View Full Version : Virtumonde - I cant get rid of it
Virtumonde is infecting my comp, maybe I have more threats (wgatray ?)
--------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:36:59, on 20-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\ApvxdWin.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Microsoft IntelliPoint\ipoint.exe
C:\Programas\QuickTime\QTTask.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Rokario\Bandwidth Monitor\bandmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Programas\GPSoftware\Directory Opus\dopus.exe
C:\Programas\FreeMem Standard\freemem.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Programas\MailWasher\MailWasher.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Spybot - Search & Destroy\SpybotSD.exe
C:\Programas\GaimPortable\App\gaim\gaim.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimreal.exe
C:\Documents and Settings\User\Ambiente de trabalho\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "c:\Programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [PPFW] c:\programas\panda security\panda antivirus + firewall 2008\firewall\PPFW.EXE PPFW.EXE /cmd:allowpandarules /prod:titanium /mod:7 /flg:2 /ver:7.0.0
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programas\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Programas\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8563] command /c del "C:\WINDOWS\system32\pvfgfbmn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3742] cmd /c del "C:\WINDOWS\system32\pvfgfbmn.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bandmon] C:\Programas\Rokario\Bandwidth Monitor\bandmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [DOpus] C:\Programas\GPSoftware\Directory Opus\dopus.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Programas\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Atalho para MailWasher.lnk = C:\Programas\MailWasher\MailWasher.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programas\Ficheiros comuns\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDEE9BE4-CB47-438D-B635-1C4DE514F10A}: NameServer = 192.168.1.1,194.79.69.222
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL lrstft.dll inhoxb.dll gjdbkb.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programas\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.6.711.24354 (GoogleDesktopManager-112407-114954) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
--
End of file - 9729 bytes
pskelley
2008-08-23, 02:21
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
2) Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
Hi. Thank you for your help. I had trouble using Combofix, had to do it 4 times until I closed Panda Security Firewall and programs that opened at startup. I hope its all right now.
here it is:
-----------------------------------------------------------------------------------
ComboFix 08-08-21.02 - User 2008-08-23 21:54:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.217 [GMT 1:00]
Executando de: C:\Documents and Settings\User\Ambiente de trabalho\ComboFix.exe
ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM076b96c5.txt
C:\WINDOWS\BM076b96c5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AyxEffii.ini
C:\WINDOWS\system32\AyxEffii.ini2
C:\WINDOWS\system32\gdhlhosh.dll
C:\WINDOWS\system32\gunteotl.dll
C:\WINDOWS\system32\ltoetnug.ini
C:\WINDOWS\system32\nmnuey.dll
C:\WINDOWS\system32\pdxmalxo.dll
C:\WINDOWS\system32\sbjbbmqg.exe
.
---- Previous Run -------
.
C:\Documents and Settings\User\Cookies\MM2048.DAT
C:\Documents and Settings\User\Cookies\MM256.DAT
C:\WINDOWS\BM076b96c5.txt
C:\WINDOWS\BM076b96c5.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\agecedup.dll
C:\WINDOWS\system32\allacbbu.exe
C:\WINDOWS\system32\arjqxbvo.dll
C:\WINDOWS\system32\AyxEffii.ini
C:\WINDOWS\system32\AyxEffii.ini2
C:\WINDOWS\system32\bdhqlyjh.exe
C:\WINDOWS\system32\bfwqbanp.dll
C:\WINDOWS\system32\bmrcikrj.ini
C:\WINDOWS\system32\bqpulomp.dll
C:\WINDOWS\system32\crbjdcub.exe
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\dqcyonfy.ini
C:\WINDOWS\system32\drlytfpf.ini
C:\WINDOWS\system32\ebeqjpxh.ini
C:\WINDOWS\system32\efanbmsa.dll
C:\WINDOWS\system32\eljabmou.exe
C:\WINDOWS\system32\enkokoqf.dll
C:\WINDOWS\system32\eragowrr.exe
C:\WINDOWS\system32\fjcnrq.dll
C:\WINDOWS\system32\fjmmdwmx.dll
C:\WINDOWS\system32\fqokokne.ini
C:\WINDOWS\system32\gwrmjvxc.exe
C:\WINDOWS\system32\hxpjqebe.dll
C:\WINDOWS\system32\idhdxfun.ini
C:\WINDOWS\system32\idljyauk.ini
C:\WINDOWS\system32\ietyhkap.ini
C:\WINDOWS\system32\jbyxracr.dll
C:\WINDOWS\system32\jcawkruw.dll
C:\WINDOWS\system32\kiayhbkh.exe
C:\WINDOWS\system32\kmcommgu.dll
C:\WINDOWS\system32\knnytz.dll
C:\WINDOWS\system32\maoohnsw.exe
C:\WINDOWS\system32\mddcwfsf.ini
C:\WINDOWS\system32\mecwdvis.ini
C:\WINDOWS\system32\odargxmb.exe
C:\WINDOWS\system32\omejweqf.exe
C:\WINDOWS\system32\pgeagc.dll
C:\WINDOWS\system32\pmolupqb.ini
C:\WINDOWS\system32\pnabqwfb.ini
C:\WINDOWS\system32\ppsecicy.ini
C:\WINDOWS\system32\prstv.bak1
C:\WINDOWS\system32\prstv.bak2
C:\WINDOWS\system32\prstv.ini
C:\WINDOWS\system32\prstv.ini2
C:\WINDOWS\system32\prstv.tmp
C:\WINDOWS\system32\qoyihlhd.exe
C:\WINDOWS\system32\qqwaaetp.ini
C:\WINDOWS\system32\rucrtqoy.dll
C:\WINDOWS\system32\tboothew.ini
C:\WINDOWS\system32\tvuauvao.dll
C:\WINDOWS\system32\udgwxttr.dll
C:\WINDOWS\system32\whhfxqnh.ini
C:\WINDOWS\system32\wovxgodm.dll
C:\WINDOWS\system32\xeyjicmo.exe
C:\WINDOWS\system32\xmwdmmjf.ini
C:\WINDOWS\system32\yfnoycqd.dll
G:\autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_NPF
((((((((((((((((((((((( Ficheiros criados de 2008-07-23 to 2008-08-23 ))))))))))))))))))))))))))))))))
.
2008-08-23 16:20 . 2008-08-23 16:20 106,496 --a------ C:\WINDOWS\system32\63.tmp
2008-08-23 16:18 . 2008-08-23 16:18 107,008 --a------ C:\WINDOWS\system32\60.tmp
2008-08-23 16:17 . 2008-08-23 16:17 107,520 --a------ C:\WINDOWS\system32\5F.tmp
2008-08-21 13:50 . 2008-08-21 13:50 107,520 --a------ C:\WINDOWS\system32\87.tmp
2008-08-21 13:43 . 2008-08-21 13:43 106,496 --a------ C:\WINDOWS\system32\83.tmp
2008-08-21 13:26 . 2008-08-21 13:26 107,008 --a------ C:\WINDOWS\system32\82.tmp
2008-08-17 14:46 . 2008-08-23 21:45 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys
2008-08-14 13:43 . 2008-08-14 13:41 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-14 13:41 . 2008-08-14 13:44 <DIR> d-------- C:\Documents and Settings\User\.housecall6.6
.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 21:06 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-08-23 21:06 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-08-23 20:52 266,484 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-08-23 20:52 266,484 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-08-23 19:48 --------- d-----w C:\Programas\Spybot - Search & Destroy
2008-08-23 19:12 --------- d-----w C:\Documents and Settings\User\Application Data\MailWasher
2008-08-22 20:44 --------- d-----w C:\Programas\Pixel Mine
2008-08-21 13:35 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-08-20 17:47 --------- d-----w C:\Programas\XstreamRadio 3.02
2008-08-14 13:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 12:37 --------- d-----w C:\Programas\Panda Security
2008-07-22 21:44 38,408 ----a-w C:\hGi3.exe
2008-07-22 18:34 1,025 ----a-w C:\dlad.exe
2008-07-22 16:06 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-07-22 16:06 --------- d-----w C:\Programas\MODEM MF620 HSDPA EDGE USB
2008-07-22 12:33 --------- d-----w C:\Programas\Declarações Electrónicas
2008-06-30 23:21 --------- d-----w C:\Programas\Ficheiros comuns\Adobe
2008-06-30 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-05-04 23:27 13 ---h--w C:\Documents and Settings\All Users\Application Data\ÝÙÃÄ3113›.sys
2007-03-23 15:43 5,632 --sha-w C:\Programas\Thumbs.db
2007-01-29 16:51 40,096 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-01-11 23:53 30 ----a-w C:\Programas\Exiferupdate.ini
2005-04-19 16:08 33 ----a-w C:\Programas\options.dat
2003-03-21 12:45 250,544 ----a-w C:\Programas\Ficheiros comuns\keyhelp.ocx
2001-10-01 10:11 3,801 ----a-w C:\Programas\a.htm
2001-11-20 12:00 94,832 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:29 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:57 12,288 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
------- Sigcheck -------
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2001-11-20 13:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 12:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0220AD77-B95C-4BD0-9394-D498B5FF6B99}]
2008-07-22 08:43 245760 --a------ C:\WINDOWS\system32\iiffExyA.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"DOpus"="C:\Programas\GPSoftware\Directory Opus\dopus.exe" [2007-09-19 16:16 7005680]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"AdaptecDirectCD"="C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"IntelliPoint"="c:\Programas\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"QuickTime Task"="C:\Programas\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-13 18:51 29744]
"SSBkgdUpdate"="C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 14:16 185896]
"OpwareSE4"="C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 13:45 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"ScanSoft OmniPage SE 4.0-reminder"="C:\Programas\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 16:38 1410600]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AutoCAD Startup Accelerator.lnk - C:\Programas\Ficheiros comuns\Autodesk Shared\acstart16.exe [2005-03-05 14:18:22 10872]
Microsoft Office.lnk - C:\Programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
Pinnacle Scheduler.lnk - C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [2004-08-25 11:57:48 237568]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "C:\Programas\GPSoftware\Directory Opus\dopuslib.dll" [2007-09-19 15:42 693760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\Messenger\\msmsgs.exe"=
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\MSN Messenger\\msncall.exe"=
"C:\\Documents and Settings\\User\\Os meus documentos\\Os meus ficheiros recebidos\\wowclient-downloader.exe"=
"Ìù"= Ìù:
"<NO NAME>"= :AV Service Plugin
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 10:33]
R1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;C:\WINDOWS\system32\drivers\DCxxMJPG.sys [2002-06-04 11:18]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 10:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 10:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 12:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 10:33]
R1 NTGDT;NTGDT;C:\WINDOWS\System32\Drivers\NTGDT.SYS [2006-03-04 16:17]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 15:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 10:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 10:33]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\drivers\cpoint.sys [2007-06-08 09:44]
R2 io.sys;IO.DLL Driver;C:\WINDOWS\System32\drivers\io.sys [2006-02-12 12:10]
R2 LF30FS;LF30FS;C:\Programas\Everstrike Software\Lock Folder XP 3.5\LF30XP.sys [2004-11-19 18:07]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 13:49]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\System32\Drivers\SBKUPNT.SYS [2001-07-13 13:56]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 16:43]
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 19:52]
R3 ROCKEYNT;Feitian ROCKEY4 Device Service;C:\WINDOWS\system32\DRIVERS\Rockey4.sys [2006-03-04 16:16]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-03-01 04:22]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20:11]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 GoogleDesktopManager-112407-114954;Google Desktop Manager 5.6.711.24354;C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe [2007-12-13 18:51]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67cbd0b0-a509-11d9-abfb-00c0df0e609d}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82042ea0-12dd-11dc-979b-00c0df0e609d}]
\Shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c0f070-fb74-11db-977e-00c0df0e609d}]
\Shell\AutoRun\command - K:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{996e6370-16b6-11dc-97a5-00c0df0e609d}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6e23035-551e-11da-ad14-00c0df0e609d}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
- - - - ORFAOS REMOVIDOS - - - -
HKLM-Run-0458a559 - C:\WINDOWS\system32\gunteotl.dll
HKLM-Run-BM076b96c5 - C:\WINDOWS\system32\gdhlhosh.dll
Notify-pmnoLbxU - pmnoLbxU.dll
.
------- Ccan Suplementar -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\sfymuru0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.travian.pt/
FF -: plugin - C:\Programas\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programas\Virtual Earth 3D\npVE3D.dll
FF -: plugin - C:\Programas\Yahoo!\Common\npyaxmpb.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 22:05:04
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializ*veis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execu‡ao ---------------------
PROCESSOS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Outros Processos em Execu‡Æo ------------------------
.
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PAVSRV51.EXE
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrlS.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\PavPrSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\FIREWALL\PSHost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\WEBPROXY.EXE
.
**************************************************************************
.
Tempo para conclusÆo: 2008-08-23 22:12:40 - Maquina reiniciou [User]
ComboFix-quarantined-files.txt 2008-08-23 21:12:30
Pre-Run: 143,004,057,600 bytes livres
Post-Run: 142,990,262,272 bytes livres
296 --- E O F --- 2007-12-22 10:51:18
___________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:16:43, on 23-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Microsoft IntelliPoint\ipoint.exe
c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\GPSoftware\Directory Opus\dopus.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\ApvxdWin.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Ambiente de trabalho\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0220AD77-B95C-4BD0-9394-D498B5FF6B99} - C:\WINDOWS\system32\iiffExyA.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "c:\Programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programas\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DOpus] C:\Programas\GPSoftware\Directory Opus\dopus.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programas\Ficheiros comuns\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDEE9BE4-CB47-438D-B635-1C4DE514F10A}: NameServer = 192.168.1.1,194.79.69.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programas\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.6.711.24354 (GoogleDesktopManager-112407-114954) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
--
End of file - 8973 bytes
pskelley
2008-08-24, 00:33
Thanks for returning your information and the feedback. At times we have to turn of other security programs, but it appears it worked ok, let's see.
We have more work to do, I am stuggling with the language.
Ambiente de trabalho <<< Desktop? That being the case, please follow these directions:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
and post that new HJT log. I need time to work on the next post so it will be after my dinner, around 7 PM EST before I can post again.
Sorry for the language. I dint dare messing with log, ofc
Ambiente de trabalho = Desktop
here is another hijackthis log: (do I need to restart computer before doing it?)
_______________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:56:47, on 23-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Microsoft IntelliPoint\ipoint.exe
c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\GPSoftware\Directory Opus\dopus.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\ApvxdWin.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\User\Ambiente de trabalho\HiJackThis.exe
C:\Programas\Pixel Mine\PixelMineLauncher.exe
c:\programas\pixel mine\Ashen Empires\data\client.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/showthread.php?p=227173&posted=1#post227173
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0220AD77-B95C-4BD0-9394-D498B5FF6B99} - C:\WINDOWS\system32\iiffExyA.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "c:\Programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programas\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DOpus] C:\Programas\GPSoftware\Directory Opus\dopus.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programas\Ficheiros comuns\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDEE9BE4-CB47-438D-B635-1C4DE514F10A}: NameServer = 192.168.1.1,194.79.69.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programas\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.6.711.24354 (GoogleDesktopManager-112407-114954) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
--
End of file - 9275 bytes
pskelley
2008-08-24, 01:59
Follow the directions carefully and in the numbered order.
1) C:\Programas\Java\jre1.6.0_05\ <<< update Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
2) C:\Documents and Settings\User\Ambiente de trabalho\HiJackThis.exe <<< delete this HiJackThis.exe
3) Empty the Recycle Bin on your Desktop
4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
5) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\63.tmp
C:\WINDOWS\system32\60.tmp
C:\WINDOWS\system32\5F.tmp
C:\WINDOWS\system32\87.tmp
C:\WINDOWS\system32\83.tmp
C:\WINDOWS\system32\82.tmp
C:\WINDOWS\system32\iiffExyA.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0220AD77-B95C-4BD0-9394-D498B5FF6B99}]
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(may be gone)
O2 - BHO: (no name) - {0220AD77-B95C-4BD0-9394-D498B5FF6B99} - C:\WINDOWS\system32\iiffExyA.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
8) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the combofix log from CFScript, the log from MBAM and a new HJT log.
Please tell me how the computer is running now.
Thanks
ComboFix 08-08-21.02 - User 2008-08-24 0:56:17.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.2070.18.336 [GMT 1:00]
Executando de: C:\Documents and Settings\User\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Ambiente de trabalho\CFScript.txt
* Criado um novo ponto de restauro
ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
FILE ::
C:\WINDOWS\system32\5F.tmp
C:\WINDOWS\system32\60.tmp
C:\WINDOWS\system32\63.tmp
C:\WINDOWS\system32\82.tmp
C:\WINDOWS\system32\83.tmp
C:\WINDOWS\system32\87.tmp
C:\WINDOWS\system32\iiffExyA.dll
.
((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\5F.tmp
C:\WINDOWS\system32\60.tmp
C:\WINDOWS\system32\63.tmp
C:\WINDOWS\system32\82.tmp
C:\WINDOWS\system32\83.tmp
C:\WINDOWS\system32\87.tmp
C:\WINDOWS\system32\AyxEffii.ini
C:\WINDOWS\system32\AyxEffii.ini2
C:\WINDOWS\system32\iiffExyA.dll
.
((((((((((((((((((((((( Ficheiros criados de 2008-07-24 to 2008-08-24 ))))))))))))))))))))))))))))))))
.
2008-08-23 22:56 . 2008-08-23 22:56 <DIR> d-------- C:\Programas\Trend Micro
2008-08-23 22:12 . 2008-08-23 22:12 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais
2008-08-23 22:12 . 2008-08-23 22:12 <DIR> d-------- C:\Documents and Settings\User\Definições locais
2008-08-23 22:12 . 2008-08-23 22:12 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais
2008-08-23 22:12 . 2008-08-23 22:12 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais
2008-08-23 22:12 . 2008-08-23 22:12 <DIR> d-------- C:\Documents and Settings\Administrador\Definições locais
2008-08-17 14:46 . 2008-08-23 22:26 13,880 --a------ C:\WINDOWS\system32\drivers\COMFiltr.sys
2008-08-14 13:43 . 2008-08-14 13:41 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-14 13:41 . 2008-08-14 13:44 <DIR> d-------- C:\Documents and Settings\User\.housecall6.6
.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 00:06 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-08-24 00:06 1,204 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-08-24 00:05 266,484 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-08-24 00:05 266,484 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-08-23 23:43 --------- d-----w C:\Programas\Java
2008-08-23 21:33 --------- d-----w C:\Programas\Pixel Mine
2008-08-23 19:48 --------- d-----w C:\Programas\Spybot - Search & Destroy
2008-08-23 19:12 --------- d-----w C:\Documents and Settings\User\Application Data\MailWasher
2008-08-21 13:35 --------- d-----w C:\Documents and Settings\User\Application Data\AdobeUM
2008-08-20 17:47 --------- d-----w C:\Programas\XstreamRadio 3.02
2008-08-14 13:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-14 12:37 --------- d-----w C:\Programas\Panda Security
2008-07-22 21:44 38,408 ----a-w C:\hGi3.exe
2008-07-22 18:34 1,025 ----a-w C:\dlad.exe
2008-07-22 16:06 --------- d--h--w C:\Programas\InstallShield Installation Information
2008-07-22 16:06 --------- d-----w C:\Programas\MODEM MF620 HSDPA EDGE USB
2008-07-22 12:33 --------- d-----w C:\Programas\Declarações Electrónicas
2008-06-30 23:21 --------- d-----w C:\Programas\Ficheiros comuns\Adobe
2008-06-30 23:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-05-04 23:27 13 ---h--w C:\Documents and Settings\All Users\Application Data\ÝÙÃÄ3113›.sys
2007-03-23 15:43 5,632 --sha-w C:\Programas\Thumbs.db
2007-01-29 16:51 40,096 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-01-11 23:53 30 ----a-w C:\Programas\Exiferupdate.ini
2005-04-19 16:08 33 ----a-w C:\Programas\options.dat
2003-03-21 12:45 250,544 ----a-w C:\Programas\Ficheiros comuns\keyhelp.ocx
2001-10-01 10:11 3,801 ----a-w C:\Programas\a.htm
2001-11-20 12:00 94,832 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56 54,784 --sha-w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sha-w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:29 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sha-w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:57 12,288 --sh--w C:\WINDOWS\system32\regsvr32.exe
.
------- Sigcheck -------
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2001-11-20 13:00 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2004-08-04 07:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 12:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"DOpus"="C:\Programas\GPSoftware\Directory Opus\dopus.exe" [2007-09-19 16:16 7005680]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11 57344]
"AdaptecDirectCD"="C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"IntelliPoint"="c:\Programas\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52 849280]
"QuickTime Task"="C:\Programas\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2007-12-13 18:51 29744]
"SSBkgdUpdate"="C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 14:16 185896]
"OpwareSE4"="C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 13:45 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 09:35 20480]
"ScanSoft OmniPage SE 4.0-reminder"="C:\Programas\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 16:38 1410600]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
AutoCAD Startup Accelerator.lnk - C:\Programas\Ficheiros comuns\Autodesk Shared\acstart16.exe [2005-03-05 14:18:22 10872]
Microsoft Office.lnk - C:\Programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]
Pinnacle Scheduler.lnk - C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe [2004-08-25 11:57:48 237568]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "C:\Programas\GPSoftware\Directory Opus\dopuslib.dll" [2007-09-19 15:42 693760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-15 21:02 50736 C:\WINDOWS\system32\avldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programas\\Messenger\\msmsgs.exe"=
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\MSN Messenger\\msncall.exe"=
"C:\\Documents and Settings\\User\\Os meus documentos\\Os meus ficheiros recebidos\\wowclient-downloader.exe"=
"Ìù"= Ìù:
"<NO NAME>"= :AV Service Plugin
R1 APPFLT;App Filter Plugin;C:\WINDOWS\system32\Drivers\APPFLT.SYS [2007-05-11 10:33]
R1 DCxxMJPG;Pinnacle DC10plus, Motion-JPEG VideoIO Board;C:\WINDOWS\system32\drivers\DCxxMJPG.sys [2002-06-04 11:18]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\system32\Drivers\DSAFLT.SYS [2007-05-11 10:33]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\system32\Drivers\fnetmon.SYS [2007-05-11 10:33]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\system32\Drivers\IDSFLT.SYS [2007-07-11 12:39]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\system32\Drivers\NETFLTDI.SYS [2007-05-11 10:33]
R1 NTGDT;NTGDT;C:\WINDOWS\System32\Drivers\NTGDT.SYS [2006-03-04 16:17]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-05-23 15:40]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\system32\Drivers\SMSFLT.SYS [2007-05-11 10:33]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS [2007-05-11 10:33]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\drivers\cpoint.sys [2007-06-08 09:44]
R2 io.sys;IO.DLL Driver;C:\WINDOWS\System32\drivers\io.sys [2006-02-12 12:10]
R2 LF30FS;LF30FS;C:\Programas\Everstrike Software\Lock Folder XP 3.5\LF30XP.sys [2004-11-19 18:07]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-07-12 13:49]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\System32\Drivers\SBKUPNT.SYS [2001-07-13 13:56]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 16:43]
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 19:52]
R3 ROCKEYNT;Feitian ROCKEY4 Device Service;C:\WINDOWS\system32\DRIVERS\Rockey4.sys [2006-03-04 16:16]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-03-01 04:22]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20:11]
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 GoogleDesktopManager-112407-114954;Google Desktop Manager 5.6.711.24354;C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe [2007-12-13 18:51]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67cbd0b0-a509-11d9-abfb-00c0df0e609d}]
\Shell\Auto\command - RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82042ea0-12dd-11dc-979b-00c0df0e609d}]
\Shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c0f070-fb74-11db-977e-00c0df0e609d}]
\Shell\AutoRun\command - K:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{996e6370-16b6-11dc-97a5-00c0df0e609d}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6e23035-551e-11da-ad14-00c0df0e609d}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-24 01:04:15
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializ*veis ocultas ...
Procurando ficheiros ocultos ...
Varredura completada com sucesso
Ficheiros ocultos: 0
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execu‡ao ---------------------
PROCESSOS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Outros Processos em Execu‡Æo ------------------------
.
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PAVSRV51.EXE
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrlS.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\PavPrSrv.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\FIREWALL\PSHost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\WEBPROXY.EXE
.
**************************************************************************
.
Tempo para conclusÆo: 2008-08-24 1:11:18 - Maquina reiniciou
ComboFix-quarantined-files.txt 2008-08-24 00:11:08
ComboFix2.txt 2008-08-23 21:12:41
Pre-Run: 143,185,440,768 bytes livres
Post-Run: 143,178,457,088 bytes livres
221 --- E O F --- 2007-12-22 10:51:18
------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:07, on 24-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Microsoft IntelliPoint\ipoint.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\GPSoftware\Directory Opus\dopus.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\ApvxdWin.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\WINDOWS\explorer.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/showthread.php?p=227173&posted=1#post227173
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "c:\Programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programas\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DOpus] C:\Programas\GPSoftware\Directory Opus\dopus.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programas\Ficheiros comuns\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDEE9BE4-CB47-438D-B635-1C4DE514F10A}: NameServer = 192.168.1.1,194.79.69.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programas\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.6.711.24354 (GoogleDesktopManager-112407-114954) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
--
End of file - 8468 bytes
Computer seems to work fine already, though I havent restored Panda Security protection and Spybot. Is it possible to use Hijackthis to remove Yahoo toolbar?
I already posted the CFScript log in previous post.
Here is the log from MBAM and Hijackthis:
--------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2
3:33:53 24-08-2008
mbam-log-08-24-2008 (03-33-53).txt
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 283740
Time elapsed: 1 hour(s), 49 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 34
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\User\Os meus documentos\Os meus ficheiros recebidos\adobereader\Adobe.Acrobat.v8.0.Professional.Multilanguage.Keymaker.ZWT.rar\zwt\keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\5F.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\60.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\63.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\82.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\83.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\87.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\agecedup.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bqpulomp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\enkokoqf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fjcnrq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fjmmdwmx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iiffExyA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jbyxracr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kmcommgu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pgeagc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tvuauvao.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yfnoycqd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP16\A0002470.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000009.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000010.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000028.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000030.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000032.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000033.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000035.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000037.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000039.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000040.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000041.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000042.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000080.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000090.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C73D1D3-5BB4-47A9-BBE4-56170AFBAB2E}\RP2\A0000091.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:44, on 24-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Microsoft IntelliPoint\ipoint.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\ApvxdWin.exe
C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/showthread.php?p=227173&posted=1#post227173
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "c:\Programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programas\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Programas\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DOpus] C:\Programas\GPSoftware\Directory Opus\dopus.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Programas\Ficheiros comuns\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programas\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDEE9BE4-CB47-438D-B635-1C4DE514F10A}: NameServer = 192.168.1.1,194.79.69.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programas\Canon\CAL\CALMAIN.exe
O23 - Service: Google Desktop Manager 5.6.711.24354 (GoogleDesktopManager-112407-114954) - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\programas\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
--
End of file - 8496 bytes
pskelley
2008-08-24, 15:29
Thanks for returning your information, most of the stuff MBAM found are quarantined in combofix and infected System Restore files we will clean soon.
I am concerned about this item:
C:\Documents and Settings\User\Os meus documentos\Os meus ficheiros recebidos\adobereader\Adobe.Acrobat.v8.0.Professional.Multilanguage.Keymaker.ZWT.rar\zwt\keygen.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
If you have not done so yet, read carefully post #4 at the top. That looks like an illegal file? If it is you can see what came with it.
I also see you are using removable media, I suggest you scan that drive with your antivirus program and make sure it is clean. If you find any infections, let me know.
This is the next item we must complete:
I am sure you saw this:
ATENÇAO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Since we do not need to scan with combofix, click NO
http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif
http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif
Thanks
I deleted that file, the software is not installed as far as I know.
I have a second harddidsk inside computer, usually F:. I think thats what showed in logs.
I used antivirus and MBAM too on both disks.
CF-RC log:
______________________________________________________________________________
WindowsXP-KB310994-SP2-Home-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
pskelley
2008-08-24, 21:19
RC installed correctly, here is a little information for you:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.
Remove combofix from your computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Run MBAM again to make sure we missed nothing, no need to post a clean scan result.
Update Panda and run a system scan to make sure it is running correctly and scanning clean.
I'll post this information for you now so you can benefit from it.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
I am not sure if RC is well installed. When I log, the menu only shows for a fraction of second, too fast to read. From what I can read it shows 2 options and text below, maybe telling to move with keys and choose.
I ran MBAM and PANDA( system scan). Nothing found.
Many thanks for the great job done here :)
pskelley
2008-08-26, 04:03
I am not sure if RC is well installed.
It is installed, all you get is a quick flash during the boot process. If you ever need to use it, you would access it just as Safe Mode. It will be one of the choices you get at that point.
Safe surfing...Phil:laugh: