Need Advice please : Trojan.Vundo



sopoku
2008-06-13, 15:11
Hi All,

Last month my PC was infected with Virtumonde, but thanks to the help of Rorschach112 I was able to fix it.
Following his advice I installed Malwarebytes, and today when I ran the program it found a file infected with Vundo.
Here is the log:

Malwarebytes' Anti-Malware 1.17
Database version: 851

10:51:12 13-06-2008
mbam-log-6-13-2008 (10-51-12).txt

Scan type: Full Scan (C:\|D:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|O:\|)
Objects scanned: 160385
Time elapsed: 1 hour(s), 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Then it asked me to restart, which I did, and after the restart I ran it again and nothing was found. After that I also ran HJT.
Here are the logs:

Malwarebytes' Anti-Malware 1.17
Database version: 851

12:44:32 13-06-2008
mbam-log-6-13-2008 (12-44-32).txt

Scan type: Full Scan (C:\|D:\|H:\|I:\|J:\|K:\|L:\|M:\|N:\|O:\|)
Objects scanned: 159839
Time elapsed: 58 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:51, on 13-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Symantec AntiVirus\DefWatch.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Symantec AntiVirus\Rtvscan.exe
C:\Programas\Java\jre1.6.0_06\bin\jusched.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\AveDesk\AveDesk.exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\Programas\uTorrent\uTorrent.exe
C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\spider.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clix.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Programas\AveDesk\AveDesk.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Programas\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ATI Tray Tools.lnk = C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196441605638
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programas\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8964 bytes


My question is: am I safe for now, or do I need to do something more?

Thanks
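The HijackThis log above is what a helper reads by eye to decide whether anything Vundo-related is still registered: a real Vundo hit looks like the three BHO lines that DSS later lists in this thread under "HijackThis Fixed Entries" (no display name, an eight-letter mixed-case DLL in system32, file missing), plus the Internet Explorer Restrictions policy and the Policies\Explorer\Run autorun from the same section. The script below is an added example, not part of this thread and not code from HijackThis, DSS or Malwarebytes. It scores such lines with a few heuristics; the random-name test is an assumption of mine, not a documented Vundo signature, and the sample input is made of lines copied from the logs in this thread plus the Spybot BHO line, which is also an eight-letter DLL and shows why the name test alone would be a false positive.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log and the DSS "Fixed Entries"
# section posted in this thread (raw strings, so backslashes are literal).
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"backup-20080513-144038-594 O2 - BHO: (no name) - {A0EAE3D0-8B40-4CDA-A2B9-2CFE6E41712D} - C:\WINDOWS\system32\qoMdCTJc.dll (file missing)",
    r"backup-20080513-144038-597 O2 - BHO: (no name) - {FC4A36C9-D7DC-4E7D-82AF-68A62BC04356} - C:\WINDOWS\system32\cbXQhGAT.dll (file missing)",
    r"backup-20080513-144038-806 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"backup-20080513-144038-879 O2 - BHO: (no name) - {AE6F8D85-21E5-47EF-AA9B-C434E188DEB9} - C:\WINDOWS\system32\efcdEVpp.dll (file missing)",
    r"backup-20080513-144038-992 O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"',
]

# A HijackThis entry, optionally prefixed by the DSS "backup-<date>-<time>-<n>" tag.
ENTRY_RE = re.compile(r"^(?:backup-\d{8}-\d{6}-\d+\s+)?(O\d+|R\d|F\d)\s+-\s+(.*)$")
EIGHT_LETTERS_RE = re.compile(r"^[A-Za-z]{8}$")


@dataclass
class Finding:
    line: str
    score: int
    reasons: list


def looks_random_dll(path: str) -> bool:
    """Heuristic (my assumption, not a published signature): Vundo-era BHOs were
    eight-letter DLLs with case switching inside the name, e.g. qoMdCTJc.dll.
    Requiring at least two upper/lower switches keeps ordinary names such as
    SDHelper.dll (one switch) out."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if not name.lower().endswith(".dll"):
        return False
    stem = name[:-4]
    if not EIGHT_LETTERS_RE.match(stem):
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches >= 2


def assess(line: str):
    """Score one log line; returns None for lines that are not HijackThis entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    score, reasons = 0, []
    if section == "O2":
        if "(no name)" in body:
            score += 2
            reasons.append("BHO registered without a display name")
        if "(file missing)" in body:
            score += 1
            reasons.append("BHO DLL no longer on disk (orphaned CLSID)")
        # The path is the last " - " separated field; drop the trailing marker.
        path = body.split(" - ")[-1].replace("(file missing)", "").strip()
        if looks_random_dll(path):
            score += 1
            reasons.append("eight-letter mixed-case DLL name (Vundo-style)")
    elif section == "O4":
        if re.search(r"\\Policies\\Explorer\\Run", body, re.IGNORECASE):
            score += 3
            reasons.append("autorun via the Policies\\Explorer\\Run key")
    elif section == "O6":
        score += 2
        reasons.append("Internet Explorer restriction policy present")
    return Finding(line.strip(), score, reasons)


def triage(lines, threshold: int = 2):
    """Return the findings at or above the threshold, highest score first."""
    findings = [f for f in map(assess, lines) if f is not None and f.score >= threshold]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.score}] {f.line}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

On the sample, the three orphaned BHOs score 4, the Policies\Explorer\Run entry 3 and the O6 restriction 2, while the Adobe, Spybot and ccApp lines score 0. The threshold is deliberately above the name heuristic alone, so a legitimately named eight-letter DLL needs a second signal (no name, missing file) before it is flagged; on a real log the two-scan result sopoku posted, a clean HijackThis log with none of these signals, is the outcome this check is looking for.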

Shaba
2008-06-15, 12:18
Hi sopoku

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your post.

sopoku
2008-06-16, 01:49
Hi Shaba,

Before everything i want to thank you for your help.
OK, I've run DSS as told and here are the logs:

Deckard's System Scanner v20071014.68
Run by Helder Dias on 2008-06-15 23:38:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-06-15 22:38:53 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Helder Dias.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:40:21, on 15-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Symantec AntiVirus\DefWatch.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Symantec AntiVirus\Rtvscan.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\Programas\Java\jre1.6.0_06\bin\jusched.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
C:\Documents and Settings\Helder Dias\Ambiente de trabalho\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Helder Dias.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clix.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Programas\AveDesk\AveDesk.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Programas\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ATI Tray Tools.lnk = C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196441605638
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programas\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8919 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080513-144038-594 O2 - BHO: (no name) - {A0EAE3D0-8B40-4CDA-A2B9-2CFE6E41712D} - C:\WINDOWS\system32\qoMdCTJc.dll (file missing)
backup-20080513-144038-597 O2 - BHO: (no name) - {FC4A36C9-D7DC-4E7D-82AF-68A62BC04356} - C:\WINDOWS\system32\cbXQhGAT.dll (file missing)
backup-20080513-144038-806 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20080513-144038-879 O2 - BHO: (no name) - {AE6F8D85-21E5-47EF-AA9B-C434E188DEB9} - C:\WINDOWS\system32\efcdEVpp.dll (file missing)
backup-20080513-144038-992 O4 - HKCU\..\Policies\Explorer\Run: [NTSecurity] NTSecurity.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 viasraid - c:\windows\system32\drivers\viasraid.sys <Not Verified; VIA Technologies inc,.ltd; Raid controller 6420 driver>
R1 atitray - c:\programas\ray adams\ati tray tools\atitray.sys
R2 LBeepKE - c:\windows\system32\drivers\lbeepke.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
R2 U3sHlpDr - c:\windows\system32\drivers\u3shlpdr.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
S3 giveio - c:\windows\system32\giveio.sys
S3 LHidUsbK (SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech Inc.; Logitech SetPoint>
S3 RushTopDevice - c:\programas\msi\core center\rushtop.sys <Not Verified; MICRO-STAR INT'L CO., LTD.; MSI CoreCenter>
S3 SunkFilt (Alcor Micro Corp Reader) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
S3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 EPSON_PM_RPCV4_01 (EPSON V3 Service4(01)) - c:\documents and settings\all users\application data\epson\epw!3 ssrp\e_s30rp1.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Status Monitor 3>
S3 ServiceLayer - "c:\programas\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>
S3 StarWindServiceAE (StarWind AE Service) - c:\programas\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia N73
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia N73
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-06-15 23:38:02 322 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-06-15 23:35:16 494 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-06-15 08:10:00 322 --a------ C:\WINDOWS\Tasks\emulext.job
2008-06-11 03:44:56 276 --a------ C:\WINDOWS\Tasks\µTorrent.job
2008-06-09 20:45:54 336 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-05-15 and 2008-06-15 -----------------------------

2008-06-15 23:31:30 0 dr-h----- C:\Documents and Settings\Helder Dias\Recent
2008-06-15 01:10:13 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-07 05:12:04 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\InstallShield
2008-06-03 13:56:34 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-06-03 13:56:31 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-06-03 13:56:31 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-06-03 13:56:31 39936 --a------ C:\WINDOWS\system32\huffyuv.dll <Not Verified; Disappearing Inc.; Huffyuv>
2008-06-03 13:56:30 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-03 13:56:30 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-03 13:56:30 2121235 --a------ C:\WINDOWS\system32\x264vfw.dll
2008-06-03 13:56:30 630784 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-06-03 13:56:30 438272 --a------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2008-06-03 13:56:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-03 13:56:29 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-03 13:56:28 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-03 13:56:27 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-03 13:56:25 0 d-------- C:\Programas\K-Lite Codec Pack
2008-06-03 13:56:25 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Real
2008-06-03 13:56:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2008-05-28 02:51:27 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Mesa Dynamics, LLC
2008-05-28 02:46:42 0 d-------- C:\Programas\VisualTaskTips
2008-05-27 22:47:44 0 d-------- C:\Programas\Alky for Applications
2008-05-27 22:38:12 162816 --a------ C:\WINDOWS\system32\fmod.dll <Not Verified; Firelight Technologies Pty, Ltd; FMOD>
2008-05-27 22:37:31 102400 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>


-- Find3M Report ---------------------------------------------------------------

2008-06-15 23:37:06 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\uTorrent
2008-06-15 23:36:39 0 d-------- C:\Programas\Symantec AntiVirus
2008-06-15 22:05:17 0 d-------- C:\Programas\emule0.48a-Xtreme6.1
2008-06-15 03:13:16 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-14 22:28:59 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Vso
2008-06-14 22:28:55 0 d-------- C:\Programas\DVDFab 5
2008-06-14 16:24:54 0 d-------- C:\Programas\eMule
2008-06-13 01:27:01 0 d-------- C:\Programas\SpywareBlaster
2008-06-13 00:54:09 0 d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-06-03 13:34:02 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\URSoft
2008-06-03 13:34:00 0 d-------- C:\Programas\Your Uninstaller 2008
2008-06-03 13:29:56 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Thinstall
2008-05-30 14:44:28 0 d-------- C:\Programas\TuneUp Utilities 2008
2008-05-27 22:41:31 0 d-------- C:\Programas\UltraISO
2008-05-27 22:41:28 0 d-------- C:\Programas\Ficheiros comuns\EZB Systems
2008-05-27 22:37:02 0 d-------- C:\Programas\eXtreme Movie Manager
2008-05-21 10:53:32 0 d-------- C:\Programas\Microsoft Silverlight
2008-05-14 13:17:45 492802 --a------ C:\WINDOWS\system32\perfh016.dat
2008-05-14 13:17:45 83934 --a------ C:\WINDOWS\system32\perfc016.dat
2008-05-14 13:03:59 0 d-------- C:\Programas\Messenger
2008-05-14 13:03:42 0 d-------- C:\Programas\Movie Maker
2008-05-13 16:05:15 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Malwarebytes
2008-05-12 12:29:34 34 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.log
2008-05-12 12:26:38 47360 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-12 12:26:38 1144 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.inf
2008-05-12 12:26:38 7887 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.cat
2008-05-09 12:42:07 0 d-------- C:\Programas\Aicon121
2008-05-06 15:42:09 0 d-------- C:\Programas\ATI Technologies
2008-05-06 15:38:33 0 d-------- C:\Programas\DIFX
2008-05-06 15:33:15 0 d-------- C:\Programas\Paint.NET
2008-05-06 12:43:50 0 d-------- C:\Programas\Ficheiros comuns\Symantec Shared
2008-05-06 12:43:16 0 d-------- C:\Programas\Symantec
2008-05-03 16:35:14 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Acronis
2008-05-03 15:22:25 0 d-------- C:\Programas\Ficheiros comuns\Acronis
2008-05-03 15:22:13 0 d-------- C:\Programas\Ficheiros comuns
2008-05-03 15:22:13 0 d-------- C:\Programas\Acronis
2008-05-01 16:40:08 3541 --a------ C:\WINDOWS\mozver.dat
2008-05-01 16:06:27 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\vlc
2008-05-01 15:01:48 0 d-------- C:\Programas\DAEMON Tools Lite
2008-05-01 14:59:07 0 d-------- C:\Programas\Winamp
2008-05-01 14:48:52 0 d-------- C:\Programas\Java
2008-03-28 21:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Programas\Windows Defender\MSASCui.exe" [03-11-2006 19:20]
"!AVG Anti-Spyware"="C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" [13-02-2008 12:36]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_06\bin\jusched.exe" [25-03-2008 04:28]
"ccApp"="C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe" [29-05-2007 16:33]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [07-10-2007 20:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [14-04-2008 17:09]
"AVEDESK"="C:\Programas\AveDesk\AveDesk.exe" [26-10-2005 00:44]
"DAEMON Tools Lite"="C:\Programas\DAEMON Tools Lite\daemon.exe" [01-04-2008 10:39]
"uTorrent"="C:\Programas\uTorrent\uTorrent.exe" [30-01-2008 13:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Helder Dias\Menu Iniciar\Programas\Arranque\
ATI Tray Tools.lnk - C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe [22-05-2007 10:04:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=11 (0xb)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\programas\ficheiros comuns\logitech\bluetooth\LBTWlgn.dll 09-01-2008 13:30 72208 c:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
"PC Suite Tray"="C:\Programas\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
"SpybotSD TeaTimer"=C:\Programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Sunkist2k"=C:\Programas\Multimedia Card Reader\shwicon2k.exe
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"Acronis Scheduler2 Service"="C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4566c3e8-e793-11dc-8c58-000c7691af0b}]
AutoRun\command- G:\setup\rsrc\Autorun.exe
dinstall\command- G:\Directx\dxsetup.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8729 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-15 23:42:20 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 3.0
Architecture: X86; Language: Portuguese

CPU 0: AMD Athlon(tm) 64 Processor 3400+
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 2047.48 MiB / 1392.08 MiB
Pagefile Memory (total/avail): 3427.59 MiB / 2918.72 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1913.03 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 34.18 GiB total, 12.32 GiB free.
D: is Fixed (NTFS) - 19.53 GiB total, 12.52 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (UDF)
H: is Fixed (NTFS) - 58.59 GiB total, 54.07 GiB free.
I: is Fixed (NTFS) - 58.59 GiB total, 11.33 GiB free.
J: is Fixed (NTFS) - 96.16 GiB total, 18.52 GiB free.
K: is Fixed (NTFS) - 698.64 GiB total, 127.83 GiB free.
L: is Fixed (NTFS) - 199.57 GiB total, 100.36 GiB free.
M: is Fixed (NTFS) - 279.47 GiB total, 39.78 GiB free.
N: is Fixed (NTFS) - 279.47 GiB total, 28.48 GiB free.
O: is Fixed (NTFS) - 233.76 GiB total, 104.68 GiB free.

\\.\PHYSICALDRIVE1 - HDS72252 5VLSA80 SCSI Disk Device - 232.88 GiB - 4 partitions
\PARTITION0 (bootable) - Sistema de ficheiros instalável - 19.53 GiB - D:
\PARTITION1 - Sistema de ficheiros instalável - 58.59 GiB - H:
\PARTITION2 - Sistema de ficheiros instalável - 58.59 GiB - I:
\PARTITION3 - Sistema de ficheiros instalável - 96.16 GiB - J:

\\.\PHYSICALDRIVE4 - Maxtor 6V300F0 SCSI Disk Device - 279.47 GiB - 1 partition
\PARTITION0 - Sistema de ficheiros instalável - 279.47 GiB - M:

\\.\PHYSICALDRIVE0 - Maxtor 6 L250S0 SCSI Disk Device - 233.76 GiB - 1 partition
\PARTITION0 - Sistema de ficheiros instalável - 233.76 GiB - O:

\\.\PHYSICALDRIVE3 - Unidade - 279.47 GiB - 1 partition
\PARTITION0 - Sistema de ficheiros instalável - 279.47 GiB - N:

\\.\PHYSICALDRIVE2 - Maxtor 7 Y250M0 SCSI Disk Device - 233.76 GiB - 2 partitions
\PARTITION0 (bootable) - Sistema de ficheiros instalável - 34.18 GiB - C:
\PARTITION1 - Expandido com Int 13 expandido - 199.57 GiB - L:

\\.\PHYSICALDRIVE5 - SAMSUNG HD753LJ SCSI Disk Device - 698.64 GiB - 1 partition
\PARTITION0 - Sistema de ficheiros instalável - 698.64 GiB - K:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALKY=C:\Programas\Alky for Applications\Libraries\
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Helder Dias\Application Data
CommonProgramFiles=C:\Programas\Ficheiros comuns
COMPUTERNAME=HELDER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Helder Dias
LOGONSERVER=\\HELDER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Programas\PC Connectivity Solution;C:\Programas\ATI Technologies\ATI.ACE\Core-Static;C:\Programas\Alky for Applications\Libraries\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 8, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0408
ProgramFiles=C:\Programas
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HELDER~1\DEFINI~1\Temp
TMP=C:\DOCUME~1\HELDER~1\DEFINI~1\Temp
USERDOMAIN=HELDER
USERNAME=Helder Dias
USERPROFILE=C:\Documents and Settings\Helder Dias
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Helder Dias (admin)
Administrador (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Programas\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
162x driver v1.22 --> C:\Programas\InstallShield Installation Information\{34A13B6B-512C-45E7-A3D0-7771C2D5B895}\setup.exe -runfromtemp -l0x0009 -removeonly
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0816-0000-0000000FF1CE} /uninstall {C450104C-4F9F-4924-8B97-92FB09DE9A92}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0816-0000-0000000FF1CE} /uninstall {6C04B8BC-6DC4-422F-B871-0236D11C50AB}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0816-0000-0000000FF1CE} /uninstall {A0926DF5-19BB-448D-B8AA-7B1E321F48CF}
Acronis True Image Home --> MsiExec.exe /X{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}
Actualização de segurança para Windows XP (KB913433) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
Administrador PRIMAVERA v4.0 --> C:\WINDOWS\IsUn0816.exe -f"C:\Programas\PRIMAVERA Software\SGP\COMuninst.isu"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Alky for Applications (Windows XP) --> MsiExec.exe /X{BB05D173-9681-4812-A7FA-BD4042A3DA00}
AMD Processor Driver --> C:\Programas\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe -runfromtemp -l0x0816 -removeonly
Ant Movie Catalog --> "C:\Programas\Ant Movie Catalog\unins000.exe"
AntiSub Br 0.9.3 --> "C:\Programas\AntiSub Br\unins000.exe"
AnyReader 2.4 --> C:\Programas\AnyReader\uninst.exe
ATI - Software Uninstall Utility --> C:\Programas\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
µTorrent --> "C:\Programas\uTorrent\uTorrent.exe" /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Programas\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Programas\AviSynth 2.5\Uninstall.exe"
Cópia de segurança das Pastas pessoais do Microsoft Outlook --> MsiExec.exe /X{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Cliente de Gestão de Direitos do Windows - Retrocompatibilidade do SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Cliente de Gestão de Direitos do Windows com Service Pack 2 --> MsiExec.exe /X{028252D7-5DBA-4AD9-972E-6630F4B76A1D}
Command & Conquer 3 --> MsiExec.exe /I{B0C30E93-D3D9-4F04-A2AC-54749B573275}
Command & Conquer Generals --> C:\PROGRA~1\FICHEI~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Command and ConquerTM Generals Zero Hour --> C:\PROGRA~1\FICHEI~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}
Compressor WinRAR --> C:\Programas\WinRAR\uninstall.exe
Core Center --> C:\WINDOWS\IsUninst.exe -f"C:\Programas\MSI\Core Center\Uninst.isu"
DH Driver Cleaner Professional Edition --> C:\Programas\Driver Cleaner Pro\Uninstall.exe
DivXLand Media Subtitler --> C:\WINDOWS\unvise32.exe C:\Programas\DivXLand\Media Subtitler\uninstal.log
DVD Decrypter (Remove Only) --> "C:\Programas\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Programas\DVD Shrink\unins000.exe"
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.0.2.5 --> "C:\Programas\DVDFab 5\unins000.exe"
DVDFab Multi Setup --> C:\Programas\DVDFab 5\Uninstall.exe
Easy Video Joiner 5.21 --> "C:\Programas\Easy Video Joiner\unins000.exe"
Easy Video Splitter 1.28 --> "C:\Programas\Easy Video Splitter\unins000.exe"
eMule --> "C:\Programas\eMule\Uninstall.exe"
EPSON TWAIN 5 --> RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programas\InstallShield Installation Information\{9A3EABC0-CA06-11D4-BF77-00104B130C19}\SETUP.EXE" -l0x816 UNINSTALL
eXtreme Movie Manager 6.2.3.0 - Full Install! --> "C:\Programas\eXtreme Movie Manager\unins000.exe"
Gestão Comercial PRIMAVERA v4.2 --> C:\WINDOWS\IsUn0816.exe -f"C:\Programas\PRIMAVERA Software\SGP\GCPuninst.isu"
HijackThis 2.0.2 --> "C:\Programas\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IrfanView (remove only) --> C:\Programas\IrfanView\iv_uninstall.exe
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
K-Lite Mega Codec Pack 3.9.0 --> "C:\Programas\K-Lite Codec Pack\unins000.exe"
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Programas\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech SetPoint --> C:\Programas\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0816 -removeonly
Malwarebytes' Anti-Malware --> "C:\Programas\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live --> "C:\Programas\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Access MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-0015-0816-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-0016-0816-0000-0000000FF1CE}
Microsoft Office Groove MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-00BA-0816-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-0044-0816-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-00A1-0816-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-001A-0816-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-0018-0816-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-001F-0816-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-002C-0816-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-0019-0816-0000-0000000FF1CE}
Microsoft Office Shared MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-006E-0816-0000-0000000FF1CE}
Microsoft Office Word MUI (Portuguese (Portugal)) 2007 --> MsiExec.exe /X{90120000-001B-0816-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Modelo 3 v1.8 --> C:\Programas\Declarações Electrónicas\Modelo3\uninstall.exe
MozBackup 1.4.7 --> "C:\Programas\MozBackup\unins000.exe"
Mozilla Firefox (2.0.0.14) --> C:\Programas\Mozilla Firefox\uninstall\helper.exe
Mp3tag v2.38 --> C:\Programas\Mp3tag\Mp3tagUninstall.EXE
MSI Live Update 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Programas\MSI\Live Update 3\Uninst.isu"
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Multimedia Card Reader --> C:\Programas\Ficheiros comuns\InstallShield\Driver\8\Intel 32\IDriver.exe /M{07B02BD4-E799-4945-B240-166CA9A9BE2D} /l1033
Nero 8 --> MsiExec.exe /X{D6D5CB84-0E6E-4E69-B300-C690B6912070}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{0FC76B71-2534-4354-B255-3468578E3F47}\Nokia_PC_Suite_rel_6_86_9_0_por.exe
Nokia PC Suite --> MsiExec.exe /I{0FC76B71-2534-4354-B255-3468578E3F47}
Nokia Software Updater --> MsiExec.exe /X{3741689E-584D-40C9-B011-373A0371846D}
Pacote de controladores do Windows - INITIO Corp. (inic162x) SCSIAdapter (02/21/2006 5.07.06.0221) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\inic162x_73BA3E065BCE32464E8031CD3B7470058DD60434\inic162x.inf
Pacote de controladores do Windows - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Pacote de controladores do Windows - Nokia Modem (02/15/2007 3.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_F12A08B6F776984A95553486F64C541356F86E38\pccs_bluetooth.inf
Pacote de controladores do Windows - Nokia Modem (03/05/2008 3.7) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_635B28EFCFA9395123BB1C251595CB16129E2560\nokia_bluetooth.inf
Pacote de controladores do Windows - Nokia Modem (03/13/2008 6.86.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_28F2EAC406838DA65AFF6C6886FE9FE96AEF5186\nokbtmdm.inf
Pacote de controladores do Windows - Nokia Modem (05/24/2007 6.84.0.1) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_5E1541AFF1E1EA3554CE566743CCAD323ED1C108\nokbtmdm.inf
Pacote de controladores do Windows - Nokia Modem (08/03/2007 6.84.0.2) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_1EB5F2E6F54A6BEDE9F436D1BA5D830FC71739BE\nokbtmdm.inf
Pacote de controladores do Windows - Nokia Modem (08/08/2007 3.3) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_32E2E448B53EE5B28E074D88802D0BAF984038DA\pccs_bluetooth.inf
Pacote de controladores do Windows - Nokia Modem (10/12/2007 3.6) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokia_blue_0A5D98F754C6588B2E3DDE89DDEF097075ADFFB7\nokia_bluetooth.inf
Pacote de controladores do Windows - Nokia pccsmcfd (10/12/2007 6.85.4.0) --> C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
Paint.NET v3.31 --> MsiExec.exe /X{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}
PC Connectivity Solution --> MsiExec.exe /I{AC599724-5755-48C1-ABE7-ABB857652930}
Photo Toolkit 1.7 --> "C:\Programas\Photo Toolkit\unins000.exe"
Ray Adams ATI Tray Tools --> "C:\Programas\Ray Adams\ATI Tray Tools\uninstall.exe"
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programas\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x816 -removeonly
Registry Mechanic 7.0 --> "C:\Programas\Registry Mechanic\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Software para Impressoras EPSON --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Spybot - Search & Destroy --> "C:\Programas\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Programas\SpywareBlaster\unins000.exe"
SSC Service Utility v4.30 --> "C:\Programas\SSC Service Utility\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{2085C617-589C-40F8-BE40-EDBC9E2CA2EB}
The FilmMachine 1.5.4 --> "C:\Programas\The FilmMachine\unins000.exe"
Time Adjuster STANDARD 3.1 --> "C:\Programas\TimeAdjuster\Uninstall.exe"
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
UltraISO Premium V9.2 --> "C:\Programas\UltraISO\unins000.exe"
Unlocker 1.8.7 --> C:\Programas\Unlocker\uninst.exe
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
v3.9.8.5128 --> "C:\Programas\GetData\Recover My Files\unins000.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VIA Platform Device Manager --> C:\PROGRA~1\FICHEI~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VideoLAN VLC media player 0.8.6h --> C:\Programas\VideoLAN\VLC\uninstall.exe
Visual Task Tips 3.2 --> C:\Programas\VisualTaskTips\uninst.exe
Winamp --> "C:\Programas\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Live installer --> MsiExec.exe /X{0C69F74B-DA6A-4C56-8017-988B7D63993A}
Windows Live Mail --> MsiExec.exe /I{E00AE9B9-518F-42FB-987C-C4791AB42CBC}
Windows Live Messenger --> MsiExec.exe /X{B98023FD-EC2A-404B-BFC3-49E7ECE4490E}
Windows Live Sign-in Assistant --> MsiExec.exe /I{0ED47137-C071-46CC-A243-E5E33271E10E}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Presentation Foundation Language Pack (PTG) --> MsiExec.exe /X{51F01230-4561-433C-AFDA-0F158F4BDC8D}
Windows Workflow Foundation PT Language Pack --> MsiExec.exe /I{D3999FDC-943A-4E0F-9B26-DE5EA2E1F8E2}
XML Paper Specification Shared Components Pack 1.0 -->
Your Uninstaller! 2008 Version 6.0 --> "C:\Programas\Your Uninstaller 2008\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type4681 / Warning
Event Submitted/Written: 06/15/2008 11:31:37 PM
Event ID/Source: 1524 / Userenv
Event Description:
Não é possível ao Windows descarregar o ficheiro de registo de classes - ainda está a ser utilizado por outras aplicações ou serviços. O ficheiro será descarregado quando já não estiver a ser utilizado.

Event Record #/Type4677 / Warning
Event Submitted/Written: 06/15/2008 10:57:41 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside J:\Música\Mp3\- Para Organizar\Ashanti-Concrete_Rose-2004-RNS-HOIM.rar due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type4676 / Warning
Event Submitted/Written: 06/15/2008 10:57:37 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 1 files inside J:\Música\Mp3\- Para Organizar\50_Cent-Disco_Inferno-VLS-2004-CMS-HOIM.rar due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type4675 / Warning
Event Submitted/Written: 06/15/2008 10:57:35 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 2 files inside J:\Música\Mp3\- Para Organizar\ Loose - Nelly Furtado [ Full Album].zip due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type4674 / Warning
Event Submitted/Written: 06/15/2008 10:42:34 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 42 files inside H:\Downloads\Software\Total Video Converter New Ultimate 2008 v3 11 Winall.rar due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5404 / Warning
Event Submitted/Written: 06/15/2008 11:40:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HELDER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HELDER27 can't undo changes that you allow.

For more information please see the following:
%HELDER275

Scan ID: {FE000C99-D467-44C2-BD23-85ABEAF73C9A}

User: HELDER\Helder Dias

Name: %HELDER271

ID: %HELDER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %HELDER276

Alert Type: %HELDER278

Detection Type: 1.1.1593.02

Event Record #/Type5403 / Warning
Event Submitted/Written: 06/15/2008 11:40:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HELDER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HELDER27 can't undo changes that you allow.

For more information please see the following:
%HELDER275

Scan ID: {EFD78E90-1388-4BB0-9DC6-463B431E93BA}

User: HELDER\Helder Dias

Name: %HELDER271

ID: %HELDER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %HELDER276

Alert Type: %HELDER278

Detection Type: 1.1.1593.02

Event Record #/Type5402 / Warning
Event Submitted/Written: 06/15/2008 11:40:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HELDER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HELDER27 can't undo changes that you allow.

For more information please see the following:
%HELDER275

Scan ID: {0DA392BF-19E9-44DD-AA81-CB08A2982F4C}

User: HELDER\Helder Dias

Name: %HELDER271

ID: %HELDER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %HELDER276

Alert Type: %HELDER278

Detection Type: 1.1.1593.02

Event Record #/Type5401 / Warning
Event Submitted/Written: 06/15/2008 11:40:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HELDER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HELDER27 can't undo changes that you allow.

For more information please see the following:
%HELDER275

Scan ID: {07276981-1C79-4703-8372-CB1640060CD9}

User: HELDER\Helder Dias

Name: %HELDER271

ID: %HELDER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %HELDER276

Alert Type: %HELDER278

Detection Type: 1.1.1593.02

Event Record #/Type5400 / Warning
Event Submitted/Written: 06/15/2008 11:40:32 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HELDER27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HELDER27 can't undo changes that you allow.

For more information please see the following:
%HELDER275

Scan ID: {F1AB6D0B-3D46-4BDB-84F3-48F5043E9F15}

User: HELDER\Helder Dias

Name: %HELDER271

ID: %HELDER272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %HELDER276

Alert Type: %HELDER278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-06-15 23:42:20 ------------

Once more, thank you.

Shaba
2008-06-17, 16:48
Hi, and sorry for the delay.

Click Start and then Run to bring up the Run box.
Copy and paste the contents of this quote box into the run box:

"%userprofile%\desktop\dss.exe" /daft
Click OK.
Click OK to the prompt from Deckard's System Scanner.
Click Scan.
Place a tick next to the following entries (if they are present).
.cpl
.reg
.scr
Click Fix.

Re-run dss and post back its log, please :)

sopoku
2008-06-17, 17:26
Hi Shaba,

Thanks for your reply.

I did what you told me to do, fixed those entries and re-ran the dss, but it only gives me the main log. I don't know if that's normal. Here is the log:

Deckard's System Scanner v20071014.68
Run by Helder Dias on 2008-06-17 15:16:33
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Helder Dias.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:39, on 17-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Symantec AntiVirus\DefWatch.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Symantec AntiVirus\Rtvscan.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\Programas\Java\jre1.6.0_06\bin\jusched.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Helder Dias\Ambiente de trabalho\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HELDER~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clix.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Programas\AveDesk\AveDesk.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Programas\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ATI Tray Tools.lnk = C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196441605638
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programas\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8916 bytes

-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 15:08:53 0 dr-h----- C:\Documents and Settings\Helder Dias\Recent
2008-06-15 01:10:13 0 d--hs---- C:\WINDOWS\ftpcache
2008-06-07 05:12:04 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\InstallShield
2008-06-03 13:56:34 164352 --a------ C:\WINDOWS\system32\unrar.dll
2008-06-03 13:56:31 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-06-03 13:56:31 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2008-06-03 13:56:31 39936 --a------ C:\WINDOWS\system32\huffyuv.dll <Not Verified; Disappearing Inc.; Huffyuv>
2008-06-03 13:56:30 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-03 13:56:30 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-03 13:56:30 2121235 --a------ C:\WINDOWS\system32\x264vfw.dll
2008-06-03 13:56:30 630784 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-06-03 13:56:30 438272 --a------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2008-06-03 13:56:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-06-03 13:56:29 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-06-03 13:56:28 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-06-03 13:56:27 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-06-03 13:56:25 0 d-------- C:\Programas\K-Lite Codec Pack
2008-06-03 13:56:25 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Real
2008-06-03 13:56:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Real
2008-05-28 02:51:27 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Mesa Dynamics, LLC
2008-05-28 02:46:42 0 d-------- C:\Programas\VisualTaskTips
2008-05-27 22:47:44 0 d-------- C:\Programas\Alky for Applications
2008-05-27 22:38:12 162816 --a------ C:\WINDOWS\system32\fmod.dll <Not Verified; Firelight Technologies Pty, Ltd; FMOD>
2008-05-27 22:37:31 102400 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>


-- Find3M Report ---------------------------------------------------------------

2008-06-17 15:13:16 0 d-------- C:\Programas\Symantec AntiVirus
2008-06-17 15:13:08 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\uTorrent
2008-06-16 17:28:07 0 d-------- C:\Programas\emule0.48a-Xtreme6.1
2008-06-16 12:03:32 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-16 00:34:45 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Vso
2008-06-14 22:28:55 0 d-------- C:\Programas\DVDFab 5
2008-06-14 16:24:54 0 d-------- C:\Programas\eMule
2008-06-13 01:27:01 0 d-------- C:\Programas\SpywareBlaster
2008-06-13 00:54:09 0 d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-06-03 13:34:02 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\URSoft
2008-06-03 13:34:00 0 d-------- C:\Programas\Your Uninstaller 2008
2008-06-03 13:29:56 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Thinstall
2008-05-30 14:44:28 0 d-------- C:\Programas\TuneUp Utilities 2008
2008-05-27 22:41:31 0 d-------- C:\Programas\UltraISO
2008-05-27 22:41:28 0 d-------- C:\Programas\Ficheiros comuns\EZB Systems
2008-05-27 22:37:02 0 d-------- C:\Programas\eXtreme Movie Manager
2008-05-21 10:53:32 0 d-------- C:\Programas\Microsoft Silverlight
2008-05-14 13:17:45 492802 --a------ C:\WINDOWS\system32\perfh016.dat
2008-05-14 13:17:45 83934 --a------ C:\WINDOWS\system32\perfc016.dat
2008-05-14 13:03:59 0 d-------- C:\Programas\Messenger
2008-05-14 13:03:42 0 d-------- C:\Programas\Movie Maker
2008-05-13 16:05:15 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Malwarebytes
2008-05-12 12:29:34 34 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.log
2008-05-12 12:26:38 47360 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-05-12 12:26:38 1144 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.inf
2008-05-12 12:26:38 7887 --a------ C:\Documents and Settings\Helder Dias\Application Data\pcouffin.cat
2008-05-09 12:42:07 0 d-------- C:\Programas\Aicon121
2008-05-06 15:42:09 0 d-------- C:\Programas\ATI Technologies
2008-05-06 15:38:33 0 d-------- C:\Programas\DIFX
2008-05-06 15:33:15 0 d-------- C:\Programas\Paint.NET
2008-05-06 12:43:50 0 d-------- C:\Programas\Ficheiros comuns\Symantec Shared
2008-05-06 12:43:16 0 d-------- C:\Programas\Symantec
2008-05-03 16:35:14 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\Acronis
2008-05-03 15:22:25 0 d-------- C:\Programas\Ficheiros comuns\Acronis
2008-05-03 15:22:13 0 d-------- C:\Programas\Ficheiros comuns
2008-05-03 15:22:13 0 d-------- C:\Programas\Acronis
2008-05-01 16:40:08 3541 --a------ C:\WINDOWS\mozver.dat
2008-05-01 16:06:27 0 d-------- C:\Documents and Settings\Helder Dias\Application Data\vlc
2008-05-01 15:01:48 0 d-------- C:\Programas\DAEMON Tools Lite
2008-05-01 14:59:07 0 d-------- C:\Programas\Winamp
2008-05-01 14:48:52 0 d-------- C:\Programas\Java
2008-03-28 21:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Programas\Windows Defender\MSASCui.exe" [03-11-2006 19:20]
"!AVG Anti-Spyware"="C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" [13-02-2008 12:36]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_06\bin\jusched.exe" [25-03-2008 04:28]
"ccApp"="C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe" [29-05-2007 16:33]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [07-10-2007 20:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [14-04-2008 17:09]
"AVEDESK"="C:\Programas\AveDesk\AveDesk.exe" [26-10-2005 00:44]
"DAEMON Tools Lite"="C:\Programas\DAEMON Tools Lite\daemon.exe" [01-04-2008 10:39]
"uTorrent"="C:\Programas\uTorrent\uTorrent.exe" [30-01-2008 13:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Helder Dias\Menu Iniciar\Programas\Arranque\
ATI Tray Tools.lnk - C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe [22-05-2007 10:04:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=11 (0xb)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\programas\ficheiros comuns\logitech\bluetooth\LBTWlgn.dll 09-01-2008 13:30 72208 c:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Programas\Windows Live\Messenger\MsnMsgr.Exe" /background
"PC Suite Tray"="C:\Programas\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
"SpybotSD TeaTimer"=C:\Programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Sunkist2k"=C:\Programas\Multimedia Card Reader\shwicon2k.exe
"Kernel and Hardware Abstraction Layer"=KHALMNPR.EXE
"Acronis Scheduler2 Service"="C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4566c3e8-e793-11dc-8c58-000c7691af0b}]
AutoRun\command- G:\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-06-17 15:18:31 ------------

Thanks again

Shaba
2008-06-17, 17:54
Hi

That is normal and expected, yes :)

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
Click the Save Report As... button (see red arrow below)
http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif
In the Save as... prompt, select Desktop
In the File name box, name the file KasScan-ddmmyy (or similar)
In the Save as type prompt, select Text file (see below)
http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

sopoku
2008-06-18, 12:25
Hi again Shaba,

Just did the online scan and ran HJT, here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 18, 2008 10:02:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/06/2008
Kaspersky Anti-Virus database records: 877234
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\

Scan Statistics:
Total number of scanned objects: 119300
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 02:21:54

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12072006-082717.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Application Data\Microsoft\Windows Defender\FileTracker\{3817C83F-18D8-4441-B57F-92C4F24C40BA} Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\temp\Perflib_Perfdata_15d4.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\temp\Perflib_Perfdata_34c.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Helder Dias\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Programas\Symantec AntiVirus\SAVRT\0068NAV~.TMP Object is locked skipped
C:\Programas\Symantec AntiVirus\SAVRT\0419NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0F71B21E-93EE-47C0-85D9-9E565C5F29D9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Definições locais\temp\TMP000000496742140EAC8496F9 Object is locked skipped
C:\WINDOWS\system32\drivers\etc\service.exe Infected: Trojan.Win32.Agent.ree skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe/data0000.cab/is153548.exe Infected: Trojan.Win32.Monder.gen skipped
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe Rsrc-Package: infected - 2 skipped
D:\Updates\Nero 8\Nero.8.Ultra.Edition.v8.1.1.4.Multilingual.With.KeyGen..[www.sharetuga.web.pt].rar/Nero-8.1.1.4_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\Updates\Nero 8\Nero.8.Ultra.Edition.v8.1.1.4.Multilingual.With.KeyGen..[www.sharetuga.web.pt].rar/Nero-8.1.1.4_all_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\Updates\Nero 8\Nero.8.Ultra.Edition.v8.1.1.4.Multilingual.With.KeyGen..[www.sharetuga.web.pt].rar RAR: infected - 2 skipped
H:\Downloads\Software\Alky.Windows.Sidebar.for.XP.by.isso87.(140.Gadgets).20.12.07.[www.sharetuga.web.pt].rar/03 Gadgets/Instalar.Gadgets.Extras.20.12.07.exe/AutoShutdown.gadget/core/gadget.js Infected: not-a-virus:RiskTool.JS.Shutdown.a skipped
H:\Downloads\Software\Alky.Windows.Sidebar.for.XP.by.isso87.(140.Gadgets).20.12.07.[www.sharetuga.web.pt].rar/03 Gadgets/Instalar.Gadgets.Extras.20.12.07.exe Infected: not-a-virus:RiskTool.JS.Shutdown.a skipped
H:\Downloads\Software\Alky.Windows.Sidebar.for.XP.by.isso87.(140.Gadgets).20.12.07.[www.sharetuga.web.pt].rar RAR: infected - 2 skipped
H:\Downloads\Software\FairUse.Wizard 2.6-DVT.[www.sharetuga.web.pt].rar/FairUse.Wizard 2.6-DVT.exe Infected: not-a-virus:AdWare.Win32.Rabio.w skipped
H:\Downloads\Software\FairUse.Wizard 2.6-DVT.[www.sharetuga.web.pt].rar RAR: infected - 1 skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe/data0000.cab/is152966.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe Rsrc-Package: infected - 2 skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
M:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
N:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
O:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:17, on 18-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Symantec AntiVirus\DefWatch.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Symantec AntiVirus\Rtvscan.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\Programas\Java\jre1.6.0_06\bin\jusched.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
C:\Programas\AveDesk\AveDesk.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clix.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Programas\AveDesk\AveDesk.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Programas\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ATI Tray Tools.lnk = C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196441605638
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programas\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9030 bytes


By the way, can you give me your opinion on which software I should use?
I'm using an anti-virus + AVG Anti-Spyware + Windows Defender. Should I also use TeaTimer, or should I instead drop AVG or Windows Defender and use TeaTimer?

Thanks for your time.

Shaba
2008-06-18, 20:08
Hi

Now we found out why you got infected:

D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe/data0000.cab/is153548.exe Infected: Trojan.Win32.Monder.gen skipped
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe Rsrc-Package: infected - 2 skipped
D:\Updates\Nero 8\Nero.8.Ultra.Edition.v8.1.1.4.Multilingual.With.KeyGen..[http://www.sharetuga.web.pt].rar/Ner...xe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\Updates\Nero 8\Nero.8.Ultra.Edition.v8.1.1.4.Multilingual.With.KeyGen..[http://www.sharetuga.web.pt].rar/Ner..._all_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\Updates\Nero 8\Nero.8.Ultra.Edition.v8.1.1.4.Multilingual.With.KeyGen..[www.sharetuga.web.pt].rar RAR: infected - 2 skipped
H:\Downloads\Software\Alky.Windows.Sidebar.for.XP.by.isso87.(140.Gadgets).20.12.07.[www.sharetuga.web.pt].rar/03 Gadgets/Instalar.Gadgets.Extras.20.12.07.exe/AutoShutdown.gadget/core/gadget.js Infected: not-a-virus:RiskTool.JS.Shutdown.a skipped
H:\Downloads\Software\Alky.Windows.Sidebar.for.XP.by.isso87.(140.Gadgets).20.12.07.[www.sharetuga.web.pt].rar/03 Gadgets/Instalar.Gadgets.Extras.20.12.07.exe Infected: not-a-virus:RiskTool.JS.Shutdown.a skipped
H:\Downloads\Software\Alky.Windows.Sidebar.for.XP.by.isso87.(140.Gadgets).20.12.07.[www.sharetuga.web.pt].rar RAR: infected - 2 skipped
H:\Downloads\Software\FairUse.Wizard 2.6-DVT.[www.sharetuga.web.pt].rar/FairUse.Wizard 2.6-DVT.exe Infected: not-a-virus:AdWare.Win32.Rabio.w skipped
H:\Downloads\Software\FairUse.Wizard 2.6-DVT.[www.sharetuga.web.pt].rar RAR: infected - 1 skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe/data0000.cab/is152966.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe Rsrc-Package: infected - 2 skipped

Downloading pirated software is not only illegal but stupid as well.

Delete all those files/folders listed above and this as well:

C:\WINDOWS\system32\drivers\etc\service.exe

Empty Recycle Bin.

Re-scan with Kaspersky.


Post:

- a fresh HijackThis log
- Kaspersky report
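
Added example (mine, not part of Shaba's reply and not a Kaspersky tool): a small Python script that triages a report in the format quoted above. It maps each "Infected:" line back to the on-disk file that actually has to be deleted (the archive or installer before the first "/"), ranks Kaspersky's "not-a-virus:" adware/riskware verdicts below real malware verdicts such as Trojan.Win32.Monder.gen, and keeps the "Object is locked" lines separate so they do not look like detections. The function and class names are this example's own; the sample input is lines copied from the reports posted in this thread.

```python
"""Triage a Kaspersky Online Scanner report of the kind quoted above.

Added example: not code from the thread, the poster or Kaspersky. It reads the
"Infected Object Name / Virus Name / Last Action" lines, maps every detection
back to the on-disk file that has to be deleted, and separates malware verdicts
from Kaspersky's "not-a-virus:" riskware/adware verdicts. Names are my own.
"""
import re
from dataclasses import dataclass, field

# Per-member detection: "<file>/data0000.cab/is153548.exe Infected: Trojan.Win32.Monder.gen skipped"
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
# Container summary: "<file>.rar RAR: infected - 2 skipped" or "<file>.exe Rsrc-Package: infected - 2 skipped"
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[\w-]+): infected - (?P<count>\d+) skipped$")
# Files the scanner could not open; expected for hives, event logs and index.dat on a live system.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# Archive members are appended with "/"; the first "/" that is not part of "://" ends the
# on-disk path (some file names in the report contain a URL).
MEMBER_SEP = re.compile(r"(?<!:)(?<!:/)/")


@dataclass
class Finding:
    on_disk: str                      # the file that actually has to be deleted
    verdicts: set = field(default_factory=set)
    members: list = field(default_factory=list)

    @property
    def severity(self):
        if not self.verdicts:
            return "unclassified"     # container flagged, but its member lines mapped elsewhere
        # Kaspersky prefixes adware/riskware with "not-a-virus:"; anything else is treated as malware.
        return "malware" if any(not v.startswith("not-a-virus:") for v in self.verdicts) else "riskware"


def on_disk_path(scanned_object):
    return MEMBER_SEP.split(scanned_object, maxsplit=1)[0]


def triage(report_text):
    """Return (findings keyed by on-disk path, locked paths, lines that did not parse)."""
    findings, locked, unparsed = {}, [], []
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := INFECTED_RE.match(line):
            container = on_disk_path(m["path"])
            finding = findings.setdefault(container, Finding(container))
            finding.verdicts.add(m["verdict"])
            finding.members.append(m["path"])
        elif m := CONTAINER_RE.match(line):
            findings.setdefault(m["path"], Finding(m["path"]))
        elif m := LOCKED_RE.match(line):
            locked.append(m["path"])
        else:
            unparsed.append(line)     # headers etc.; kept so nothing is silently dropped
    return findings, locked, unparsed


def delete_list(findings):
    """Files to remove, malware first, then riskware: the 'delete all those files' step."""
    return sorted(findings.values(), key=lambda f: (f.severity != "malware", f.on_disk))


def is_clean(report_text):
    """True when the report contains no detections at all; locked objects do not count."""
    findings, _locked, _unparsed = triage(report_text)
    return not findings


# Sample input: lines copied from the reports quoted in this thread.
SAMPLE_REPORT = r"""
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe/data0000.cab/is153548.exe Infected: Trojan.Win32.Monder.gen skipped
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
D:\Updates\- Portables\WinRar Gold Edition Portable\WinRar Gold Edition Portable.exe Rsrc-Package: infected - 2 skipped
H:\Downloads\Software\FairUse.Wizard 2.6-DVT.[www.sharetuga.web.pt].rar/FairUse.Wizard 2.6-DVT.exe Infected: not-a-virus:AdWare.Win32.Rabio.w skipped
H:\Downloads\Software\FairUse.Wizard 2.6-DVT.[www.sharetuga.web.pt].rar RAR: infected - 1 skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe/data0000.cab/is152966.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
H:\Downloads\Software\Spyware.Doctor.v5.5.0.212_\sdsetup.exe Rsrc-Package: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
"""
CLEAN_REPORT = r"""
C:\WINDOWS\system32\config\software Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    findings, locked, unparsed = triage(SAMPLE_REPORT)
    for f in delete_list(findings):
        print(f"{f.severity:12} {f.on_disk}  ({', '.join(sorted(f.verdicts))})")
    print(f"{len(locked)} locked objects skipped; clean re-scan: {is_clean(CLEAN_REPORT)}")
```

Run it as a script to print the delete list. A re-scan counts as clean when triage() returns no findings, however many locked objects remain; only the result lines are parsed, and header lines land in the unparsed list rather than being dropped.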

sopoku
2008-06-21, 14:54
Hi Shaba,

Sorry for the delay, but I went away for the last 2 days.
So, I deleted the infected files and ran the Kaspersky online scan and HJT. Here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 21, 2008 11:22:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/06/2008
Kaspersky Anti-Virus database records: 879823
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
O:\

Scan Statistics:
Total number of scanned objects: 120428
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:10:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12072006-082717.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Application Data\Microsoft\Windows Defender\FileTracker\{CEC5EF4B-ABC1-466E-B3BA-036D5E2FDF54} Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Histórico\History.IE5\MSHist012008062020080621\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\temp\Perflib_Perfdata_af4.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\temp\Perflib_Perfdata_d0.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\temp\Perflib_Perfdata_dd0.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Helder Dias\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Helder Dias\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Programas\Symantec AntiVirus\SAVRT\0315NAV~.TMP Object is locked skipped
C:\Programas\Symantec AntiVirus\SAVRT\0745NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
M:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
N:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
O:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:46, on 21-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Symantec AntiVirus\DefWatch.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\Programas\Java\jre1.6.0_06\bin\jusched.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\AveDesk\AveDesk.exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\Programas\Microsoft Office\Office12\OUTLOOK.EXE
C:\Programas\uTorrent\uTorrent.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clix.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Programas\AveDesk\AveDesk.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Programas\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ATI Tray Tools.lnk = C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196441605638
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programas\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8960 bytes

Many Thanks

Shaba
2008-06-21, 14:55
Hi

Logs look good.

Does Symantec have AV only?
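
Added example (mine, not from the thread or from HijackThis) for the check behind "Logs look good": a Python script that parses two HijackThis logs, reports which running processes and which Rn/On entries were added, removed or changed between them, and lists the entries an analyst verifies by hand, namely the O17 NameServer line (the resolvers should be the ISP's) and any O23 service with an unknown owner or a missing binary. Function names and the flag wording are this example's own; the log excerpts are lines from the 18-06 and 21-06 logs posted above.

```python
"""Diff two HijackThis logs and list the entries an analyst double-checks.

Added example: not code from the thread or from HijackThis. It parses the
"Running processes" list and every "Rn/On - ..." entry of two logs, reports
what changed between them, and flags O17 DNS servers and O23 services whose
owner is unknown or whose binary is missing. Names and flag text are my own.
"""
import re

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")


def entry_key(etype, body):
    """Stable key per entry, so an edited line shows as 'changed' rather than remove + add."""
    if etype == "O23":                    # "Service: Display name (short) - Owner - Path"
        return body.split(" - ", 1)[0]
    if etype == "O4" and "] " in body:    # "HKLM\..\Run: [Name] command"
        return body.split("] ", 1)[0] + "]"
    return body


def parse_hjt(text):
    """Return (set of running processes, {(type, key): full entry body}) for one log."""
    procs, entries, in_procs = set(), {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                procs.add(line)
            else:
                in_procs = False          # the blank line ends the process list
            continue
        if m := ENTRY_RE.match(line):
            entries[(m["type"], entry_key(m["type"], m["body"]))] = m["body"]
    return procs, entries


def diff_logs(old_text, new_text):
    old_procs, old = parse_hjt(old_text)
    new_procs, new = parse_hjt(new_text)
    common = old.keys() & new.keys()
    return {
        "procs_added": sorted(new_procs - old_procs),
        "procs_removed": sorted(old_procs - new_procs),
        "added": sorted(f"{t} - {new[(t, k)]}" for t, k in new.keys() - old.keys()),
        "removed": sorted(f"{t} - {old[(t, k)]}" for t, k in old.keys() - new.keys()),
        "changed": sorted((f"{t} - {k}", old[(t, k)], new[(t, k)])
                          for t, k in common if old[(t, k)] != new[(t, k)]),
    }


def review_flags(text):
    """Prompts for manual verification, not malware verdicts."""
    _procs, entries = parse_hjt(text)
    flags = []
    for (etype, _key), body in sorted(entries.items()):
        if etype == "O17" and "NameServer" in body:
            flags.append(("confirm these DNS servers belong to your ISP", f"{etype} - {body}"))
        elif etype == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            flags.append(("service with unknown owner or missing binary", f"{etype} - {body}"))
    return flags


# Excerpts of the 18-06 and 21-06 logs posted in this thread (sample input, shortened).
OLD_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
"""
NEW_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\Programas\uTorrent\uTorrent.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
"""

if __name__ == "__main__":
    for section, items in diff_logs(OLD_LOG, NEW_LOG).items():
        print(section, *items, sep="\n  ")
    for reason, entry in review_flags(NEW_LOG):
        print(f"CHECK ({reason}): {entry}")
```

Flags are prompts, not verdicts: an O23 entry marked "(file missing)" is usually a stale registration left behind by an uninstall, and an O17 entry is only a problem if the addresses are not your ISP's resolvers.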

sopoku
2008-06-21, 16:07
Hi again, Shaba.

Thanks for your fast reply.

Regarding your question, I'm using Symantec Corporate Edition (AV only), plus I'm also using AVG Anti-Spyware and Windows Defender. My firewall is the XP one.
Should I use something else? For instance, TeaTimer instead of AVG or Windows Defender? I would appreciate your advice.

One more time, thanks for your help.

Shaba
2008-06-21, 16:28
Hi

I recommend that you then install a 3rd-party firewall from the list below:

Looking over your log, there is no evidence of a third-party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/) (during installation, uncheck "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

After that, please post back a fresh HijackThis log :)

sopoku
2008-06-21, 17:32
Hi Shaba,

Just installed Comodo Firewall.
Here is the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:28:09, on 21-06-2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\COMODO\Firewall\cmdagent.exe
C:\Programas\Symantec AntiVirus\DefWatch.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Symantec AntiVirus\Rtvscan.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe
C:\Programas\Java\jre1.6.0_06\bin\jusched.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Programas\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\AveDesk\AveDesk.exe
C:\Programas\uTorrent\uTorrent.exe
C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programas\Microsoft Office\Office12\OUTLOOK.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clix.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\_avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programas\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVEDESK] "C:\Programas\AveDesk\AveDesk.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Programas\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] cmd.exe /c md "%USERPROFILE%\Definições locais\Temp" (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ATI Tray Tools.lnk = C:\Programas\Ray Adams\ATI Tray Tools\atitray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196441605638
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D986BA-1CA8-44ED-8C69-536635C23B47}: NameServer = 195.23.129.126,194.79.69.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Programas\COMODO\Firewall\cmdagent.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programas\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programas\Ficheiros comuns\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Nero\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programas\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programas\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9212 bytes

I've turned off Windows Firewall. Is this right?

Thanks

Shaba
2008-06-21, 18:43
Hi

Yes :)

Log looks good.

Any issues left?

sopoku
2008-06-21, 18:50
Hi again,

Nothing more, I think. Just want to thank you for your help and divine patience.:laugh:

All the best

Shaba
2008-06-21, 18:59
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
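The six Internet Explorer zone settings in the "Make your Internet Explorer more secure" steps above live as DWORD values under the Internet zone registry key, so a defender can verify them from a regedit export instead of clicking through the dialog. The script below is an added example, not code from the thread or from any of the tools it names. It assumes a .reg file produced by regedit's Export of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, and the numeric action identifiers (1001, 1004, 1201, 1800, 1804, 1607) and action values (0 = Enable, 1 = Prompt, 3 = Disable) are transcribed from Microsoft's documentation of zone settings; the sample export is constructed so that two settings are still at the weak default.

```python
"""Audit the Internet-zone settings recommended in the thread against a .reg export.

Added example, not from the thread. The action IDs below are the editor's
transcription of Microsoft's documented Internet Explorer zone-action IDs
(an assumption to verify against KB182569 on your own system).
"""
import re

# Action ID -> (setting name as shown in the IE dialog, recommended value)
# 0 = Enable, 1 = Prompt, 3 = Disable (assumed from Microsoft's documentation).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
ACTION_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"

# Constructed sample export: 1800 and 1804 are still Enable (the weak default).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000000
"1607"=dword:00000001
"""

DWORD_RE = re.compile(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone_values(reg_text):
    """Return {value_name: int} for dword values found under the Internet zone key only."""
    values = {}
    in_zone = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new key header: only the Internet zone (zone 3) is of interest.
            in_zone = (line == ZONE_KEY)
            continue
        if not in_zone:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(reg_text):
    """Return (setting, current, recommended) for every setting that deviates.

    A value missing from the export is reported as 'None', because an absent
    value means IE falls back to its default rather than the hardened choice.
    """
    current = parse_zone_values(reg_text)
    findings = []
    for value_id, (name, wanted) in RECOMMENDED.items():
        have = current.get(value_id)
        if have != wanted:
            findings.append((name, ACTION_NAMES.get(have, str(have)), ACTION_NAMES[wanted]))
    return findings


if __name__ == "__main__":
    for name, have, want in audit_zone(SAMPLE_REG):
        print(f"{name}: is {have}, should be {want}")
```

Run it against a real export by replacing SAMPLE_REG with the file's contents; anything it prints is a setting the dialog steps above would change. Note that the export must come from the current user's hive (HKCU), because the zone settings the dialog edits are per-user.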
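The MVPS Hosts file entry above works by mapping ad and tracking hostnames to 127.0.0.1 (or 0.0.0.0), so the only thing a hosts file on a home PC should ever do is sink names to the local machine. The script below is an added example, not code from the thread or from the MVPS project: it parses hosts-file syntax (address, one or more hostnames, optional # comment), counts how many names are sunk locally, and flags any hostname mapped to some other address, which is the check worth running after installing a third-party hosts list. The sample hosts content is constructed (hostnames under the reserved .invalid domain) and is not the real MVPS list.

```python
"""Parse and audit a Windows-style HOSTS file (added example, not from the thread).

Reports how many hostnames are sunk to the local machine and lists any
hostname that points somewhere other than loopback, since a blocking hosts
file should contain nothing else.
"""
import ipaddress

# Constructed sample shaped like a blocking hosts file (not the real MVPS list).
SAMPLE_HOSTS = """\
# Header comment, as a real hosts file has
127.0.0.1 localhost
0.0.0.0 ad.example-tracker.invalid   # 0.0.0.0 is also used as a sink
127.0.0.1 banner.example-ads.invalid
127.0.0.1 www.example-ads.invalid www2.example-ads.invalid
10.0.0.5 update.example-vendor.invalid   # not loopback: worth a second look
not-an-address broken.invalid
"""

# Addresses that send a name to the local machine instead of the network.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (address, hostname) pairs, one per hostname, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is not a usable entry
        address, hostnames = parts[0], parts[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed address: skip rather than trust it
        for host in hostnames:
            entries.append((address, host.lower()))
    return entries


def audit_hosts(text):
    """Return (blocked_count, redirected).

    blocked_count: hostnames other than 'localhost' sunk to the local machine.
    redirected:    (address, hostname) pairs mapped to a non-loopback address.
    """
    entries = parse_hosts(text)
    blocked = [h for a, h in entries if a in LOCAL_SINKS and h != "localhost"]
    redirected = [(a, h) for a, h in entries if a not in LOCAL_SINKS]
    return len(blocked), redirected


if __name__ == "__main__":
    count, odd = audit_hosts(SAMPLE_HOSTS)
    print(f"{count} hostnames sunk to the local machine")
    for addr, host in odd:
        print(f"WARNING: {host} is mapped to {addr}, not to loopback")
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into the text argument; a blocking list like MVPS should give a large blocked count and an empty redirected list.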

sopoku
2008-06-22, 03:53
Hi again,

Thanks for the heads up.

All the best. :bigthumb:

Shaba
2008-06-27, 19:20
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.