-04-24 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-04-24 Includes\PUPSC.sbi (*)
2008-04-24 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-24 Includes\SecurityC.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-04-24 Includes\SpybotsC.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-04-24 Includes\SpywareC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-04-24 Includes\Trojans.sbi (*)
2008-04-24 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows Vista (Build: 6000) (6.0.6000)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB929729)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB941833)


--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 79224
MD5: E1E4780C87DACC69BE77DA4A1B3EC692

Located: HK_LM:Run, c4eff711
command: rundll32.exe "C:\Users\HUGOBA~1\AppData\Local\Temp\plwnhfwh.dll",b
file: C:\Users\HUGOBA~1\AppData\Local\Temp\plwnhfwh.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, HP Software Update
command: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
file: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 49152
MD5: B93C4070F24E46B0097648C276B5039E

Located: HK_LM:Run, NBKeyScan
command: "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
file: C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
size: 2221352
MD5: C7420E7B290E371967F59026E6B014CE

Located: HK_LM:Run, NeroCheck
command: C:\Windows\system32\NeroCheck.exe
file: C:\Windows\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7

Located: HK_LM:Run, VMware hqtray
command: "C:\Program Files\VMware\VMware Player\hqtray.exe"
file: C:\Program Files\VMware\VMware Player\hqtray.exe
size: 55856
MD5: FC0EDD78054CEA904615B1EC66F0987C

Located: HK_LM:Run, WinampAgent
command: C:\Program Files\Winamp\wianmpa.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, Windows Defender
command: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
file: C:\Program Files\Windows Defender\MSASCui.exe
size: 1006264
MD5: 9AD9E2FB2811123DA13DE84CC154AB77

Located: HK_CU:Run, 01Mess
where: PE_C_PEDRO BAPTISTA...
command: "C:\ProgramData\SixthCampCamp.qw69d"
file: C:\ProgramData\SixthCampCamp.qw69d
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Amok web bash obj
where: PE_C_PEDRO BAPTISTA...
command: "C:\ProgramData\Nurb License Soft.hzgkzsg"
file: C:\ProgramData\Nurb License Soft.hzgkzsg
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ehTray.exe
where: PE_C_PEDRO BAPTISTA...
command: C:\Windows\ehome\ehTray.exe
file: C:\Windows\ehome\ehTray.exe
size: 125440
MD5: 2E0953919779A44BF9DFB7B07C58535A

Located: HK_CU:Run, msnmsgr
where: PE_C_PEDRO BAPTISTA...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: 359D9CA4A9E7A4787CA6BC77644A5CCD

Located: HK_CU:Run, Sidebar
where: PE_C_PEDRO BAPTISTA...
command: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
file: C:\Program Files\Windows Sidebar\sidebar.exe
size: 1232896
MD5: 582F3A0BA61D8F0D50C66B592808B6D6

Located: HK_CU:Run, WMPNSCFG
where: PE_C_PEDRO BAPTISTA...
command: C:\Program Files\Windows Media Player\WMPNSCFG.exe
file: C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 201728
MD5: 20EF9002CFF89C4C1077E4415EC7297B

Located: HK_CU:Run, Sidebar
where: S-1-5-19...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
file: C:\Program Files\Windows Sidebar\Sidebar.exe
size: 1232896
MD5: 582F3A0BA61D8F0D50C66B592808B6D6

Located: HK_CU:Run, WindowsWelcomeCenter
where: S-1-5-19...
command: rundll32.exe oobefldr.dll,ShowWelcomeCenter
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Sidebar
where: S-1-5-20...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem
file: C:\Program Files\Windows Sidebar\Sidebar.exe
size: 1232896
MD5: 582F3A0BA61D8F0D50C66B592808B6D6

Located: HK_CU:Run, WindowsWelcomeCenter
where: S-1-5-20...
command: rundll32.exe oobefldr.dll,ShowWelcomeCenter
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, 01Mess
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: "C:\ProgramData\SixthCampCamp.qw69d"
file: C:\ProgramData\SixthCampCamp.qw69d
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Amok web bash obj
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: "C:\ProgramData\Nurb License Soft.hzgkzsg"
file: C:\ProgramData\Nurb License Soft.hzgkzsg
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, BMc7dcc48d
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: Rundll32.exe "C:\Users\HUGOBA~1\AppData\Local\Temp\kpbcnbmp.dll",s
file: C:\Users\HUGOBA~1\AppData\Local\Temp\kpbcnbmp.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, cmds
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: rundll32.exe C:\Users\HUGOBA~1\AppData\Local\Temp\wvUlifGX.dll,c
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ehTray.exe
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: C:\Windows\ehome\ehTray.exe
file: C:\Windows\ehome\ehTray.exe
size: 125440
MD5: 2E0953919779A44BF9DFB7B07C58535A

Located: HK_CU:Run, gwrdoluk
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: C:\Windows\system32\zqvmpmby.exe
file: C:\Windows\system32\zqvmpmby.exe
size: 102400
MD5: 59995DB891CDF6A5ED5328EC78953B69

Located: HK_CU:Run, IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
file: C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
size: 1828136
MD5: E4EFC2CDC71E0698CB81A4D60C3FADFF

Located: HK_CU:Run, msnmsgr
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: 359D9CA4A9E7A4787CA6BC77644A5CCD

Located: HK_CU:Run, MSServer
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: rundll32.exe C:\Users\HUGOBA~1\AppData\Local\Temp\hgGwWPHB.dll,#1
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Sidebar
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
file: C:\Program Files\Windows Sidebar\sidebar.exe
size: 1232896
MD5: 582F3A0BA61D8F0D50C66B592808B6D6

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F

Located: HK_CU:Run, WMPNSCFG
where: S-1-5-21-4164501370-1194186186-1006044781-1000...
command: C:\Program Files\Windows Media Player\WMPNSCFG.exe
file: C:\Program Files\Windows Media Player\WMPNSCFG.exe
size: 201728
MD5: 20EF9002CFF89C4C1077E4415EC7297B

Located: Arranque (comum), AutoCAD Startup Accelerator.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
file: C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
size: 11000
MD5: AD61C37E1D1E56FAFC5FF7E3CB2D3EFA

Located: Arranque (comum), HP Digital Imaging Monitor.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
file: C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
size: 210520
MD5: 1BA45CDEF852381DA4A95D056DDB4B48

Located: Arranque (utilizador), Adobe Gamma.lnk
where: C:\Users\Hugo Baptista\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: C2FF17734176CD15221C10044EF0BA1A

Located: Arranque (utilizador), Registration Assassin's Creed.LNK
where: C:\Users\Hugo Baptista\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
file: C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
size: 967304
MD5: 3C8E3EFE9435FC65C8B4E6EA4EB13890



--- Browser helper object list ---
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Skype add-on (mastermind)
CLSID name: Skype add-on (mastermind)
Path: C:\Program Files\Skype\Toolbars\Internet Explorer\
Long name: SkypeIEPlugin.dll
Short name: SKYPEI~1.DLL
Date (created): 01-02-2008 17:22:12
Date (last access): 06-04-2008 22:06:50
Date (last write): 01-02-2008 17:22:12
Filesize: 1377576
Attributes: archive
MD5: 23CD1A674E74AA4C1DAE8431E101580B
CRC32: 10D55EA0
Version: 2.2.0.147

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 14-03-2008 12:34:08
Date (last access): 22-02-2008 03:33:32
Date (last write): 22-02-2008 05:25:20
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13

{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Auxiliar de Conexão do Windows Live)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Auxiliar de Conexão do Windows Live
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 20-09-2007 11:30:18
Date (last access): 17-03-2008 14:52:08
Date (last write): 20-09-2007 11:30:18
Filesize: 328752
Attributes: archive
MD5: 59CF5BF6684AFCF906CADAD39B4214DE
CRC32: C363813C
Version: 4.200.520.1



--- ActiveX list ---
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 22-02-2008 03:33:32
Date (last access): 22-02-2008 03:33:32
Date (last write): 22-02-2008 05:25:20
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
Path: C:\Windows\Downloaded Program Files\
Long name: MessengerStatsPAClient.dll
Short name: MESSEN~1.DLL
Date (created): 22-02-2007 23:41:12
Date (last access): 22-02-2007 23:41:12
Date (last write): 22-02-2007 23:41:12
Filesize: 304544
Attributes: archive
MD5: 8945CCA5FC4F25168E8B6F401EFAF51F
CRC32: 0F12FD23
Version: 9.5.6907.1

{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 14-03-2008 12:34:08
Date (last access): 22-02-2008 03:33:32
Date (last write): 22-02-2008 05:25:20
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13

{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 14-03-2008 12:34:08
Date (last access): 22-02-2008 03:33:32
Date (last write): 22-02-2008 05:25:20
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: ssv.dll
Short name:
Date (created): 14-03-2008 12:34:08
Date (last access): 22-02-2008 03:33:32
Date (last write): 22-02-2008 05:25:20
Filesize: 509328
Attributes: archive
MD5: 5B42CB6A121256465B251840FDB1B2FE
CRC32: 6EF0BCE9
Version: 6.0.50.13

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_05
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_05\bin\
Long name: npjpi160_05.dll
Short name: NPJPI1~1.DLL
Date (created): 22-02-2008 03:33:32
Date (last access): 22-02-2008 03:33:32
Date (last write): 22-02-2008 05:25:20
Filesize: 132496
Attributes: archive
MD5: 4FDFB86D78994BD71CBB779A7809E9CD
CRC32: 5A0EB880
Version: 6.0.50.13

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\Windows\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\Windows\system32\Macromed\Flash\
Long name: Flash9d.ocx
Short name:
Date (created): 11-06-2007 13:04:32
Date (last access): 11-06-2007 13:04:32
Date (last write): 11-06-2007 13:04:32
Filesize: 2267368
Attributes: readonly archive
MD5: B01E2A41389FBA42B7B5A026EA88C9B7
CRC32: 8980B6EC
Version: 9.0.47.0



--- Process list ---
PID: 3016 (1072) C:\Windows\system32\Dwm.exe
size: 83456
MD5: E87B968F3D49117445893EB0503FE34F
PID: 3052 (1092) C:\Windows\system32\taskeng.exe
size: 166400
MD5: 1226E9FAE5B8508801EC974E3C9D9C14
PID: 3228 (3068) C:\Program Files\Windows Defender\MSASCui.exe
size: 1006264
MD5: 9AD9E2FB2811123DA13DE84CC154AB77
PID: 3240 (3068) C:\Program Files\Alwil Software\Avast4\ashDisp.exe
size: 79224
MD5: E1E4780C87DACC69BE77DA4A1B3EC692
PID: 3388 (3068) C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
size: 144784
MD5: 836DC47E6CAD975304D1D3EB2F516A1C
PID: 3488 (3068) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 185896
MD5: 89D583FC41D48328128A974C25AFAEB7
PID: 3612 (3068) C:\Windows\ehome\ehtray.exe
size: 125440
MD5: 2E0953919779A44BF9DFB7B07C58535A
PID: 3748 (3068) C:\Windows\System32\rundll32.exe
size: 44544
MD5: 4B555106290BD117334E9A08761C035A
PID: 3800 (3068) C:\Program Files\Windows Media Player\wmpnscfg.exe
size: 201728
MD5: 20EF9002CFF89C4C1077E4415EC7297B
PID: 2872 ( 800) C:\Windows\ehome\ehmsas.exe
size: 37376
MD5: 693E4C15CEE5D6487D7913A2701B5E40
PID: 5980 (4880) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
PID: 5420 (3280) C:\Windows\system32\conime.exe
size: 68608
MD5: 05CB3DA78A4BBD9B799A5957F9D101CC
PID: 4784 ( 800) C:\Windows\System32\mobsync.exe
size: 95232
MD5: 9C632DC0F1B6D79B05F46A4A5349CEF4
PID: 3336 (4532) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 9437CA21CD48C9B6BFD6F5AC0143D251
PID: 5676 (5520) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 9437CA21CD48C9B6BFD6F5AC0143D251
PID: 4872 (2468) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7660656
MD5: B366BB8334CDCFB5C2A58DCF5121B6BC
PID: 5508 (3068) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 5160 (3068) C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: 359D9CA4A9E7A4787CA6BC77644A5CCD
PID: 1304 ( 692) C:\Windows\explorer.exe
size: 2923520
MD5: 6D06CD98D954FE87FB2DB8108793B399
PID: 1752 (3340) C:\Program Files\Internet Explorer\ieuser.exe
size: 301568
MD5: C7E9042E06D75A70DEA2AA86C39907CB
PID: 5652 ( 800) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
size: 118336
MD5: 7FA0AA2F3DABA5BEB2C4AC1EEC054EFA
PID: 2824 ( 800) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 9437CA21CD48C9B6BFD6F5AC0143D251
PID: 0 ( 0) [System Process]
PID: 4 ( 0) System
PID: 420 ( 4) smss.exe
size: 62976
PID: 504 ( 492) csrss.exe
size: 7680
PID: 552 ( 492) wininit.exe
size: 95744
PID: 564 ( 544) csrss.exe
size: 7680
PID: 596 ( 552) services.exe
size: 279552
PID: 608 ( 552) lsass.exe
size: 7680
PID: 616 ( 552) lsm.exe
size: 210944
PID: 692 ( 544) winlogon.exe
size: 308224
PID: 800 ( 596) svchost.exe
size: 22016
PID: 868 ( 596) svchost.exe
size: 22016
PID: 912 ( 596) svchost.exe
size: 22016
PID: 992 ( 596) svchost.exe
size: 22016
PID: 1072 ( 596) svchost.exe
size: 22016
PID: 1092 ( 596) svchost.exe
size: 22016
PID: 1160 ( 992) audiodg.exe
size: 88064
PID: 1192 ( 596) SLsvc.exe
size: 2605568
PID: 1236 ( 596) svchost.exe
size: 22016
PID: 1380 ( 596) svchost.exe
size: 22016
PID: 1504 ( 596) aawservice.exe
PID: 1516 ( 596) aswUpdSv.exe
PID: 1544 ( 596) ashServ.exe
PID: 1856 ( 596) spoolsv.exe
size: 124928
PID: 1880 ( 596) svchost.exe
size: 22016
PID: 1316 ( 596) guard.exe
PID: 1428 ( 596) svchost.exe
size: 22016
PID: 308 ( 596) NBService.exe
PID: 1084 ( 596) svchost.exe
size: 22016
PID: 2060 ( 596) IoctlSvc.exe
size: 81920
PID: 2072 ( 596) svchost.exe
size: 22016
PID: 2088 ( 596) svchost.exe
size: 22016
PID: 2116 ( 596) StarWindServiceAE.exe
PID: 2140 ( 596) svchost.exe
size: 22016
PID: 2188 ( 596) vmount2.exe
PID: 2244 ( 596) vmnat.exe
size: 150064
PID: 2272 ( 596) svchost.exe
size: 22016
PID: 2308 ( 596) SearchIndexer.exe
size: 287744
PID: 2372 ( 596) vmware-authd.exe
PID: 2448 (1072) WUDFHost.exe
size: 143360
PID: 2500 ( 596) vmnetdhcp.exe
size: 121392
PID: 2584 ( 596) ashMaiSv.exe
PID: 2600 ( 596) ashWebSv.exe
PID: 2760 (1092) taskeng.exe
size: 166400
PID: 2132 ( 596) NMIndexingService.exe
PID: 3356 ( 596) wmpnetwk.exe
PID: 3324 ( 596) usnsvc.exe
PID: 2844 ( 596) SDWinSec.exe
size: 810320
MD5: A0C00A6265949AC72AB51B711743CA6D

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 28-04-2008 03:49:06

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\Windows\system32\blank.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.tele2.pt/redirect/startpage/adsl/por

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896

Sigma6
2008-04-29, 16:03
After reading some of the posts here, I decided to install SmitfraudFix and HijackThis just to see how it goes with the scan. However, I'm not able to understand the diagnosis from these logs.
I would be thankful for any help.


Scan done at 13:33:12,16, 29-04-2008
Run from C:\Users\Hugo Baptista\Desktop\SmitfraudFix
OS: Microsoft Windows [Versão 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Windows\system32\vmnat.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\ProgramData\linktqri\fsvsjszq.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\zqvmpmby.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows

C:\Windows\olgdqarf.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Hugo Baptista


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\Hugo Baptista\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\HUGOBA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

[!] Suspicious: dpevflbg.dll
Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977}
TypeLib: {DC33216E-1322-437E-9D55-2DD312F190C2}
Interface: {0263D762-B6E5-4DCF-91A5-E1283D25E850}
Classe: dpevflbg.bgdq
Classe: dpevflbg.ToolBar.1

[!] Suspicious: vadokmxt.dll
SSODL: vadokmxt - {CD7B3CBC-8FFB-4975-9BF2-D6D15930C5D4}


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E7E83B99-2E07-41B1-92B4-0B89315C481F}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E7E83B99-2E07-41B1-92B4-0B89315C481F}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E7E83B99-2E07-41B1-92B4-0B89315C481F}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37:16, on 29-04-2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\ProgramData\linktqri\fsvsjszq.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\zqvmpmby.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tele2.pt/redirect/startpage/adsl/por
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - C:\Windows\dpevflbg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [c4eff711] rundll32.exe "C:\Users\HUGOBA~1\AppData\Local\Temp\plwnhfwh.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\HUGOBA~1\AppData\Local\Temp\hgGwWPHB.dll,#1
O4 - HKCU\..\Run: [gwrdoluk] C:\Windows\system32\zqvmpmby.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\HUGOBA~1\AppData\Local\Temp\wvUlifGX.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BMc7dcc48d] Rundll32.exe "C:\Users\HUGOBA~1\AppData\Local\Temp\kpbcnbmp.dll",s
O4 - HKCU\..\Run: [01Mess] "C:\ProgramData\SixthCampCamp.qw69d"
O4 - HKCU\..\Run: [Amok web bash obj] "C:\ProgramData\Nurb License Soft.hzgkzsg"
O4 - HKLM\..\Policies\Explorer\Run: [mb74iExu1e] C:\ProgramData\linktqri\fsvsjszq.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Serviço de rede')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Registration Assassin's Creed.LNK = C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: vadokmxt - {CD7B3CBC-8FFB-4975-9BF2-D6D15930C5D4} - C:\Windows\vadokmxt.dll
O21 - SSODL: wdpoefan - {F4D2BF12-B3C8-475F-AED5-70BB8F9E9B90} - C:\Windows\wdpoefan.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 10347 bytes
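As an added example (not part of the thread, nor code from SmitfraudFix or HijackThis), here is a small triage pass over HijackThis-style lines that flags the same indicators a helper would pick out of the log above: a rundll32 autorun loading a DLL from a user's Temp folder, SSODL and toolbar modules dropped directly into C:\Windows, an autorun under ProgramData, and eight-letter randomised names. The sample lines are constructed from entries in the posted log; the heuristics are assumptions tuned to this log, not a general-purpose detector.

```python
import re
from typing import List, NamedTuple

# Constructed sample: eight HijackThis lines in the same shape as the log posted
# above (two benign entries, six that a triage pass should flag).
SAMPLE_LOG = r"""
O3 - Toolbar: dpevflbg - {B21EAD36-EC0C-4B82-B102-1AB20B481977} - C:\Windows\dpevflbg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [c4eff711] rundll32.exe "C:\Users\HUGOBA~1\AppData\Local\Temp\plwnhfwh.dll",b
O4 - HKCU\..\Run: [gwrdoluk] C:\Windows\system32\zqvmpmby.exe
O4 - HKLM\..\Policies\Explorer\Run: [mb74iExu1e] C:\ProgramData\linktqri\fsvsjszq.exe
O21 - SSODL: vadokmxt - {CD7B3CBC-8FFB-4975-9BF2-D6D15930C5D4} - C:\Windows\vadokmxt.dll
O21 - SSODL: wdpoefan - {F4D2BF12-B3C8-475F-AED5-70BB8F9E9B90} - C:\Windows\wdpoefan.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# section = HijackThis tag (O4...), name = Run value / toolbar / SSODL name,
# path = module the entry loads, reasons = which heuristics objected.
Finding = NamedTuple("Finding", [("section", str), ("name", str), ("path", str), ("reasons", List[str])])

# First drive- or %VAR%-rooted path ending in .exe/.dll. Non-greedy, so on a
# rundll32 line it returns the DLL argument rather than rundll32.exe itself.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%[A-Za-z]+%)\\.*?\.(?:exe|dll))', re.IGNORECASE)
# Entry name: the [bracketed] Run value for O4, otherwise the token before " - ".
NAME_RE = re.compile(r'\[([^\]]+)\]|^O\d+ - \w+: (.+?) - ')
RANDOM_STEM = re.compile(r'^[a-z]{8}$')       # eight lowercase letters, as in this log
RANDOM_NAME = re.compile(r'^[a-z0-9]{8}$')    # e.g. gwrdoluk, c4eff711

def parse_line(line: str):
    """Return (section, name, path) for one HijackThis entry, else None."""
    sec, path, name = re.match(r'^(O\d+) - ', line), PATH_RE.search(line), NAME_RE.search(line)
    if not (sec and path and name):
        return None
    return sec.group(1), name.group(1) or name.group(2), path.group(1)

def suspicious_reasons(name: str, path: str, line: str) -> List[str]:
    """Heuristics tuned to the indicators in the log above; noisy by design."""
    folder, _, filename = path.rpartition("\\")
    stem, low = filename.rsplit(".", 1)[0], path.lower()
    reasons = []
    if "rundll32" in line.lower() and "\\temp\\" in low:
        reasons.append("rundll32 loads a DLL from a Temp directory")
    if "(file missing)" in line:
        reasons.append("registered module is no longer on disk")
    if folder.lower() == "c:\\windows" or low.startswith("c:\\programdata\\"):
        reasons.append("module sits in the Windows root or ProgramData, not a program folder")
    if RANDOM_STEM.match(stem) and RANDOM_NAME.match(name):
        reasons.append("randomised eight-character file and entry names")
    return reasons

def triage(log_text: str) -> List[Finding]:
    """Return only the entries at least one heuristic objects to."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed:
            section, name, path = parsed
            reasons = suspicious_reasons(name, path, raw)
            if reasons:
                findings.append(Finding(section, name, path, reasons))
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the eight lines and leaves the Windows Defender and avast! entries alone; on the full log it would also leave the Temp-DLL entries `MSServer`, `cmds` and `BMc7dcc48d` to the rundll32 rule.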

Blade81
2008-04-29, 23:04
Hi

Disable Spybot's TeaTimer:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.


1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Blade81
2008-05-06, 18:58
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.