computer shuts down
gei07091
2009-02-10, 23:22
I've already posted this once and no one replied, so I'll post it again. The problem is that sometimes when I'm doing something on my computer it shuts down for no reason, and then when I turn it back on it says something like "CPU clockwise" something (I think), and I think it's some kind of malware (I've already run Spybot and AVG and they don't detect anything).
Thanks in advance
Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 21:19:34, on 10-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\programas\quicktime\qttask.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programas\MODEM MF620\Modem.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\XP\Ambiente de trabalho\DOCUMENTOS DO AMBIENTE DE TRABALHO\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suporte.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programas\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programas\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAID Manager.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233575397359
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programas\Java\jre6\bin\jqs.exe" -service -config "C:\Programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
gei07091
2009-02-14, 17:16
I've already read the archives in search of something similar, found it and followed pretty much the same steps, and everything looks fine now. Nonetheless I'll post what you asked for and a new HJT log. (Sorry if I made you waste some time, but so much time had passed since I first posted this in the thread that it was already archived.)
Logfile of HijackThis v1.99.1
Scan saved at 15:09:04, on 14-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\programas\quicktime\qttask.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programas\COMODO\COMODO Internet Security\cfp.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programas\MODEM MF620\Modem.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\XP\Ambiente de trabalho\DOCUMENTOS DO AMBIENTE DE TRABALHO\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suporte.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programas\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programas\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Programas\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAID Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233575397359
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programas\Java\jre6\bin\jqs.exe" -service -config "C:\Programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
I've already read the archives in search of something similar, found it and followed pretty much the same steps, and everything looks fine now.
Hi
It's one of the most common things that help seekers do, and unfortunately it makes the cleaning process much harder. Evidence of the infection's presence may have been destroyed by the tool.
This sticky is not there without a reason:
Do NOT run 'fixes' before helpers have analyzed HJT log (http://forums.spybot.info/showthread.php?t=16806)
Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar.
You had good luck there that the problem got sorted out. If it hadn't, the situation might have been much more difficult.
The only thing I now see there is that Adobe Reader must be upgraded to the latest version.
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader!
gei07091
2009-02-14, 23:37
Sorry, I misled you, but I've confused issues. This problem still persists (it reappeared right after I replied to you) and the shutdowns are even more frequent (like the computer is on 5 minutes and it shuts down). Awaiting instructions.
Hi,
Search for the ComboFix.txt file on your C: drive and post it back together with a fresh HJT log. Also make sure automatic restart on error is disabled by doing the following:
1. Right-click My Computer, and then click Properties.
2. Click the Advanced tab.
3. Under Startup and Recovery, click Settings to open the Startup and Recovery dialog box.
4. Clear the Automatically restart check box, and click OK the necessary number of times.
5. Restart your computer for the settings to take effect.
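The same setting, and the evidence it preserves, can be checked from a script. This is an added example, not part of the thread; it assumes Windows PowerShell in an administrator session, and the CrashControl registry key is the one the "Automatically restart" check box writes to.

```powershell
# Added example (not from the thread): verify/disable automatic restart after a
# crash and gather what that setting preserves for diagnosis of sudden shutdowns.
# Assumes Windows PowerShell running as administrator.

$CrashControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-AutoRebootSetting {
    # AutoReboot = 1 corresponds to the "Automatically restart" box being checked;
    # 0 means the machine stays on the blue screen so the stop code can be read.
    (Get-ItemProperty -Path $CrashControlKey -Name AutoReboot).AutoReboot
}

function Disable-AutoReboot {
    if ((Get-AutoRebootSetting) -ne 0) {
        Set-ItemProperty -Path $CrashControlKey -Name AutoReboot -Value 0 -Type DWord
        Write-Output 'AutoReboot set to 0; takes effect after the next restart.'
    } else {
        Write-Output 'AutoReboot already 0.'
    }
}

function Get-MinidumpFiles {
    # A bugcheck (blue screen) writes a minidump here; a plain power-off
    # or thermal shutdown does not, which helps tell the two apart.
    $dumpDir = Join-Path $env:SystemRoot 'Minidump'
    if (Test-Path $dumpDir) {
        Get-ChildItem -Path $dumpDir -Filter '*.dmp' |
            Sort-Object LastWriteTime -Descending |
            Select-Object Name, LastWriteTime, Length
    }
}

function Get-UnexpectedShutdownEvents {
    param([int]$Days = 7)
    # System log: 6008 = "previous system shutdown was unexpected";
    # 1001 = bugcheck record (source "Save Dump" on XP, "BugCheck" later).
    # Get-EventLog is used instead of Get-WinEvent so it also works on XP.
    Get-EventLog -LogName System -After (Get-Date).AddDays(-$Days) |
        Where-Object { @(6008, 1001) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Source, Message
}

Disable-AutoReboot
Get-MinidumpFiles
Get-UnexpectedShutdownEvents
```

Several 6008 events with no matching minidump point to power loss or a hardware cutoff rather than a crash in software.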
gei07091
2009-02-17, 11:09
I've done what you requested (logs and restart unchecked).
ComboFix log:
ComboFix 09-02-12.02 - XP 2009-02-12 19:45:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.3071.2477 [GMT 0:00]
Executando de: c:\documents and settings\XP\Ambiente de trabalho\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Criado um novo ponto de restauro
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\install.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\wdmaud.sys
.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-12 to 2009-02-12 ))))))))))))))))))))))))))))
.
2009-02-11 17:59 . 2009-02-11 20:43 <DIR> d-------- c:\programas\Malwarebytes' Anti-Malware
2009-02-11 17:59 . 2009-02-11 17:59 <DIR> d-------- c:\documents and settings\XP\Application Data\Malwarebytes
2009-02-11 17:59 . 2009-02-11 17:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-11 17:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 17:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-11 17:18 . 2009-02-11 17:26 <DIR> d-------- c:\programas\Safer Networking
2009-02-04 13:03 . 2009-02-04 13:03 244 --ah----- C:\sqmnoopt10.sqm
2009-02-04 13:03 . 2009-02-04 13:03 232 --ah----- C:\sqmdata10.sqm
2009-02-02 11:51 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-02-02 11:51 . 2008-10-16 14:08 35,864 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-02 11:51 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-02 11:51 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-02 11:51 . 2008-10-16 14:07 19,480 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-02 11:36 . 2009-02-12 19:29 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-02 11:36 . 2009-02-02 11:36 <DIR> d-------- c:\programas\AVG
2009-02-02 11:36 . 2009-02-04 10:18 <DIR> d-------- c:\documents and settings\XP\Application Data\AVGTOOLBAR
2009-02-02 11:36 . 2009-02-02 11:36 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-02 11:36 . 2009-02-02 11:36 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-02 11:36 . 2009-02-02 11:36 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-02 10:53 . 2009-02-02 10:53 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2009-01-30 16:15 . 2008-10-19 09:34 77,176 --a------ c:\windows\grass_1280x1024.jpg
2009-01-30 16:12 . 2008-10-19 09:40 198,119 --a------ c:\windows\vlaelef.jpg
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt09.sqm
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt08.sqm
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt07.sqm
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt06.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata09.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata08.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata07.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata06.sqm
2009-01-21 14:02 . 2009-01-28 23:03 <DIR> d-------- c:\programas\Everest Poker.net
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 19:38 --------- d-----w c:\programas\MODEM MF620
2009-02-12 19:15 --------- d-----w c:\programas\Spybot - Search & Destroy
2009-02-12 19:09 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-10 17:47 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-02-02 11:36 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2008-12-28 22:56 --------- d-----w c:\programas\MSN Messenger
2008-11-28 21:25 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-04-01 02:54 357 ----a-w c:\documents and settings\XP\.cb_layout.bin
2007-04-25 13:47 357 ----a-w c:\documents and settings\Gomes\.cb_layout.bin
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\programas\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MSMSGS"="c:\programas\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"HP Software Update"="c:\programas\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"Adobe Reader Speed Launcher"="c:\programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\programas\quicktime\qttask.exe" [2007-04-27 77824]
"SunJavaUpdateSched"="c:\programas\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-02 1601304]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-12 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SAFECNMEMORY8"="c:\programas\CnMemory Safe\SAFECNMEMORY8.exe" [2006-02-28 2605056]
c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Arranque\
HP Digital Imaging Monitor.lnk - c:\programas\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
RAID Manager.lnk - c:\programas\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe [2008-08-04 724992]
c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Arranque\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\programas\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]
Adobe Reader Synchronizer.lnk - c:\programas\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-10 738968]
Diciopédia 2006 DVD Tray.lnk - c:\programas\Porto Editora Multimedia\Diciopedia 2006 DVD\TaskIconD2006.exe [2005-09-06 81920]
Diciopédia X DVD Tray.lnk - c:\programas\Porto Editora Multimedia\Diciopedia X DVD\TaskIconDiciopX.exe [2006-09-16 114688]
fortis view station.lnk.disabled [2008-03-28 1374]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\programas\Porto Editora Multimedia\Diciopedia 2006 DVD\D2006 Desktop.html
FriendlyName= Diciopédia 2006 DVD
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= d:\programas\Porto Editora Multimedia\Diciopedia 2006 DVD\D2006 Desktop.html
FriendlyName= Diciopédia 2006 DVD
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 11:36 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"= wdmaud.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Porto Editora Multimedia\\Diciopedia 2006 DVD\\Diciop.exe"=
"c:\\Programas\\Porto Editora Multimedia\\Diciopedia X DVD\\diciop.exe"=
"d:\\Programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\programas\Microsoft ActiveSync\rapimgr.exe"= c:\programas\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programas\Microsoft ActiveSync\wcescomm.exe"= c:\programas\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programas\Microsoft ActiveSync\WCESMgr.exe"= c:\programas\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"d:\\Programas\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Programas\\Dreamcatcher\\Dungeon Lords\\dlords.exe"=
"c:\\Programas\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"d:\\Programas\\Activision\\Call of Duty 4-Modern Warefare\\iw3mp.exe"=
"c:\\Warcraft III\\War3.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programas\\MSN Messenger\\livecall.exe"=
"c:\\Programas\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programas\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programas\\AVG\\AVG8\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2008-08-04 24971]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-02 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-02 107272]
R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-04 16:42:36 74240]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-02 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-02 298264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fe760b6-994c-11dc-b825-00112f436475}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ea44054-ff94-11dc-b925-00112f436475}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6922352a-c549-11dc-b883-00112f436475}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6922352d-c549-11dc-b883-00112f436475}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77309f6e-a9ee-11dd-bfce-00112f436475}]
\Shell\AutoRun\command - I:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c84b921-f4c1-11db-801b-00196617e611}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93eb80b0-aff0-11dc-b854-00112f436475}]
\Shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8787ffe-d105-11dc-b89f-00112f436475}]
\Shell\AutoRun\command - G:\AutoRun.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
2009-02-12 c:\windows\Tasks\User_Feed_Synchronization-{1412B3CE-9AAD-4EFE-AB49-D6EE60B3A4E4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
2009-02-09 c:\windows\Tasks\WebReg Photosmart C5200 series.job
- c:\programas\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-11 20:27]
.
- - - - ORFÃOS REMOVIDOS - - - -
Notify-AtiExtEvent - (no file)
Notify-crypt32chain - (no file)
Notify-cryptnet - (no file)
Notify-cscdll - (no file)
Notify-ScCertProp - (no file)
Notify-Schedule - (no file)
Notify-sclgntfy - (no file)
Notify-SensLogn - (no file)
Notify-termsrv - (no file)
Notify-wlballoon - (no file)
.
------- Scan Suplementar -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.suporte.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\XP\Application Data\Mozilla\Firefox\Profiles\0d3cegox.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.suporte.com/
FF - component: c:\programas\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\programas\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 19:47:01
Windows 5.1.2600 Service Pack 3 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
Tempo para conclusão: 2009-02-12 19:50:18
ComboFix-quarantined-files.txt 2009-02-12 19:50:14
ComboFix2.txt 2008-03-01 23:57:23
ComboFix3.txt 2008-03-01 23:52:06
Pré-execução: 2.669.490.176 bytes livres
Pós execução: 2,716,884,992 bytes livres
WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:07:28, on 17-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\programas\quicktime\qttask.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\Programas\COMODO\COMODO Internet Security\cfp.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programas\MODEM MF620\Modem.exe
C:\Programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\internet explorer\iexplore.exe
C:\Programas\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Programas\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\XP\Ambiente de trabalho\DOCUMENTOS DO AMBIENTE DE TRABALHO\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suporte.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programas\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programas\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Programas\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAID Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233575397359
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programas\Java\jre6\bin\jqs.exe" -service -config "C:\Programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
Hi again,
Uninstall old Adobe Reader versions and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader!
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\grass_1280x1024.jpg
c:\windows\vlaelef.jpg
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c84b921-f4c1-11db-801b-00196617e611}]
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif). If you get a message that the latest Java must be installed, "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.
Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
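As an added example (not part of this thread or of ComboFix), the following Python checker shows why the helper's CFScript deletes the mountpoints2 key {7c84b921-...} and not the others: it parses the mountpoints2 section of a ComboFix log, flags AutoRun handlers that do not look like a drive simply launching its own X:\AutoRun.exe, and renders the matching `[-KEY]` deletion lines in CFScript syntax. The sample log is a constructed excerpt modelled on the log posted above; the heuristics and function names are my own.

```python
import re

# Constructed excerpt in ComboFix's mountpoints2 format, modelled on the posted log.
SAMPLE_LOG = "\n".join([
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fe760b6-994c-11dc-b825-00112f436475}]",
    r"\Shell\AutoRun\command - F:\AutoRun.exe",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c84b921-f4c1-11db-801b-00196617e611}]",
    r"\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe",
    r"\Shell\Open(0)\command - Recycled\ctfmon.exe",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93eb80b0-aff0-11dc-b854-00112f436475}]",
    r"\Shell\AutoRun\command - G:\AutoRun.exe",
])

KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer"
    r"\\mountpoints2\\(\{[0-9a-fA-F-]+\}))\]$",
    re.IGNORECASE,
)
HANDLER_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.IGNORECASE)
# The expected shape: a removable drive launching its own AutoRun.exe from the drive root.
BENIGN_CMD_RE = re.compile(r"^[A-Z]:\\AutoRun\.exe$", re.IGNORECASE)


def parse_mountpoints(log_text):
    """Return {key_path: [(verb, command), ...]} for every mountpoints2 key in the log."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, [])
            continue
        handler_match = HANDLER_RE.match(line)
        if handler_match and current is not None:
            entries[current].append((handler_match.group(1), handler_match.group(2)))
        else:
            # Any other line ends the current key's handler block.
            current = None
    return entries


def assess_handler(verb, command):
    """Return the reasons a handler looks suspicious; an empty list means it looks benign."""
    reasons = []
    if BENIGN_CMD_RE.match(command):
        return reasons
    lowered = command.lower()
    if "recycled" in lowered or "recycler" in lowered:
        reasons.append("payload stored under the Recycle Bin folder")
    if "rundll32" in lowered and "shellexec_rundll" in lowered:
        reasons.append("launched indirectly via rundll32 ShellExec_RunDLL")
    target = command.split()[-1]  # last token is the file actually executed
    if not re.match(r"^[A-Z]:\\", target, re.IGNORECASE) and not target.startswith("%"):
        reasons.append("relative path (resolves against the mounted drive root)")
    if verb.lower() != "autorun":
        reasons.append(f"'{verb}' verb hijacked: double-clicking the drive runs the command")
    if not reasons:
        reasons.append("does not match the plain X:\\AutoRun.exe pattern")
    return reasons


def find_suspicious(log_text):
    """Map each mountpoints2 key to its flagged handlers: {key: [(verb, command, reasons)]}."""
    findings = {}
    for key, handlers in parse_mountpoints(log_text).items():
        flagged = [(v, c, assess_handler(v, c)) for v, c in handlers if assess_handler(v, c)]
        if flagged:
            findings[key] = flagged
    return findings


def cfscript_registry_lines(findings):
    """Render CFScript 'Registry::' lines that delete each flagged key ([-KEY] syntax)."""
    return ["Registry::"] + [f"[-{key}]" for key in sorted(findings)]


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG)
    for key, handlers in result.items():
        print(key)
        for verb, command, reasons in handlers:
            print(f"  {verb}: {command}")
            for reason in reasons:
                print(f"    - {reason}")
    print("\n".join(cfscript_registry_lines(result)))
```

Only the key whose handlers point at Recycled\ctfmon.exe is flagged; the plain F:\ and G:\ AutoRun.exe entries pass, which matches what the CFScript above removes.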
gei07091
2009-02-20, 19:01
Here are all the logs you requested (HJT; ComboFix; Kaspersky Online Scan)
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, February 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, February 20, 2009 13:27:47
Records in database: 1821226
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 154174
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 03:29:22
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06000000.VBN Infected: Worm.Win32.Perlovga.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06000001.VBN Infected: Worm.Win32.Perlovga.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06000002.VBN Infected: Trojan-Dropper.Win32.Small.apl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06000003.VBN Infected: Trojan-Dropper.Win32.Small.apl 1
The selected area was scanned.
ComboFix 09-02-18.01 - XP 2009-02-20 0:18:37.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.2070.18.3071.2504 [GMT 0:00]
Executando de: c:\documents and settings\XP\Ambiente de trabalho\ComboFix.exe
Comandos utilizados :: c:\documents and settings\XP\Ambiente de trabalho\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
* Criado um novo ponto de restauro
FILE ::
c:\windows\grass_1280x1024.jpg
c:\windows\vlaelef.jpg
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\grass_1280x1024.jpg
c:\windows\system32\d3d8caps.dat
c:\windows\vlaelef.jpg
.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-20 to 2009-02-20 ))))))))))))))))))))))))))))
.
2009-02-20 00:06 . 2009-02-20 00:06 <DIR> d-------- c:\programas\Ficheiros comuns\Adobe AIR
2009-02-14 22:03 . 2009-02-14 22:03 <DIR> d-------- c:\documents and settings\XP\Application Data\Safer Networking
2009-02-13 01:09 . 2009-02-13 01:09 <DIR> d-------- c:\programas\MSXML 4.0
2009-02-13 01:08 . 2001-08-23 09:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-13 00:29 . 2007-03-08 05:12 1,036,288 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-13 00:29 . 2008-12-20 22:46 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-02-13 00:29 . 2008-12-20 22:46 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-02-13 00:29 . 2008-12-20 22:46 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-13 00:29 . 2008-12-19 09:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-02-13 00:28 . 2008-12-20 22:46 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-02-13 00:28 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-13 00:28 . 2008-12-20 22:46 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-13 00:28 . 2008-12-20 22:46 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-02-13 00:25 . 2008-06-14 17:33 272,640 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-13 00:20 . 2008-08-14 13:23 2,193,024 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-13 00:20 . 2008-08-14 13:23 2,149,376 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-13 00:20 . 2008-08-14 13:23 2,069,888 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-13 00:20 . 2008-08-14 13:23 2,028,032 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-13 00:20 . 2008-09-15 15:25 1,846,528 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-13 00:19 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-13 00:19 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-02-13 00:18 . 2008-04-11 19:05 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-02-13 00:18 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-02-13 00:18 . 2008-05-01 14:35 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-02-12 22:04 . 2008-09-04 17:16 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-02-12 22:04 . 2008-10-15 16:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-12 22:01 . 2009-02-13 01:17 1,374 --a------ c:\windows\imsins.BAK
2009-02-12 21:40 . 2009-02-12 21:40 <DIR> d-------- c:\programas\COMODO
2009-02-12 21:40 . 2009-02-13 00:06 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\comodo
2009-02-12 21:40 . 2009-02-12 21:40 147,192 --a------ c:\windows\system32\guard32.dll
2009-02-12 21:40 . 2009-02-12 21:40 101,776 --a------ c:\windows\system32\drivers\cmdguard.sys
2009-02-12 21:40 . 2009-02-12 21:40 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2009-02-12 21:13 . 2009-02-16 21:44 <DIR> d-------- c:\programas\SpywareBlaster
2009-02-11 17:59 . 2009-02-11 20:43 <DIR> d-------- c:\programas\Malwarebytes' Anti-Malware
2009-02-11 17:59 . 2009-02-11 17:59 <DIR> d-------- c:\documents and settings\XP\Application Data\Malwarebytes
2009-02-11 17:59 . 2009-02-11 17:59 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-11 17:59 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 17:59 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-11 17:18 . 2009-02-11 17:26 <DIR> d-------- c:\programas\Safer Networking
2009-02-04 13:03 . 2009-02-04 13:03 244 --ah----- C:\sqmnoopt10.sqm
2009-02-04 13:03 . 2009-02-04 13:03 232 --ah----- C:\sqmdata10.sqm
2009-02-02 11:51 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2009-02-02 11:51 . 2008-10-16 14:08 35,864 --a------ c:\windows\system32\wucltui.dll.mui
2009-02-02 11:51 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2009-02-02 11:51 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuapi.dll.mui
2009-02-02 11:51 . 2008-10-16 14:07 19,480 --a------ c:\windows\system32\wuaueng.dll.mui
2009-02-02 11:36 . 2009-02-17 19:10 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-02 11:36 . 2009-02-02 11:36 <DIR> d-------- c:\programas\AVG
2009-02-02 11:36 . 2009-02-04 10:18 <DIR> d-------- c:\documents and settings\XP\Application Data\AVGTOOLBAR
2009-02-02 11:36 . 2009-02-02 11:36 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-02 11:36 . 2009-02-02 11:36 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-02 11:36 . 2009-02-02 11:36 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-02 10:53 . 2009-02-02 10:53 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab Setup Files
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt09.sqm
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt08.sqm
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt07.sqm
2009-01-25 20:23 . 2009-01-25 20:23 244 --ah----- C:\sqmnoopt06.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata09.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata08.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata07.sqm
2009-01-25 20:23 . 2009-01-25 20:23 232 --ah----- C:\sqmdata06.sqm
2009-01-21 14:02 . 2009-01-28 23:03 <DIR> d-------- c:\programas\Everest Poker.net
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 00:04 --------- d-----w c:\programas\Ficheiros comuns\Adobe
2009-02-19 23:38 --------- d-----w c:\programas\MODEM MF620
2009-02-16 21:49 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-02-12 19:15 --------- d-----w c:\programas\Spybot - Search & Destroy
2009-02-12 19:09 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-02-10 17:47 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-02-02 11:36 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2008-12-28 22:56 --------- d-----w c:\programas\MSN Messenger
2008-12-20 22:47 826,368 ----a-w c:\windows\system32\wininet.dll
2008-11-28 21:25 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-04-01 02:54 357 ----a-w c:\documents and settings\XP\.cb_layout.bin
2007-04-25 13:47 357 ----a-w c:\documents and settings\Gomes\.cb_layout.bin
.
((((((((((((((((((((((((((((( SnapShot_2009-02-14_18.55.02,98 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-10-18 20:04:50 315,904 ----a-w c:\windows\inf\unregmp2.exe
+ 2007-06-27 16:05:44 318,976 ----a-w c:\windows\inf\unregmp2.exe
- 2009-02-11 21:58:06 593,920 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-02-19 22:49:01 593,920 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-02-11 21:58:06 12,288 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-02-19 22:49:01 12,288 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-02-11 21:58:06 86,016 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2009-02-19 22:49:01 86,016 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2009-02-11 21:58:06 135,168 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-02-19 22:49:01 135,168 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-02-11 21:58:06 11,264 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-02-19 22:49:01 11,264 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-02-11 21:58:06 27,136 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-02-19 22:49:01 27,136 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-02-11 21:58:07 4,096 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-02-19 22:49:01 4,096 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-02-11 21:58:07 794,624 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-02-19 22:49:01 794,624 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-02-11 21:58:06 249,856 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-02-19 22:49:01 249,856 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-02-11 21:58:06 61,440 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-02-19 22:49:01 61,440 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-02-11 21:58:07 23,040 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-02-19 22:49:01 23,040 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-02-11 21:58:05 286,720 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-02-19 22:49:01 286,720 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-02-11 21:58:05 409,600 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-02-19 22:49:01 409,600 ----a-r c:\windows\Installer\{90110816-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2007-12-12 15:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2006-10-18 20:04:50 315,904 -c----w c:\windows\system32\dllcache\unregmp2.exe
+ 2007-06-27 16:05:44 318,976 -c----w c:\windows\system32\dllcache\unregmp2.exe
+ 2009-02-19 22:30:14 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_738.dat
.
-- Snapshot resetado para data atual --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\programas\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 1207080]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"MSMSGS"="c:\programas\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"HP Software Update"="c:\programas\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"QuickTime Task"="c:\programas\quicktime\qttask.exe" [2007-04-27 77824]
"SunJavaUpdateSched"="c:\programas\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-02 1601304]
"COMODO Internet Security"="c:\programas\COMODO\COMODO Internet Security\cfp.exe" [2009-02-12 1797880]
"Adobe Reader Speed Launcher"="c:\programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-04-12 c:\windows\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SAFECNMEMORY8"="c:\programas\CnMemory Safe\SAFECNMEMORY8.exe" [2006-02-28 2605056]
c:\documents and settings\All Users.WINDOWS\Menu Iniciar\Programas\Arranque\
HP Digital Imaging Monitor.lnk - c:\programas\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]
RAID Manager.lnk - c:\programas\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe [2008-08-04 724992]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\programas\Porto Editora Multimedia\Diciopedia 2006 DVD\D2006 Desktop.html
FriendlyName= Diciopédia 2006 DVD
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= d:\programas\Porto Editora Multimedia\Diciopedia 2006 DVD\D2006 Desktop.html
FriendlyName= Diciopédia 2006 DVD
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-02 11:36 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programas\\Porto Editora Multimedia\\Diciopedia 2006 DVD\\Diciop.exe"=
"c:\\Programas\\Porto Editora Multimedia\\Diciopedia X DVD\\diciop.exe"=
"d:\\Programas\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\programas\Microsoft ActiveSync\rapimgr.exe"= c:\programas\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programas\Microsoft ActiveSync\wcescomm.exe"= c:\programas\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programas\Microsoft ActiveSync\WCESMgr.exe"= c:\programas\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"d:\\Programas\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"d:\\Programas\\Dreamcatcher\\Dungeon Lords\\dlords.exe"=
"c:\\Programas\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"d:\\Programas\\Activision\\Call of Duty 4-Modern Warefare\\iw3mp.exe"=
"c:\\Warcraft III\\War3.exe"=
"c:\\Warcraft III\\Warcraft III.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programas\\MSN Messenger\\livecall.exe"=
"c:\\Programas\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programas\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programas\\AVG\\AVG8\\avgnsx.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2008-08-04 24971]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-02 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-02 107272]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-02-12 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-02-12 31504]
R1 SLEE_13_DRIVER;Steganos Live Encryption Engine 13 [Driver];c:\windows\system32\drivers\slee13.sys [2005-10-04 16:42:36 74240]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-02 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-02 298264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1fe760b6-994c-11dc-b825-00112f436475}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ea44054-ff94-11dc-b925-00112f436475}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6922352a-c549-11dc-b883-00112f436475}]
\Shell\AutoRun\command - H:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6922352d-c549-11dc-b883-00112f436475}]
\Shell\AutoRun\command - F:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77309f6e-a9ee-11dd-bfce-00112f436475}]
\Shell\AutoRun\command - I:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{93eb80b0-aff0-11dc-b854-00112f436475}]
\Shell\AutoRun\command - G:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8787ffe-d105-11dc-b89f-00112f436475}]
\Shell\AutoRun\command - G:\AutoRun.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
2009-02-20 c:\windows\Tasks\User_Feed_Synchronization-{1412B3CE-9AAD-4EFE-AB49-D6EE60B3A4E4}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
2009-02-18 c:\windows\Tasks\WebReg Photosmart C5200 series.job
- c:\programas\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-11 20:27]
.
.
------- Scan Suplementar -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.suporte.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\XP\Application Data\Mozilla\Firefox\Profiles\0d3cegox.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.suporte.com/
FF - component: c:\programas\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\programas\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 00:22:59
Windows 5.1.2600 Service Pack 3 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\guard32.dll
- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\guard32.dll
.
Tempo para conclusão: 2009-02-20 0:27:49
ComboFix-quarantined-files.txt 2009-02-20 00:27:43
ComboFix2.txt 2009-02-14 18:59:53
ComboFix3.txt 2009-02-12 20:23:21
ComboFix4.txt 2008-03-01 23:57:23
ComboFix5.txt 2009-02-20 00:14:11
Pré-execução: 3.243.552.768 bytes livres
Pós execução: 3,227,652,096 bytes livres
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
298 --- E O F --- 2009-02-17 09:26:41
Logfile of HijackThis v1.99.1
Scan saved at 17:00:01, on 20-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\programas\quicktime\qttask.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programas\COMODO\COMODO Internet Security\cfp.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programas\MODEM MF620\Modem.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Java\jre6\bin\java.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\XP\Ambiente de trabalho\DOCUMENTOS DO AMBIENTE DE TRABALHO\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suporte.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programas\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programas\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Programas\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAID Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233575397359
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programas\Java\jre6\bin\jqs.exe" -service -config "C:\Programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
Hi,
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Delete items in C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine folder.
Reboot and post a fresh hjt log. How's the system running?
gei07091
2009-02-21, 12:21
So far so good, but yesterday I turned off my computer and then turned it on again, and there was that voice that said something like "cpu overclocking" (I'm not quite sure). Therefore the computer doesn't shut down, but I still get that voice when I turn on my computer.
I've made the operating system files visible and put the HJT log below.
Logfile of HijackThis v1.99.1
Scan saved at 10:15:30, on 21-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\programas\quicktime\qttask.exe
C:\Programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programas\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\SupportAppPT\ztemon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe
C:\Programas\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Programas\AVG\AVG8\avgcsrvx.exe
C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programas\MODEM MF620\Modem.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\XP\Ambiente de trabalho\DOCUMENTOS DO AMBIENTE DE TRABALHO\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suporte.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programas\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programas\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programas\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programas\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\programas\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Programas\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAID Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Livro de recortes HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Seleção HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programas\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233575397359
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D22CC91-96E7-4C25-96DD-394197990019}: NameServer = 212.55.154.174 10.11.12.14
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programas\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Programas\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Programas\Java\jre6\bin\jqs.exe" -service -config "C:\Programas\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ZTE CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppPT\ztemon.exe
So far so good, but yesterday I turned off my computer and then turned it on again, and there was that voice that said something like "cpu overclocking" (I'm not quite sure). Therefore the computer doesn't shut down, but I still get that voice when I turn on my computer.
Hi
That voice message doesn't seem to have anything to do with malware. It's a feature of the Asustek motherboard. Computer hardware isn't my strongest area, so I think it's better I guide you to ask for help at http://forums.pcpitstop.com :)
Anyway, you didn't post your log here for nothing since we successfully removed fake wdmaud.sys :)
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis
We need to re-hide system files. To do so, please follow the steps below:
* Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.
* Put a check by Hide file extensions for known file types.
* Under the Hidden files folder, select Show hidden files and folders.
* Check Hide protected operating system files.
* Click Apply, and then click OK.
Now let's uninstall ComboFix:
Click START then RUN
Now type "c:\documents and settings\XP\Ambiente de trabalho\Combofix.exe" /u in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
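The same Internet-zone changes applied through the registry rather than the dialog, as an added example that is not part of the helper's post. It assumes PowerShell is installed and uses Microsoft's documented zone layout (zone 3 = Internet; value IDs 1001, 1004, 1201, 1607, 1800, 1804; 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example, not from the helper's post: apply the Internet-zone settings
# listed in the steps above via the registry and report what changed.
# Assumption: documented layout under Zones\3 (Internet zone), where each
# DWORD is 0 = Enable, 1 = Prompt, 3 = Disable. Group Policy can override these.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Enable  = 0
$Prompt  = 1
$Disable = 3

# Value name -> (description, desired setting), matching the steps above.
$settings = @{
    '1001' = @('Download signed ActiveX controls',                          $Prompt)
    '1004' = @('Download unsigned ActiveX controls',                        $Disable)
    '1201' = @('Initialize and script ActiveX controls not marked as safe', $Disable)
    '1800' = @('Installation of desktop items',                             $Prompt)
    '1804' = @('Launching programs and files in an IFRAME',                 $Prompt)
    '1607' = @('Navigate sub-frames across different domains',              $Prompt)
}

# Turn a stored DWORD (or $null when the value is absent) into a readable label.
function Show-Setting($v) {
    if ($null -eq $v) { return 'unset' }
    switch ([int]$v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown($v)" } }
}

if (-not (Test-Path $zone)) { New-Item -Path $zone -Force | Out-Null }

foreach ($name in $settings.Keys) {
    $desc, $wanted = $settings[$name]
    $current = (Get-ItemProperty -Path $zone -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $wanted) {
        Write-Host ("already {0,-7} {1}" -f (Show-Setting $wanted), $desc)
        continue
    }
    Set-ItemProperty -Path $zone -Name $name -Value $wanted -Type DWord
    Write-Host ("{0,-7} -> {1,-7} {2}" -f (Show-Setting $current), (Show-Setting $wanted), $desc)
}
```

Run it as the user whose Internet Explorer settings you want to change; re-opening the Custom Level dialog afterwards shows the new values.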
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
* Click the Start button (at the lower left hand corner of your screen).
* Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client.
* Highlight it, then double-click it.
* In the dropdown box, change the setting from Automatic to Manual.
* Click OK.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently - it is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
gei07091
2009-02-22, 00:11
All systems go!
Just tell me something. Where can I learn the kind of knowledge you have (or any malware assistant has) about malware removal?
You're welcome :)
These places do teaching (list in alphabetical order):
Geeks to Go (http://www.geekstogo.com/forum/Would-you-like-to-learn-to-fight-malware-t4817.html)
Malware Removal (http://www.malwareremoval.com)
Spyware Info (http://www.spywareinfoforum.com/index.php?showtopic=34)
What the Tech (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.