Virtumonde



Jmartins
2008-07-26, 20:55
Hello,

After running Spybot Search & Destroy, my computer has 3 types of Virtumonde: Virtumonde, Virtumonde.dll and the other I don't remember.
Some things happened on the computer: I can't change the background image, the Windows Firewall and Automatic Updates turn themselves off automatically, and the computer is running slow; when I open the internet browser it opens a popup with advertising. Can you help me please?

This is the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:18, on 2008-07-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\PHC2008\phccorporate.EXE
C:\Programas\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Microsoft Office\Office10\WINWORD.EXE
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.5000.1021\pt-pt\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BMbfbca421] Rundll32.exe "C:\WINDOWS\system32\ivfnvbjf.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Programas\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: BJ Status Monitor Canon i560.lnk = C:\Documents and Settings\user\cnmss Canon i560 (Local).exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programas\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programas\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programas\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Estatísticas do Anti-vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
O18 - Filter: text/plain - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7022 bytes

Shaba
2008-07-28, 07:40
Hi Jmartins

Rename HijackThis.exe to Jmartins.exe and post back a fresh hijackthis log, please :)

Jmartins
2008-07-28, 16:30
I've renamed the HijackThis.exe to Jmartins.exe and the log is this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:28, on 2008-07-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programas\Spyware Doctor\pctsAuxs.exe
C:\Programas\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Microsoft Office\Office10\WINWORD.EXE
C:\PHC2009\phccorporate.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Trend Micro\HijackThis\Jmartins.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {09A4EB08-D342-4C2A-8F26-EF80D0287759} - (no file)
O2 - BHO: (no name) - {0CBF5A0D-FA99-4947-B3FF-41195303DF74} - (no file)
O2 - BHO: (no name) - {4284F5F2-DB4D-4EF1-88D3-3A36D9545AE2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {82336A8D-6CD0-4647-B791-75FCA8CF2B39} - (no file)
O2 - BHO: (no name) - {84073892-A340-41C0-B705-F098AC425BD0} - (no file)
O2 - BHO: (no name) - {8B002C3D-5DA3-400C-8EBA-5BFF2532C834} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A4CB0911-74A7-4052-98B1-1ECECCF2F5AD} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.5000.1021\pt-pt\msntb.dll
O2 - BHO: (no name) - {C88967B4-03D4-4AB2-907A-5AFDC84556B6} - (no file)
O2 - BHO: (no name) - {DFEE1667-ED4A-4BA2-9D21-99471FC9460A} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.5000.1021\pt-pt\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ISTray] "C:\Programas\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMbfbca421] Rundll32.exe "C:\WINDOWS\system32\reeiklnt.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Programas\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: BJ Status Monitor Canon i560.lnk = C:\Documents and Settings\user\cnmss Canon i560 (Local).exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programas\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programas\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programas\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Estatísticas do Anti-vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
O18 - Filter: text/plain - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
O20 - Winlogon Notify: hgGyYSJC - hgGyYSJC.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programas\Spyware Doctor\pctsSvc.exe

--
End of file - 8220 bytes
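Added example, not part of the thread and not HijackThis's own analysis: a small Python triage script that scans HijackThis log lines like the ones above and flags what a helper reads first. The rules are my own heuristics: a Run value whose name follows the BM + 8 hex digits pattern seen here (BMbfbca421, whose DLL changes from ivfnvbjf.dll to reeiklnt.dll between the two logs) and any Rundll32 entry loading a random-looking lowercase DLL from system32, the text/html MIME filter hijack, the Winlogon Notify package, Trusted Zone additions, the O17 DNS servers, and registrations that point at a missing file. The sample lines are copied from the logs in this thread (plus the benign NvCplDaemon entry to show a Rundll32 line that must not fire); severities and wording are constructed for the example.

```python
"""Triage of HijackThis log lines for the kind of traces seen in this thread.

Every hit is something to review, not proof of infection: the rules are
heuristics written for this example, not HijackThis's own analysis.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, plus the benign NvCplDaemon entry to show a Rundll32 line that
# must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {09A4EB08-D342-4C2A-8F26-EF80D0287759} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMbfbca421] Rundll32.exe "C:\WINDOWS\system32\reeiklnt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Filter hijack: text/html - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
O20 - Winlogon Notify: hgGyYSJC - hgGyYSJC.dll (file missing)
"""

SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    severity: str
    line: str
    reasons: List[str] = field(default_factory=list)


# O4 Run / RunOnce entries: "O4 - HKLM\..\Run: [value name] command"
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$')
# First DLL handed to rundll32, quoted or not
RUNDLL_TARGET_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)', re.IGNORECASE)
# 6-9 lowercase letters + .dll: the shape of the DLL names in this thread's logs
RANDOM_DLL_RE = re.compile(r'^[a-z]{6,9}\.dll$')
# Value name shape observed in this thread: BM followed by 8 hex digits
VUNDO_KEY_RE = re.compile(r'^BM[0-9a-f]{8}$')
ORPHAN_RE = re.compile(r'\((?:no file|file missing)\)\s*$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)')


def _basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def check_line(line: str) -> Optional[Finding]:
    """Apply every rule to one log line; return a Finding or None if clean."""
    reasons: List[str] = []
    severity = "info"

    def hit(sev: str, why: str) -> None:
        nonlocal severity
        reasons.append(why)
        if SEVERITY_ORDER[sev] > SEVERITY_ORDER[severity]:
            severity = sev

    m = O4_RUN_RE.match(line)
    if m:
        key, cmd = m.group("key"), m.group("cmd")
        if VUNDO_KEY_RE.match(key):
            hit("high", f"Run value name '{key}' matches the BM+8-hex pattern seen in this thread")
        t = RUNDLL_TARGET_RE.search(cmd)
        if t:
            name = _basename(t.group("path"))
            if "\\system32\\" in t.group("path").lower() and RANDOM_DLL_RE.match(name):
                hit("high", f"rundll32 loads '{name}', a random-looking lowercase DLL from system32")
    if line.startswith("O15 - Trusted Zone:"):
        hit("medium", "site added to the IE Trusted Zone; confirm the user added it")
    m = O17_RE.match(line)
    if m:
        hit("info", f"DNS servers set to {m.group('servers')}; confirm they are expected")
    if line.startswith("O18 - Filter hijack:"):
        hit("high", "MIME filter hijack registered (can rewrite page content before IE renders it)")
    if line.startswith("O20 - Winlogon Notify:"):
        hit("high", "Winlogon Notify package (loaded into winlogon.exe at logon)")
    if ORPHAN_RE.search(line):
        hit("low", "registration points at a missing file (orphan); fix the entry")
    return Finding(severity, line, reasons) if reasons else None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over a log and return findings, highest severity first."""
    found = [f for f in (check_line(l.strip()) for l in lines if l.strip()) if f]
    return sorted(found, key=lambda f: -SEVERITY_ORDER[f.severity])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity:6}] {f.line}")
        for r in f.reasons:
            print("         -", r)
    print(summarize(results))
```

Run it against a real log with `triage(open("hijackthis.log").read().splitlines())`. The lowercase-DLL rule is deliberately narrow (it ignores NvCpl.dll and cmicnfg.cpl) so that the Vundo-style entries stand out without drowning the helper in false positives; anything it misses still has to be read by hand, which is how these threads actually work.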

Shaba
2008-07-28, 16:42
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Jmartins
2008-07-28, 18:04
Combofix log:

ComboFix 08-07-27.5 - user 2008-07-28 16:13:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.126 [GMT 1:00]
Executando de: C:\Documents and Settings\user\Ambiente de trabalho\ComboFix.exe
* Criado um novo ponto de restauro
* Resident AV is active


ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aqpmiouq.ini
C:\WINDOWS\system32\avcxsksi.dll
C:\WINDOWS\system32\bfxgdcrw.ini
C:\WINDOWS\system32\bnavfd.dll
C:\WINDOWS\system32\caeqsswx.ini
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\cppmduwn.dll
C:\WINDOWS\system32\cwgospyn.ini
C:\WINDOWS\system32\eilfxhrd.ini
C:\WINDOWS\system32\fddmqd.dll
C:\WINDOWS\system32\glrpub.dll
C:\WINDOWS\system32\gppaotaj.ini
C:\WINDOWS\system32\GQtvGfhk.ini
C:\WINDOWS\system32\GQtvGfhk.ini2
C:\WINDOWS\system32\hemppt.dll
C:\WINDOWS\system32\isksxcva.ini
C:\WINDOWS\system32\ityhpspn.dll
C:\WINDOWS\system32\jbsicrie.dll
C:\WINDOWS\system32\lercwwtu.ini
C:\WINDOWS\system32\ljaecsyc.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjvqhmbi.dll
C:\WINDOWS\system32\mpdeymmo.dll
C:\WINDOWS\system32\mshmurep.dll
C:\WINDOWS\system32\nwudmppc.ini
C:\WINDOWS\system32\nypsogwc.dll
C:\WINDOWS\system32\oraxkesa.dll
C:\WINDOWS\system32\qikaqdfh.dll
C:\WINDOWS\system32\rfarnrqd.dll
C:\WINDOWS\system32\slejnfdv.dll
C:\WINDOWS\system32\sxpnel.dll
C:\WINDOWS\system32\utwwcrel.dll
C:\WINDOWS\system32\xdtryaon.ini
C:\WINDOWS\system32\yxFMonnn.ini
C:\WINDOWS\system32\yxFMonnn.ini2
C:\WINDOWS\system32\zoeffy.dll

.
((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-28 ))))))))))))))))))))))))))))))))
.

2008-07-28 13:51 . 2008-07-28 14:48 <DIR> d-------- C:\PHC2009
2008-07-28 09:10 . 2008-07-28 09:10 105,472 --a------ C:\WINDOWS\system32\scpqmebq.dll
2008-07-28 09:08 . 2008-07-28 09:08 91,648 --a------ C:\WINDOWS\system32\reeiklnt.dll
2008-07-28 08:59 . 2008-07-28 08:59 83,456 --------- C:\WINDOWS\system32\wrcdgxfb.dll
2008-07-28 08:56 . 2008-07-28 08:56 105,472 --a------ C:\WINDOWS\system32\vkpagf.dll
2008-07-28 08:56 . 2008-07-28 08:56 105,472 --a------ C:\WINDOWS\system32\iaowttuu.dll
2008-07-28 08:54 . 2008-07-28 08:54 91,648 --a------ C:\WINDOWS\system32\sbgfteay.dll
2008-07-25 16:41 . 2008-07-25 16:41 177 ---hs---- C:\WINDOWS\system32\gppaotaj.tmp
2008-07-25 16:12 . 2008-07-25 16:22 <DIR> d-------- C:\Programas\Spyware Doctor
2008-07-25 16:12 . 2008-07-25 16:12 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
2008-07-25 16:12 . 2008-07-28 16:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-25 16:12 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-25 16:12 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-25 16:12 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-25 16:12 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-24 16:39 . 2008-07-24 16:39 83,456 --a------ C:\WINDOWS\system32\xwssqeac.dll
2008-07-24 16:35 . 2008-07-24 16:35 105,472 --a------ C:\WINDOWS\system32\ckkxmw.dll
2008-07-24 16:35 . 2008-07-24 16:35 105,472 --a------ C:\WINDOWS\system32\apjdjoap.dll
2008-07-24 15:40 . 2008-07-24 15:40 <DIR> d-------- C:\VundoFix Backups
2008-07-23 15:52 . 2008-07-23 15:52 <DIR> d-------- C:\Programas\Trend Micro
2008-07-22 10:46 . 2008-07-22 10:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\Uniblue
2008-07-21 11:55 . 2008-07-21 11:56 <DIR> d-------- C:\Programas\Spybot - Search & Destroy
2008-07-21 11:31 . 2008-07-21 11:31 <DIR> d-------- C:\Programas\CCleaner
2008-07-18 15:28 . 2008-07-28 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 10:34 . 2008-07-28 12:20 <DIR> dr------- C:\José Martins
2008-07-17 18:25 . 2008-07-28 16:45 111,552 --a------ C:\WINDOWS\BMbfbca421.xml
2008-07-17 12:24 . 2008-07-17 15:06 414 ---hs---- C:\WINDOWS\system32\hxisfarh.ini
2008-07-01 15:38 . 2008-07-01 15:38 <DIR> d-------- C:\Programas\MSECache

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 15:47 17,629,728 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-28 15:45 606,496 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-28 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-28 15:42 57,764 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-28 15:42 240,008 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-28 12:52 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-07-24 10:37 96,559 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-24 10:37 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-23 15:53 --------- d-----w C:\Programas\Microsoft AntiSpyware
2008-07-17 10:45 98,376 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:48 --------- d-----w C:\Programas\PDFCreator
2008-06-14 17:59 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 15:19 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2006-12-27 09:50 1,408,021 ----a-w C:\Documents and Settings\user\Application Data\Install.dat
2003-04-21 06:00 12,800 ----a-w C:\Documents and Settings\user\cnmss Canon i560 (Local).exe
2003-04-21 06:00 12,800 ----a-w C:\Documents and Settings\LocalService\cnmss Canon i560 (Local).exe
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnappau"="C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe" [2004-08-13 18:41 86016]
"AdaptecDirectCD"="C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15 684032]
"SunJavaUpdateSched"="C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44 32881]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-11-17 03:33 3022848]
"BMbfbca421"="C:\WINDOWS\system32\reeiklnt.dll" [2008-07-28 09:08 91648]
"nwiz"="nwiz.exe" [2003-11-17 03:33 753664 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\user\Menu Iniciar\Programas\Arranque\
BJ Status Monitor Canon i560.lnk - C:\Documents and Settings\user\cnmss Canon i560 (Local).exe [2004-06-28 15:07:52 12800]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Microsoft Office.lnk - C:\Programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\Messenger\\MsMsgs.EXE"=
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\MSN Messenger\\livecall.exe"=

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-08-05 07:14]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 15:58]
S3 SNPP106;PC CAMERA DATA SOURCE(6029)1.0(32-32);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2002-11-27 08:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76c2f1b6-75bb-11dc-b682-000b6a464633}]
\Shell\Auto\command - alftynblj.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL alftynblj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf654c40-ae3e-11dc-b6cc-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf654c42-ae3e-11dc-b6cc-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb09336-baa8-11dc-b6e1-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb09337-baa8-11dc-b6e1-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
- - - - ORFAOS REMOVIDOS - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-hgGyYSJC - hgGyYSJC.dll


.
------- Ccan Suplementar -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.pt/
R0 -: HKLM-Main,Start Page = about:blank
R0 -: HKLM-Main,Search Bar = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O8 -: &Yahoo! Search - file:///C:\Programas\Yahoo!\Common/ycsrch.htm
O8 -: E&xportar para o Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Yahoo! &Dictionary - file:///C:\Programas\Yahoo!\Common/ycdict.htm
O8 -: Yahoo! &Maps - file:///C:\Programas\Yahoo!\Common/ycmap.htm


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-28 16:44:41
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
------------------------ Outros Processos em Execução ------------------------
.
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-07-28 16:52:46 - Maquina reiniciou [user]
ComboFix-quarantined-files.txt 2008-07-28 15:52:33

Pre-Run: 111,079,550,976 bytes livres
Post-Run: 110,886,572,032 bytes livres

192 --- E O F --- 2008-07-09 08:05:53
Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:04:04, on 28-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PHC2009\phccorporate.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Trend Micro\HijackThis\Jmartins.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.5000.1021\pt-pt\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.5000.1021\pt-pt\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMbfbca421] Rundll32.exe "C:\WINDOWS\system32\reeiklnt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: BJ Status Monitor Canon i560.lnk = C:\Documents and Settings\user\cnmss Canon i560 (Local).exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programas\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programas\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programas\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Estatísticas do Anti-vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O18 - Filter: text/plain - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programas\Spyware Doctor\pctsSvc.exe

--
End of file - 6404 bytes

Shaba
2008-07-28, 18:51
Hi

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\scpqmebq.dll
C:\WINDOWS\system32\reeiklnt.dll
C:\WINDOWS\system32\wrcdgxfb.dll
C:\WINDOWS\system32\vkpagf.dll
C:\WINDOWS\system32\iaowttuu.dll
C:\WINDOWS\system32\sbgfteay.dll
C:\WINDOWS\system32\gppaotaj.tmp
C:\WINDOWS\system32\xwssqeac.dll
C:\WINDOWS\system32\ckkxmw.dll
C:\WINDOWS\system32\apjdjoap.dll
C:\WINDOWS\BMbfbca421.xml
C:\WINDOWS\system32\hxisfarh.ini

DirLook::
C:\PHC2009

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMbfbca421"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

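The CFScript above lists the Virtumonde loader DLL under File:: and deletes its Run value under Registry::. As an added example (not the thread's, HijackThis's or ComboFix's own code), this Python script flags the two kinds of loading point visible in the HijackThis log (a rundll32 Run entry loading an unknown system32 DLL, and an O18 MIME filter whose DLL is gone) and emits the matching File::/Registry:: sections. The rundll32 allowlist, the "BM" plus 8 hex digits value-name pattern and the sample log lines are assumptions constructed from this thread's entries.

```python
"""Flag suspicious loading points in HijackThis log lines and build a CFScript."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: O4 and O18 lines as they appear in this thread,
# plus benign entries (NvCpl, ctfmon) to show that they are not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMbfbca421] Rundll32.exe "C:\WINDOWS\system32\reeiklnt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/plain - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
"""

# Assumption: a site allowlist of DLLs rundll32 legitimately loads at logon.
# NvCpl.dll is the only legitimate rundll32 Run entry in this thread.
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll"}

# Value-name shape of the loader entry seen in this thread: "BM" + 8 hex digits.
BM_NAME_RE = re.compile(r"^BM[0-9a-f]{8}$")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([a-z]:\\[^",]+\.dll)"?')
O18_RE = re.compile(r"^O18 - Filter: (\S+) - \{[0-9A-Fa-f-]+\} - (.+)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Finding:
    line: str
    reason: str
    file: Optional[str] = None       # path to list under File::
    reg_key: Optional[str] = None    # key holding the value to delete
    reg_value: Optional[str] = None  # value name to delete ("name"=-)


def analyze(log_text: str) -> list:
    """Return one Finding per suspicious O4/O18 line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            dll = RUNDLL_RE.search(cmd)
            if dll:
                path = dll.group(1)
                base = path.rsplit("\\", 1)[-1].lower()
                if base not in KNOWN_RUNDLL_TARGETS or BM_NAME_RE.match(name):
                    findings.append(Finding(
                        line, "rundll32 loads an unknown DLL from a Run key",
                        file=path, reg_key=HIVES[hive] + RUN_KEY, reg_value=name))
            continue
        m = O18_RE.match(line)
        if m and m.group(2).strip() == "(no file)":
            # Orphaned MIME filter: reported only; the thread shows no CFScript
            # syntax for O18 entries, so none is generated here.
            findings.append(Finding(
                line, f"MIME filter for {m.group(1)} points to a missing DLL"))
    return findings


def build_cfscript(findings: list) -> str:
    """Emit File:: and Registry:: sections in the format used in this thread."""
    files = [f.file for f in findings if f.file]
    regs = [(f.reg_key, f.reg_value) for f in findings if f.reg_key]
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if regs:
        lines = ["Registry::"]
        for key, value in regs:
            lines.append(f"[{key}]")
            lines.append(f'"{value}"=-')
        parts.append("\n".join(lines))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}:\n    {f.line}")
    print("\n--- CFScript ---\n" + build_cfscript(found))
```
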
Jmartins
2008-07-29, 12:15
Combofix log:

ComboFix 08-07-28.4 - user 2008-07-29 10:49:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.261 [GMT 1:00]
Executando de: C:\Documents and Settings\user\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Ambiente de trabalho\CFScript.txt
* Criado um novo ponto de restauro
* Resident AV is active


ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\WINDOWS\BMbfbca421.xml
C:\WINDOWS\system32\apjdjoap.dll
C:\WINDOWS\system32\ckkxmw.dll
C:\WINDOWS\system32\gppaotaj.tmp
C:\WINDOWS\system32\hxisfarh.ini
C:\WINDOWS\system32\iaowttuu.dll
C:\WINDOWS\system32\reeiklnt.dll
C:\WINDOWS\system32\sbgfteay.dll
C:\WINDOWS\system32\scpqmebq.dll
C:\WINDOWS\system32\vkpagf.dll
C:\WINDOWS\system32\wrcdgxfb.dll
C:\WINDOWS\system32\xwssqeac.dll
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbfbca421.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apjdjoap.dll
C:\WINDOWS\system32\ckkxmw.dll
C:\WINDOWS\system32\gppaotaj.tmp
C:\WINDOWS\system32\hxisfarh.ini
C:\WINDOWS\system32\iaowttuu.dll
C:\WINDOWS\system32\reeiklnt.dll
C:\WINDOWS\system32\sbgfteay.dll
C:\WINDOWS\system32\scpqmebq.dll
C:\WINDOWS\system32\vkpagf.dll
C:\WINDOWS\system32\wrcdgxfb.dll
C:\WINDOWS\system32\xwssqeac.dll

.
((((((((((((((((((((((( Ficheiros criados de 2008-06-28 to 2008-07-29 ))))))))))))))))))))))))))))))))
.

2008-07-28 16:52 . 2008-07-28 16:52 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais
2008-07-28 16:52 . 2008-07-28 16:52 <DIR> d-------- C:\Documents and Settings\user\Definições locais
2008-07-28 16:52 . 2008-07-28 16:52 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais
2008-07-28 16:52 . 2008-07-28 16:52 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais
2008-07-28 16:52 . 2008-07-28 16:52 <DIR> d-------- C:\Documents and Settings\Administrador\Definições locais
2008-07-28 13:51 . 2008-07-29 09:42 <DIR> d-------- C:\PHC2009
2008-07-25 16:12 . 2008-07-25 16:22 <DIR> d-------- C:\Programas\Spyware Doctor
2008-07-25 16:12 . 2008-07-25 16:12 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
2008-07-25 16:12 . 2008-07-28 16:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-25 16:12 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-25 16:12 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-25 16:12 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-25 16:12 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-23 15:52 . 2008-07-23 15:52 <DIR> d-------- C:\Programas\Trend Micro
2008-07-22 10:46 . 2008-07-22 10:46 <DIR> d-------- C:\Documents and Settings\user\Application Data\Uniblue
2008-07-21 11:55 . 2008-07-21 11:56 <DIR> d-------- C:\Programas\Spybot - Search & Destroy
2008-07-21 11:31 . 2008-07-21 11:31 <DIR> d-------- C:\Programas\CCleaner
2008-07-18 15:28 . 2008-07-28 16:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-18 10:34 . 2008-07-29 10:41 <DIR> dr------- C:\José Martins
2008-07-01 15:38 . 2008-07-01 15:38 <DIR> d-------- C:\Programas\MSECache

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 10:05 17,928,992 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-29 10:02 618,784 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-29 10:01 60,032 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-29 10:01 244,016 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-29 09:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-28 12:52 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-07-24 10:37 96,559 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-24 10:37 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-23 15:53 --------- d-----w C:\Programas\Microsoft AntiSpyware
2008-07-17 10:45 98,376 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2008-06-20 17:41 248,320 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:48 --------- d-----w C:\Programas\PDFCreator
2008-06-14 17:59 272,640 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 15:19 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-07 05:15 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll
2006-12-27 09:50 1,408,021 ----a-w C:\Documents and Settings\user\Application Data\Install.dat
2003-04-21 06:00 12,800 ----a-w C:\Documents and Settings\user\cnmss Canon i560 (Local).exe
2003-04-21 06:00 12,800 ----a-w C:\Documents and Settings\LocalService\cnmss Canon i560 (Local).exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\PHC2009 ----

2008-07-29 10:23 3712 --a------ C:\PHC2009\Onerror.FPT
2008-07-29 10:23 333827 --a------ C:\PHC2009\df.dbf
2008-07-29 10:23 11189 --a------ C:\PHC2009\Onerror.dbf
2008-07-29 10:20 704 --a------ C:\PHC2009\FOXUSER.FPT
2008-07-29 09:08 46080 --a------ C:\PHC2009\df.CDX
2008-07-28 18:15 830771 --a------ C:\PHC2009\foxCode.app
2008-07-28 18:15 392 --a------ C:\PHC2009\ep.dbf
2008-07-28 18:15 359424 --a------ C:\PHC2009\foxcode.fpt
2008-07-28 18:15 342744 --a------ C:\PHC2009\foxcode.dbf
2008-07-28 17:55 665 --a------ C:\PHC2009\FOXUSER.DBF
2008-07-28 17:27 952273 --a------ C:\PHC2009\db_DESILIDER2003\vision.dbc
2008-07-28 17:27 6818 --a------ C:\PHC2009\db_DESILIDER2003\RCEC.dbf
2008-07-28 17:27 3012416 --a------ C:\PHC2009\db_DESILIDER2003\vision.DCT
2008-07-28 17:27 22 --a------ C:\PHC2009\spronet.dbf
2008-07-28 17:27 155648 --a------ C:\PHC2009\db_DESILIDER2003\vision.DCX
2008-07-28 17:15 4096 --a------ C:\PHC2009\db_DESILIDER2003\rcec.CDX
2008-07-28 11:40 446 --a------ C:\PHC2009\paral.dbf
2008-07-28 11:40 413 --a------ C:\PHC2009\paral.old
2008-04-27 04:48 52593385 --a------ C:\PHC2009\phccorporate.exe
2008-04-27 04:23 39715388 --a------ C:\PHC2009\acesso9.exe
2008-04-26 11:42 379559 --a------ C:\PHC2009\cexec.EXE
2008-02-12 18:17 65 --a------ C:\PHC2009\lic.win
2007-02-02 11:57 662288 --a------ C:\PHC2009\mscomct2.ocx
2007-01-06 08:44 1444352 --a------ C:\PHC2009\Redemption.dll
2006-09-19 08:05 22017 --a------ C:\PHC2009\f_act2.avi
2006-08-04 10:44 17409 --a------ C:\PHC2009\f_act.avi
2006-04-05 20:06 143360 --a------ C:\PHC2009\vfpencryption71.fll
2004-12-13 12:16 53248 --a------ C:\PHC2009\foxtools.fll
2004-10-28 18:48 94208 --a------ C:\PHC2009\hndlib.dll
2004-10-26 15:53 619656 --a------ C:\PHC2009\Cfx4032.ocx
2004-10-15 09:54 757760 --a------ C:\PHC2009\ChilkatCrypt2x.dll
2004-10-15 09:54 757760 --a------ C:\PHC2009\ChilkatCrypt2.dll
2004-10-15 09:54 614400 --a------ C:\PHC2009\ChilkatUtil.dll
2004-10-15 09:54 585728 --a------ C:\PHC2009\ChilkatCert.dll
2004-09-17 14:12 7607 --a------ C:\PHC2009\msxmlx.cat
2004-09-17 13:51 891 --a------ C:\PHC2009\msxmlx.inf
2004-09-16 13:58 28672 --a------ C:\PHC2009\xfrxlib.fll
2004-07-15 16:16 1172992 --a------ C:\PHC2009\msxml3.dll
2004-04-15 08:54 78 --a------ C:\PHC2009\config.fpw
2004-03-09 09:31 167936 --a------ C:\PHC2009\Eztwain3.dll
2004-03-09 09:30 49152 --a------ C:\PHC2009\EZPdf.dll
2004-03-09 09:30 233472 --a------ C:\PHC2009\EZTiff.dll
2004-03-09 09:30 151552 --a------ C:\PHC2009\EZPng.dll
2004-03-09 09:30 118784 --a------ C:\PHC2009\EZGif.dll
2004-03-09 09:30 106496 --a------ C:\PHC2009\EZJpeg.dll
2004-02-19 09:46 253952 --a------ C:\PHC2009\ctmday.ocx
2003-11-18 00:37 72192 --a------ C:\PHC2009\zlib.dll
2003-10-30 14:48 134144 --a------ C:\PHC2009\SfxBar.dll
2003-10-23 15:02 577536 --a------ C:\PHC2009\OCX\ctSchedule.ocx
2003-08-08 11:04 44032 --a------ C:\PHC2009\msxml3r.dll
2003-06-17 11:36 155648 --a------ C:\PHC2009\OCX\ctCombo.ocx
2003-05-07 10:16 167936 --a------ C:\PHC2009\OCX\ctlstbar.ocx
2003-04-28 15:37 282624 --a------ C:\PHC2009\OCX\cttree.ocx
2003-04-08 09:31 61440 --a------ C:\PHC2009\ctGauge.ocx
2003-03-17 10:06 184320 --a------ C:\PHC2009\ctCalendar.ocx
2003-03-12 12:30 167936 --a------ C:\PHC2009\OCX\ctToolBar.ocx
2003-03-03 15:29 258048 --a------ C:\PHC2009\OCX\ctlist.ocx
2003-02-21 04:42 348160 --a------ C:\PHC2009\msvcr71.dll
2001-01-17 16:50 344156 --a------ C:\PHC2009\sxfoxnet.dll
2000-04-03 11:06 20480 --a------ C:\PHC2009\MyLoc.dll
1999-10-21 12:21 233472 --a------ C:\PHC2009\ctschedule.ocx
1999-08-06 10:07 249856 --a------ C:\PHC2009\dzactx.dll
1999-08-06 10:07 229376 --a------ C:\PHC2009\duzactx.dll
1999-06-22 09:59 362576 --a------ C:\PHC2009\ActBar.ocx
1999-05-19 11:15 385616 --a------ C:\PHC2009\dcube.ocx
1999-05-18 11:37 99760 --a------ C:\PHC2009\MMail32.OCX
1999-05-12 15:46 90112 --a------ C:\PHC2009\ctdate.ocx
1999-05-07 12:03 229376 --a------ C:\PHC2009\cttree.ocx
1999-04-28 14:23 49152 --a------ C:\PHC2009\cthtml.ocx
1999-04-27 16:46 188416 --a------ C:\PHC2009\ctlist.ocx
1999-04-14 09:31 77824 --a------ C:\PHC2009\ctbutton.ocx
1999-04-11 16:47 61440 --a------ C:\PHC2009\cttips.ocx
1999-04-11 16:28 53248 --a------ C:\PHC2009\ctscroll.ocx
1999-04-11 15:54 114688 --a------ C:\PHC2009\ctlstbar.ocx
1999-02-14 12:23 45056 --a------ C:\PHC2009\cthyplnk.ocx
1999-02-13 10:27 45056 --a------ C:\PHC2009\ctTray.ocx
1998-04-30 12:00 84992 --a------ C:\PHC2009\HASPFP32.DLL
1997-08-26 05:00 40960 --a------ C:\PHC2009\SXFOXPRO.DLL
1997-07-08 17:49 123 --a------ C:\PHC2009\FOX.REG
1997-07-01 12:02 519440 --a------ C:\PHC2009\Cfx32.ocx
1997-06-12 14:22 118272 --a------ C:\PHC2009\NSLMS324.DLL
1996-08-20 23:00 78848 --a------ C:\PHC2009\MSOUTL32.OCX
1996-02-19 17:03 326656 --a------ C:\PHC2009\MSVCRT40.DLL
1995-10-25 12:08 37888 --a------ C:\PHC2009\SK32W.DLL
1994-12-12 08:34 215 --a------ C:\PHC2009\scri.dbf


((((((((((((((((((((((((((((( snapshot@2008-07-28_16.51.33.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-28 13:47:04 67,560 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-29 08:35:27 67,560 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-07-28 13:47:04 78,520 ----a-w C:\WINDOWS\system32\perfc016.dat
+ 2008-07-29 08:35:27 78,520 ----a-w C:\WINDOWS\system32\perfc016.dat
- 2008-07-28 13:47:04 432,856 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-29 08:35:27 432,856 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-07-28 13:47:04 480,234 ----a-w C:\WINDOWS\system32\perfh016.dat
+ 2008-07-29 08:35:27 480,234 ----a-w C:\WINDOWS\system32\perfh016.dat
+ 2008-07-28 16:47:37 10,112 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnappau"="C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe" [2004-08-13 18:41 86016]
"AdaptecDirectCD"="C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 11:15 684032]
"SunJavaUpdateSched"="C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe" [2004-02-22 23:44 32881]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-11-17 03:33 3022848]
"nwiz"="nwiz.exe" [2003-11-17 03:33 753664 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Microsoft Office.lnk - C:\Programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"SpecifyDefaultButtons"= 0 (0x0)
"Btn_Search"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\Messenger\\MsMsgs.EXE"=
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\MSN Messenger\\livecall.exe"=

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-08-05 07:14]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 15:58]
S3 SNPP106;PC CAMERA DATA SOURCE(6029)1.0(32-32);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2002-11-27 08:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76c2f1b6-75bb-11dc-b682-000b6a464633}]
\Shell\Auto\command - alftynblj.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL alftynblj.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf654c40-ae3e-11dc-b6cc-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf654c42-ae3e-11dc-b6cc-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb09336-baa8-11dc-b6e1-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eeb09337-baa8-11dc-b6e1-000b6a464633}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 11:02:48
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
------------------------ Outros Processos em Execução ------------------------
.
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-07-29 11:09:56 - Maquina reiniciou
ComboFix-quarantined-files.txt 2008-07-29 10:09:48
ComboFix2.txt 2008-07-28 15:52:49

Pre-Run: 110,771,073,024 bytes livres
Post-Run: 110,817,718,272 bytes livres

256 --- E O F --- 2008-07-09 08:05:53

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:20, on 29-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PHC2009\phccorporate.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Trend Micro\HijackThis\Jmartins.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.5000.1021\pt-pt\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.5000.1021\pt-pt\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-pt\msnappau.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: BJ Status Monitor Canon i560.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programas\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programas\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programas\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Estatísticas do Anti-vírus de Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programas\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O18 - Filter: text/plain - {DDC7BD8D-91A8-47EF-BA78-F4598ED4CC74} - (no file)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programas\Spyware Doctor\pctsSvc.exe

--
End of file - 6135 bytes

Shaba
2008-07-29, 12:46
Hi

Do you recognize this program?

C:\PHC2009\phccorporate.exe

Jmartins
2008-07-30, 13:36
Yes, PHC is a program of the enterprise where I work and it's used to make invoices and other commercial things.

I've noticed that some things in that program disappeared like some boards.

Shaba
2008-07-30, 14:04
Hi

Thanks for the info.

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

Shaba
2008-08-05, 15:01
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.