Bifrose.LA



dorian_BR
2009-05-18, 17:33
Hello!

Please, I'd really appreciate it if someone could help me. Here's my problem:

I've run a scan with Spybot S&D, which found Bifrose.LA. I removed it, but that did nothing: I restarted the computer and the registry entries it had deleted came back.

I've also searched my computer for Bifrost files, but found nothing.

I've searched the registry for Bifrost entries and deleted the ones I found, but I think they were the same ones Spybot found, so they just keep coming back after restarts.

Here's the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:25, on 18/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Arquivos de programas\Avast4\aswUpdSv.exe
E:\Arquivos de programas\Avast4\ashServ.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Arquivos de programas\Google\Update\GoogleUpdate.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\svchost.exe
E:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Arquivos de programas\Bonjour\mDNSResponder.exe
E:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
E:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\svchost.exe
E:\Arquivos de programas\Avast4\ashMaiSv.exe
E:\Arquivos de programas\Avast4\ashWebSv.exe
E:\WINDOWS\System32\alg.exe
E:\ARQUIV~1\Avast4\ashDisp.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Arquivos de programas\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Arquivos de programas\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe
E:\Meus Downloads\Nova pasta (4)\HijackThis.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: run=
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Arquivos de programas\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (disabled by BHODemon)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast!] E:\ARQUIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "E:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Gbieh.2] gbiehdst.dll gbppsv.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - E:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228931293562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - E:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Arquivos de programas\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Arquivos de programas\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Arquivos de programas\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Arquivos de programas\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9cc0bcccba718) (gupdate1c9cc0bcccba718) - Google Inc. - E:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

--
End of file - 7950 bytes

Shaba
2009-05-19, 15:58
Hi dorian_BR

Please post the next Spybot report :)

dorian_BR
2009-05-19, 22:59
Hi Shaba! Thanks for your help. Kiitos.

Here's my spybot report:


--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Bifrose.LA: [SBI $D9EB7AA3] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-746137067-73586283-682003330-1003\Software\Bifrost

Bifrose.LA: [SBI $B9E7EB8B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-08-14 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-08-14 SDFiles.exe (1.6.0.4)
2008-08-14 SDMain.exe (1.0.0.6)
2008-08-14 SDShred.exe (1.0.2.3)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-08-14 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2009-03-05 TeaTimer.exe (1.6.6.32)
2008-08-22 unins000.exe (51.49.0.0)
2008-08-14 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-03-25 Includes\Adware.sbi (*)
2009-05-12 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-03-31 Includes\Dialer.sbi (*)
2009-05-12 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-04-21 Includes\Hijackers.sbi (*)
2009-05-12 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-05-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-05-13 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-12 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-05-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-12 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-05-12 Includes\Trojans.sbi (*)
2009-05-13 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Atualização de Segurança para o Windows Media Player (KB952069)
/ Windows Media Player 11: Atualização de Segurança para o Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix para o Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Atualização de Segurança para o Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Atualização Crítica para o Windows Media Player 11 (KB959772)
/ Windows XP: Atualização de Segurança para Windows XP (KB923689)
/ Windows XP: Atualização de Segurança para Windows XP (KB941569)
/ Windows XP / SP0: Atualização de Segurança para Windows Internet Explorer 7 (KB938127-v2)
/ Windows XP / SP0: Atualização de Segurança para Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Atualização de Segurança para Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Atualização de Segurança para Windows Internet Explorer 7 (KB960714)
/ Windows XP / SP0: Atualização de Segurança para Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Atualização de Segurança para Windows Internet Explorer 7 (KB963027)
/ Windows XP / SP0: Atualização para Windows Internet Explorer 8 (KB968220)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB923561)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB938464)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB938464-v2)
/ Windows XP / SP4: Hotfix para Windows XP (KB942288-v3)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB946648)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB950762)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB950974)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB951066)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB951376-v2)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB951698)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB951748)
/ Windows XP / SP4: Atualização para Windows XP (KB951978)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB952004)
/ Windows XP / SP4: Hotfix para Windows XP (KB952287)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB952954)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB954211)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB954600)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB955069)
/ Windows XP / SP4: Atualização para Windows XP (KB955839)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB956391)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB956572)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB956802)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB956803)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB956841)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB957095)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB957097)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB958215)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB958644)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB958687)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB958690)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB959426)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB960225)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB960715)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB960803)
/ Windows XP / SP4: Hotfix para Windows XP (KB961118)
/ Windows XP / SP4: Atualização de Segurança para Windows XP (KB961373)
/ Windows XP / SP4: Atualização para Windows XP (KB967715)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0


--- Startup entries list ---
Located: HK_LM:Run, avast!
command: E:\ARQUIV~1\Avast4\ashDisp.exe
file: E:\ARQUIV~1\Avast4\ashDisp.exe
size: 81000
MD5: 55EBFBAB39BFAB5E62358C093F297641

Located: HK_LM:Run, GEST
command: =
file: =
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, iTunesHelper
command: "E:\Arquivos de programas\iTunes\iTunesHelper.exe"
file: E:\Arquivos de programas\iTunes\iTunesHelper.exe
size: 342312
MD5: 6B0E8DEE62C0C9695C77F14482DDF178

Located: HK_LM:Run, RTHDCPL
command: RTHDCPL.EXE
file: E:\WINDOWS\RTHDCPL.EXE
size: 18082304
MD5: F4A847AAFD31959A0A355FC927C38A56

Located: HK_LM:Run, C-Media Mixer (DISABLED)
command: Mixer.exe /startup
file: E:\WINDOWS\Mixer.exe
size: 1216512
MD5: 2CF73C525241824679A62DCCF25C8832

Located: HK_LM:Run, C-Media Speaker Configuration (DISABLED)
command: E:\Meus Downloads\Nova pasta (3)\WinXP\Setup.exe /SPEAKER
file: E:\Meus Downloads\Nova pasta (3)\WinXP\Setup.exe
size: 491520
MD5: 236CF4B7F2C6083A586DB62382A1BD96

Located: HK_LM:Run, iTunesHelper (DISABLED)
command: "E:\Arquivos de programas\iTunes\iTunesHelper.exe"
file: E:\Arquivos de programas\iTunes\iTunesHelper.exe
size: 342312
MD5: 6B0E8DEE62C0C9695C77F14482DDF178

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "E:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
file: E:\Arquivos de programas\QuickTime\QTTask.exe
size: 413696
MD5: 0AB3C83FCB8EF6F56E4FB22089F0D3B9

Located: HK_LM:Run, VirtualCloneDrive (DISABLED)
command: "E:\Arquivos de programas\VirtualCloneDrive\VCDDaemon.exe" /s
file: E:\Arquivos de programas\VirtualCloneDrive\VCDDaemon.exe
size: 52168
MD5: 9F3287A1CAF6E365ED2B39BB8D44B0EA

Located: HK_LM:Run, VTTimer (DISABLED)
command: VTTimer.exe
file: E:\WINDOWS\system32\VTTimer.exe
size: 53248
MD5: AB973644B5CD45173915715782BBA273

Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: E:\WINDOWS\system32\CTFMON.EXE
file: E:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 4E486ADFE3A0B9ED0EB0639902E9F64F

Located: HK_CU:Run, CTFMON.EXE
where: PE_E_ADMINISTRADOR...
command: E:\WINDOWS\system32\ctfmon.exe
file: E:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 4E486ADFE3A0B9ED0EB0639902E9F64F

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-19...
command: E:\WINDOWS\system32\CTFMON.EXE
file: E:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 4E486ADFE3A0B9ED0EB0639902E9F64F

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-20...
command: E:\WINDOWS\system32\CTFMON.EXE
file: E:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 4E486ADFE3A0B9ED0EB0639902E9F64F

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-746137067-73586283-682003330-1003...
command: E:\WINDOWS\system32\ctfmon.exe
file: E:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 4E486ADFE3A0B9ED0EB0639902E9F64F

Located: HK_CU:RunOnce, FlashPlayerUpdate (DISABLED)
where: S-1-5-21-746137067-73586283-682003330-1003...
command: E:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
file: E:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
size: 235936
MD5: 0AE72A6CF7DA6440320BCF7241CE9ED4

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: E:\WINDOWS\system32\CTFMON.EXE
file: E:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 4E486ADFE3A0B9ED0EB0639902E9F64F

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{000123B4-9B42-4900-B3F7-F4B073EFC214} (btorbit.com)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: btorbit.com
CLSID name: Octh Class
Path: E:\Arquivos de programas\Orbitdownloader\
Long name: orbitcth.dll
Short name:
Date (created): 2/2/2009 17:46:24
Date (last access): 19/5/2009 17:34:06
Date (last write): 27/2/2009 10:01:04
Filesize: 134344
Attributes: archive
MD5: 720D9D57F404802915B3081A231BA141
CRC32: E641F45C
Version: 2.4.0.2

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Facilitador de Leitor de Link Adobe PDF)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Facilitador de Leitor de Link Adobe PDF
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: E:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 22/10/2006 23:08:42
Date (last access): 19/5/2009 17:34:06
Date (last write): 22/10/2006 23:08:42
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{31FF080D-12A3-439A-A2EF-4BA95A3148E8} (bho2gr Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: bho2gr Class
description: GetRight
classification: Legitimate
known filename: msie2gr.dll
info link: http://www.getright.com/
info source: TonyKlein
Path: E:\Arquivos de programas\GetRight\
Long name: xx2gr.dll
Short name:
Date (created): 14/6/2008 09:51:46
Date (last access): 19/5/2009 17:34:06
Date (last write): 14/2/2005 12:08:50
Filesize: 233472
Attributes: archive
MD5: 06EE81C0ABBCFCD09ED3B3A9798871D3
CRC32: 752B81F8
Version: 5.2.0.3

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: E:\ARQUIV~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 18/3/2008 21:47:14
Date (last access): 19/5/2009 17:34:04
Date (last write): 15/9/2008 14:25:44
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14

{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path:
Long name: __BHODemonDisabled

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: E:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll__BHODemonDisabled

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: E:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.3572\
Long name: swg.dll
Short name:
Date (created): 4/5/2009 15:20:36
Date (last access): 19/5/2009 17:32:44
Date (last write): 4/5/2009 15:20:36
Filesize: 668656
Attributes: archive
MD5: D1585B06DED161E13B905DC4FFBF7F12
CRC32: 88D5BAA5
Version: 5.1.1309.3572



--- ActiveX list ---
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: E:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228931293562
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: E:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 16/10/2008 14:07:48
Date (last access): 19/5/2009 17:34:06
Date (last write): 16/10/2008 14:07:48
Filesize: 208744
Attributes: archive
MD5: 90058C2AD9FC43A3B3D59F82FFC6AEA7
CRC32: 7D5F90FA
Version: 7.2.6001.788

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: E:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: E:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9f.ocx
Short name:
Date (created): 24/3/2008 23:32:42
Date (last access): 19/5/2009 17:34:06
Date (last write): 24/3/2008 23:32:42
Filesize: 2991488
Attributes: readonly archive
MD5: 48FDF435B8595604E54125B321924510
CRC32: 12335E29
Version: 9.0.124.0



--- Process list ---
PID: 0 ( 0) [System]
PID: 728 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 776 ( 728) \??\E:\WINDOWS\system32\csrss.exe
size: 6144
PID: 808 ( 728) \??\E:\WINDOWS\system32\winlogon.exe
size: 509952
PID: 852 ( 808) E:\WINDOWS\system32\services.exe
size: 111104
MD5: C52DEB6D8CD4B096BF1A9EC001F36507
PID: 864 ( 808) E:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 9607142710D3B64AB7FCCE4BE4E30D37
PID: 1040 ( 852) E:\WINDOWS\system32\Ati2evxx.exe
size: 598016
MD5: ECA673779ECD27D674953D692FE070F6
PID: 1064 ( 852) E:\WINDOWS\system32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 1132 ( 852) E:\WINDOWS\system32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 1232 ( 852) E:\WINDOWS\System32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 1356 ( 852) E:\WINDOWS\system32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 1432 ( 852) E:\WINDOWS\system32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 1476 ( 852) E:\Arquivos de programas\Avast4\aswUpdSv.exe
size: 18752
MD5: 118F964817982E771B8953DF2E99E3AB
PID: 1524 ( 852) E:\Arquivos de programas\Avast4\ashServ.exe
size: 155160
MD5: E1D075B489A5E6E294E968501184C5F6
PID: 1588 ( 808) E:\WINDOWS\system32\Ati2evxx.exe
size: 598016
MD5: ECA673779ECD27D674953D692FE070F6
PID: 1908 ( 852) E:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: AF1D9AE15C11163F576DF6ED6194B53C
PID: 424 (1232) E:\Arquivos de programas\Google\Update\GoogleUpdate.exe
size: 133104
MD5: 626A24ED1228580B9518C01930936DF9
PID: 516 ( 276) E:\WINDOWS\Explorer.EXE
size: 1035776
MD5: 064EC7FF5F58B928C3E119402977FA6D
PID: 636 ( 852) E:\WINDOWS\system32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 720 ( 852) E:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 132424
MD5: 367592EFCA7FF8B4CE11AB6B0744E1E2
PID: 124 ( 852) E:\Arquivos de programas\Bonjour\mDNSResponder.exe
size: 238888
MD5: 3F56903E124E820AEECE6D471583C6C1
PID: 1328 ( 852) E:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
size: 61440
MD5: 559C9B7800FAC92FC515CD0003D7C631
PID: 1872 ( 852) E:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
size: 836904
MD5: A0101E836D2A39682E134C47B1565256
PID: 2280 ( 852) E:\WINDOWS\system32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 2492 ( 852) E:\Arquivos de programas\Avast4\ashMaiSv.exe
size: 254040
MD5: 2D697C9C4FBDA956E4BE318C334CD95E
PID: 2516 ( 852) E:\Arquivos de programas\Avast4\ashWebSv.exe
size: 352920
MD5: B9FD2B7A954A45963C3BF932DB10A633
PID: 2820 ( 852) E:\WINDOWS\System32\alg.exe
size: 44544
MD5: 6D2018AEE93285F2A8BEF55D722187A3
PID: 3208 ( 516) E:\ARQUIV~1\Avast4\ashDisp.exe
size: 81000
MD5: 55EBFBAB39BFAB5E62358C093F297641
PID: 3216 ( 516) E:\WINDOWS\RTHDCPL.EXE
size: 18082304
MD5: F4A847AAFD31959A0A355FC927C38A56
PID: 3236 ( 516) E:\Arquivos de programas\iTunes\iTunesHelper.exe
size: 342312
MD5: 6B0E8DEE62C0C9695C77F14482DDF178
PID: 3248 ( 516) E:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 4E486ADFE3A0B9ED0EB0639902E9F64F
PID: 3644 ( 852) E:\Arquivos de programas\iPod\bin\iPodService.exe
size: 656168
MD5: F055C1760ABFA52B159985E551EA0EDC
PID: 1288 ( 852) E:\WINDOWS\System32\svchost.exe
size: 14336
MD5: ED2D69CD4B0EBE37EFE11D4DC4ABC68F
PID: 2384 ( 516) E:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
size: 4891984
MD5: 9C8F0F34F66BB845B42F70E92A972B5F
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 19/5/2009 17:47:28

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://www.google.com/


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EE79FDD1-68B0-47EE-B73C-5F5886EE67F3}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EE79FDD1-68B0-47EE-B73C-5F5886EE67F3}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A300E0BF-9E69-4539-AD3F-97E8A69C69D4}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A300E0BF-9E69-4539-AD3F-97E8A69C69D4}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{04D8C8CC-0655-4BF7-AE18-D4946C33519E}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{04D8C8CC-0655-4BF7-AE18-D4946C33519E}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D4327875-62FD-44CB-AAD2-8F8283DBD10D}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D4327875-62FD-44CB-AAD2-8F8283DBD10D}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4ABB087A-380B-4EE3-8949-C4369D80B6BB}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4ABB087A-380B-4EE3-8949-C4369D80B6BB}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A9791FE-CD1B-40EF-8768-DB5E08BC4D09}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0A9791FE-CD1B-40EF-8768-DB5E08BC4D09}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BBC66AA6-9514-4A38-9427-B34EB1ED4E72}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BBC66AA6-9514-4A38-9427-B34EB1ED4E72}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: E:\Arquivos de programas\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP

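The Winsock provider list above is one of the places a backdoor can insert itself to see or redirect network traffic, so it is worth checking mechanically rather than by eye. As an added example, not part of the original post or of HijackThis, the Python below parses a dump in exactly this format and flags any provider whose DLL is not a stock Microsoft provider sitting directly in %SystemRoot%\system32, or whose path does not match the HijackThis database entry. The sample input is three entries copied from the list above; the set of stock provider DLL names and the rule that they belong directly in system32 are my assumptions.

```python
"""Triage a HijackThis-style Winsock LSP / namespace-provider dump (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: three entries copied verbatim from the dump above
# (a Microsoft transport provider, a Microsoft namespace provider, and the
# Apple Bonjour namespace provider). Not a live export.
SAMPLE_LSP_DUMP = r"""
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: E:\Arquivos de programas\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
"""

HEADER_RE = re.compile(r"^(Protocol|Namespace Provider) (\d+): (.+)$")
# Assumption: the stock Winsock provider DLLs on XP, which belong directly in
# %SystemRoot%\system32. Anything else is third-party and needs a look.
STOCK_PROVIDER_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}


@dataclass
class Provider:
    kind: str            # "Protocol" or "Namespace Provider"
    index: int
    name: str
    guid: str = ""
    filename: str = ""
    db_filename: str = ""
    findings: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    parent = path.replace("/", "\\").rsplit("\\", 1)[0].lower()
    return parent == "%systemroot%\\system32"


def parse_lsp_dump(text: str) -> List[Provider]:
    """Split the dump into blank-line-separated blocks, one provider each."""
    providers: List[Provider] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue
        p = Provider(kind=header.group(1), index=int(header.group(2)), name=header.group(3).strip())
        for line in lines[1:]:
            key, _, value = line.partition(":")   # paths contain ':' (E:\...), so split once
            key, value = key.strip().lower(), value.strip()
            if key == "guid":
                p.guid = value
            elif key == "filename":
                p.filename = value
            elif key == "db filename":
                p.db_filename = value
        providers.append(p)
    return providers


def triage(p: Provider) -> Provider:
    name = basename(p.filename)
    if name in STOCK_PROVIDER_DLLS and in_system32(p.filename):
        return p                                   # stock provider in its normal place
    if name in STOCK_PROVIDER_DLLS:
        p.findings.append(f"stock provider DLL loaded from an unexpected path: {p.filename}")
    else:
        p.findings.append(f"third-party provider DLL: {p.filename}")
    if not p.db_filename:
        p.findings.append("provider is not in the HijackThis LSP database")
    elif basename(p.db_filename) != name:
        p.findings.append(f"DLL name differs from the database entry: {p.db_filename}")
    elif p.db_filename.lower() != p.filename.lower():
        p.findings.append("installed in a different directory than the database entry expects")
    return p


def suspicious_providers(text: str) -> List[Provider]:
    flagged = []
    for p in parse_lsp_dump(text):
        triage(p)
        if p.findings:
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for p in suspicious_providers(SAMPLE_LSP_DUMP):
        print(f"{p.kind} {p.index} ({p.name}) {p.guid}")
        for finding in p.findings:
            print("  -", finding)
```

On this dump the only hit is Bonjour's mdnsNSP.dll, installed under the localized Program Files directory rather than the path the HijackThis database expects; that is the normal result on a Portuguese Windows, not evidence of tampering. Names and paths only say where a DLL is loaded from: a replaced mswsock.dll in its usual location passes this check, so confirm the file's hash or signature as well.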
Shaba
2009-05-20, 06:10
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

dorian_BR
2009-05-20, 15:34
Here's the ComboFix log:

ComboFix 09-05-19.08 - IGOR 20/05/2009 10:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3070.2582 [GMT -3:00]
Running from: e:\documents and settings\IGOR\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090518-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* A new restore point was created
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\IGOR\Dados de aplicativos\addons.dat
e:\documents and settings\IGOR\e7h6t87k3.exe
e:\windows\svchost
e:\windows\system32\nsprs.dll
e:\windows\system32\serauth1.dll
e:\windows\system32\serauth2.dll
e:\windows\system32\ssprs.dll

.
(((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 ))))))))))))))))))))))))))))
.

2009-05-18 13:29 . 2009-05-18 13:30 -------- d-----w e:\arquivos de programas\ERUNT
2009-05-16 23:19 . 2009-05-16 23:19 -------- d-sh--w e:\documents and settings\Administrador\PrivacIE
2009-05-16 18:52 . 2009-05-16 19:28 -------- d-----w E:\silentrunners
2009-05-16 17:38 . 2009-05-16 17:38 -------- d--h--w e:\windows\PIF
2009-05-14 01:30 . 2009-05-14 01:30 -------- d-sh--w e:\documents and settings\Administrador\IETldCache
2009-05-12 20:40 . 2009-05-12 20:40 -------- d-----w e:\documents and settings\IGOR\Dados de aplicativos\U3
2009-05-04 18:20 . 2009-05-04 18:20 -------- d-sh--w e:\documents and settings\LocalService\IETldCache
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\arquivos de programas\iPod
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\documents and settings\All Users\Dados de aplicativos\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\arquivos de programas\iTunes
2009-05-03 16:18 . 2009-05-19 20:34 -------- d-----w e:\documents and settings\All Users\Dados de aplicativos\Google Updater
2009-04-30 14:11 . 2009-04-30 14:11 -------- d-sh--w e:\documents and settings\IGOR\IECompatCache
2009-04-30 14:05 . 2009-04-30 14:05 -------- d-sh--w e:\documents and settings\IGOR\PrivacIE
2009-04-30 14:04 . 2009-04-30 14:04 -------- d-sh--w e:\documents and settings\NetworkService\IETldCache
2009-04-30 14:04 . 2009-04-30 14:04 -------- d-sh--w e:\documents and settings\IGOR\IETldCache
2009-04-30 14:02 . 2009-04-30 14:02 -------- d-----w e:\windows\ie8updates
2009-04-30 14:02 . 2009-02-28 04:55 105984 -c----w e:\windows\system32\dllcache\iecompat.dll
2009-04-30 14:00 . 2009-04-30 14:02 -------- dc-h--w e:\windows\ie8
2009-04-22 03:20 . 2009-04-22 03:20 14311680 ----a-w e:\windows\system32\xlive.dll
2009-04-22 03:20 . 2009-04-22 03:20 13642496 ----a-w e:\windows\system32\xlivefnt.dll

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 22:45 . 2008-05-05 13:55 -------- d-----w e:\arquivos de programas\Google
2009-05-17 00:05 . 2009-02-02 20:46 -------- d-----w e:\arquivos de programas\Orbitdownloader
2009-05-16 20:41 . 2008-06-14 12:51 -------- d-----w e:\arquivos de programas\GetRight
2009-05-08 14:27 . 2008-03-22 02:26 -------- d-----w e:\arquivos de programas\eMule
2009-05-04 16:54 . 2009-02-09 01:56 -------- d-----w e:\arquivos de programas\Arquivos comuns\Apple
2009-04-19 14:07 . 2009-04-19 14:04 -------- d-----w e:\arquivos de programas\TimeAdjuster
2009-04-17 15:47 . 2009-04-17 15:46 -------- d-----w e:\arquivos de programas\FormatFactory
2009-04-17 12:16 . 2001-10-28 18:07 79240 ----a-w e:\windows\system32\perfc016.dat
2009-04-17 12:16 . 2001-10-28 18:07 468462 ----a-w e:\windows\system32\perfh016.dat
2009-03-19 19:32 . 2009-02-09 01:59 23400 ----a-w e:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 07:34 . 2004-08-04 03:45 914944 ----a-w e:\windows\system32\wininet.dll
2009-03-08 07:34 . 2004-08-04 03:45 43008 ----a-w e:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2004-08-04 03:45 18944 ----a-w e:\windows\system32\corpol.dll
2009-03-08 07:33 . 2004-08-04 03:45 420352 ----a-w e:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2004-08-04 03:45 72704 ----a-w e:\windows\system32\admparse.dll
2009-03-08 07:32 . 2004-08-04 03:45 71680 ----a-w e:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2004-08-04 03:45 34816 ----a-w e:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2004-08-04 03:44 48128 ----a-w e:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2004-08-04 03:45 45568 ----a-w e:\windows\system32\mshta.exe
2009-03-08 07:22 . 2001-10-28 18:07 156160 ----a-w e:\windows\system32\msls31.dll
2009-03-06 14:20 . 2004-08-04 03:45 286208 ----a-w e:\windows\system32\pdh.dll
2009-03-06 02:59 . 2009-02-09 01:57 36864 ----a-w e:\windows\system32\drivers\usbaapl.sys
2009-03-06 02:59 . 2008-09-10 01:47 1900544 ----a-w e:\windows\system32\usbaaplrc.dll
2008-03-23 04:22 . 2008-03-23 04:22 61 --sh--w e:\windows\cnerolf.dat
.

(((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"avast!"="e:\arquiv~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"iTunesHelper"="e:\arquivos de programas\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.EXE [2008-12-30 18082304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Speaker Configuration"=e:\meus downloads\Nova pasta (3)\WinXP\Setup.exe /SPEAKER
"VirtualCloneDrive"="e:\arquivos de programas\VirtualCloneDrive\VCDDaemon.exe" /s
"iTunesHelper"="e:\arquivos de programas\iTunes\iTunesHelper.exe"
"C-Media Mixer"=Mixer.exe /startup
"VTTimer"=VTTimer.exe
"QuickTime Task"="e:\arquivos de programas\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Arquivos de programas\\eMule\\emule.exe"=
"e:\\Arquivos de programas\\EA GAMES\\Battlefield 2\\BF2.exe"=
"e:\\WINDOWS\\system32\\dpnsvr.exe"=
"e:\\UT2004\\System\\UT2004.exe"=
"e:\\Arquivos de programas\\TmUnitedForever\\TmForever.exe"=
"e:\\Arquivos de programas\\Commandos II\\comm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"e:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"e:\\Arquivos de programas\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"e:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"e:\\Meus Downloads\\utorrent.exe"=
"e:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"e:\\Arquivos de programas\\Codemasters\\GRID\\GRID.exe"=
"e:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"e:\\Arquivos de programas\\Orbitdownloader\\orbitdm.exe"=
"e:\\Arquivos de programas\\Orbitdownloader\\orbitnet.exe"=
"c:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"e:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R0 ViBus;ViBus;e:\windows\system32\drivers\ViBus.sys [18/3/2008 17:07 16896]
R0 ViPrt;VIA SATA IDE Device Driver;e:\windows\system32\drivers\ViPrt.sys [18/3/2008 17:07 52224]
R1 aswSP;avast! Self Protection;e:\windows\system32\drivers\aswSP.sys [30/3/2008 21:53 111184]
R1 BIOS;BIOS;e:\windows\system32\drivers\BIOS.sys [18/3/2008 17:06 13696]
R1 BS_I2cIo;BS_I2cIo;e:\windows\system32\drivers\BS_I2cIo.sys [19/3/2008 15:54 8192]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [30/3/2008 21:53 20560]
S2 gupdate1c9cc0bcccba718;Google Update Service (gupdate1c9cc0bcccba718);e:\arquivos de programas\Google\Update\GoogleUpdate.exe [3/5/2009 13:25 133104]
S3 GMFilter;GMFilter HID Filter Driver;e:\windows\system32\drivers\GMFilter.sys [23/3/2008 13:51 19840]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 S3GIGP;S3GIGP;e:\windows\system32\drivers\S3gIGPm.sys [11/7/2007 13:08 714240]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\system32\rundll32.exe" "e:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-33WE-AAX5-14KC2A323342}]
c:\data\DELETED\POWER.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{91F6B99D-3EDC-CBE5-41C0-F82230C16D25}]
e:\windows\system32\SV121\svchost2.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 e:\windows\Tasks\Google Software Updater.job
- e:\arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-03 18:20]

2009-05-20 e:\windows\Tasks\GoogleUpdateTaskMachine.job
- e:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-05-03 16:25]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-Gbieh.2 - gbiehdst.dll


.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: &Download by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - e:\arquivos de programas\GetRight\GRdownload.htm
IE: E&xportar para o Microsoft Excel - e:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - e:\arquivos de programas\GetRight\GRbrowse.htm
TCP: {BBC66AA6-9514-4A38-9427-B34EB1ED4E72} = 189.1.1.10 189.1.1.249
FF - ProfilePath - e:\documents and settings\IGOR\Dados de aplicativos\Mozilla\Firefox\Profiles\1o5qyicl.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/firefox
FF - plugin: e:\arquivos de programas\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\arquivos de programas\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: e:\arquivos de programas\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: e:\arquivos de programas\Mozilla Firefox\plugins\NPGetRt.dll

---- FIREFOX POLICIES ----
e:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
.
------- File Associations -------
.
inffile=Notepad.exe "%1"
inifile=Notepad.exe "%1"
txtfile=Notepad.exe "%1"
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 10:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-73586283-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:21,27,4d,79,8f,a7,39,8b,97,94,a6,3d,d4,05,1c,fd,1f,f9,ef,64,3e,
09,f7,fa,06,6d,4d,27,71,84,fb,ca,99,de,cc,98,93,d7,b1,64,6b,25,8a,65,8b,e0,\
"rkeysecu"=hex:31,7a,d4,d4,9d,14,a8,b5,27,34,53,d3,a8,5b,20,e2

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="E?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
e:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-20 10:12
ComboFix-quarantined-files.txt 2009-05-20 13:12

Pre-Run: 23 folder(s) 59,805,437,952 bytes free
Post-Run: 22 folder(s) 59,819,081,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

206 --- E O F --- 2008-12-11 20:21




>>>> And here's the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:30, on 20/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\Arquivos de programas\Avast4\aswUpdSv.exe
E:\Arquivos de programas\Avast4\ashServ.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\svchost.exe
E:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Arquivos de programas\Bonjour\mDNSResponder.exe
E:\Arquivos de programas\Google\Update\GoogleUpdate.exe
E:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
E:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\svchost.exe
E:\Arquivos de programas\Avast4\ashMaiSv.exe
E:\Arquivos de programas\Avast4\ashWebSv.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\Explorer.EXE
E:\ARQUIV~1\Avast4\ashDisp.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Arquivos de programas\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Arquivos de programas\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe
E:\Meus Downloads\Nova pasta (4)\HijackThis.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Arquivos de programas\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (disabled by BHODemon)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast!] E:\ARQUIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "E:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - E:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228931293562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - E:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Arquivos de programas\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Arquivos de programas\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Arquivos de programas\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Arquivos de programas\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9cc0bcccba718) (gupdate1c9cc0bcccba718) - Google Inc. - E:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

--
End of file - 7932 bytes

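ComboFix lists the Active Setup "Installed Components" keys as a load point because Windows compares the HKLM and HKCU copies of each component at logon and runs the component's StubPath when the per-user copy is missing or older, so it works as persistence even after the usual Run keys are cleaned. Two of the three entries in the log above deserve a closer look: one component ID contains letters that cannot occur in a GUID, and another points at a `svchost2.exe` in a subfolder of system32. As an added example, not part of the original thread or of ComboFix, the Python below parses that section of a ComboFix log and applies exactly those checks. The GUID syntax rule is hard; the trusted-directory list and the look-alike-name heuristic are my assumptions and will need tuning for other machines.

```python
"""Triage Active Setup 'Installed Components' load points from a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the three Active Setup entries exactly as ComboFix printed
# them in the 'Registry Load Points' section above. Not a live registry export.
SAMPLE_COMBOFIX_SECTION = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\system32\rundll32.exe" "e:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-33WE-AAX5-14KC2A323342}]
c:\data\DELETED\POWER.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{91F6B99D-3EDC-CBE5-41C0-F82230C16D25}]
e:\windows\system32\SV121\svchost2.exe s
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\(?P<id>[^\]]+)\]$",
    re.IGNORECASE,
)
# A component ID must be a registry-format GUID: 8-4-4-4-12 hex digits in braces.
# Stock Microsoft entries sometimes carry a leading '>', which is stripped first.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# Assumptions for the path heuristics: where software normally lives on this box
# (Windows, Program Files and its Portuguese name from the log), and the XP
# system binaries that live directly in system32 and are often impersonated.
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files|arquivos de programas)\\", re.IGNORECASE)
SYSTEM_EXE_NAMES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe",
                    "winlogon.exe", "services.exe", "smss.exe", "explorer.exe"}


@dataclass
class LoadPoint:
    component_id: str
    stub_path: str
    findings: List[str] = field(default_factory=list)


def first_executable(command: str) -> Optional[str]:
    """Return the program part of a StubPath command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else None
    return command.split(" ", 1)[0] or None


def parse_active_setup(text: str) -> List[LoadPoint]:
    """Pair each Active Setup key header with the StubPath line that follows it."""
    points: List[LoadPoint] = []
    pending_id: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            pending_id = m.group("id")
        elif pending_id and line:
            points.append(LoadPoint(component_id=pending_id, stub_path=line))
            pending_id = None
    return points


def triage(lp: LoadPoint) -> LoadPoint:
    if not GUID_RE.match(lp.component_id.lstrip(">")):
        lp.findings.append(f"component ID is not a well-formed GUID: {lp.component_id}")
    exe = first_executable(lp.stub_path)
    if exe is None:
        lp.findings.append("StubPath has no executable")
        return lp
    exe_norm = exe.lower().replace("/", "\\")
    directory, _, name = exe_norm.rpartition("\\")
    if not TRUSTED_DIR_RE.match(exe_norm):
        lp.findings.append(f"executable outside Windows and Program Files: {exe}")
    if name not in SYSTEM_EXE_NAMES and re.sub(r"\d+", "", name) in SYSTEM_EXE_NAMES:
        lp.findings.append(f"file name mimics a Windows system binary: {name}")
    if name in SYSTEM_EXE_NAMES and not re.fullmatch(r"[a-z]:\\windows\\system32", directory):
        lp.findings.append(f"system binary name running from outside system32: {exe}")
    return lp


def flagged_load_points(text: str) -> List[LoadPoint]:
    return [lp for lp in map(triage, parse_active_setup(text)) if lp.findings]


if __name__ == "__main__":
    for lp in flagged_load_points(SAMPLE_COMBOFIX_SECTION):
        print(lp.component_id, "->", lp.stub_path)
        for finding in lp.findings:
            print("  -", finding)
```

Run against the sample it flags `{67KLN5J0-...}` (malformed GUID, executable outside Windows and Program Files) and `{91F6B99D-...}` (svchost look-alike), while the stock IE branding entry with the `>` prefix passes. A finding is a reason to examine the file (hash, signer, creation time, whether it still exists), not a verdict; equally, a well-formed GUID and a system32 path prove nothing on their own, since a genuine CLSID is copied as easily as a genuine path.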
Shaba
2009-05-20, 15:53
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

dorian_BR
2009-05-20, 18:49
Here it is:

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.3 - Português
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
WinRAR archiver
ATI Display Driver
Critical Update for Windows Media Player 11 (KB959772)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
avast! Antivirus
AviSynth 2.5
AVS DVD Player version 2.4
Battlefield 2(TM)
Bonjour
Call of Duty(R) - World at War(TM)
Call of Duty(R) - World at War(TM) 1.2 Patch
Call of Duty(R) 2
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
Commandos 2: Men of Courage
Creative WebCam Center
Creative WebCam Instant Driver (1.01.02.0729)
DivXLand Media Subtitler
DVD Flick
eMule
ERUNT 1.1j
FLV Player 2.0 (build 25)
FormatFactory 1.80
Fraps
Futuremark SystemInfo
GetRight
Google Earth
Google Update Helper
Google Updater
Grand Theft Auto IV
GRID
Creative WebCam Instant User's Guide (Portuguese)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix para o Windows Media Player 11 (KB939683)
Hotfix para Windows XP (KB942288-v3)
Hotfix para Windows XP (KB952287)
Hotfix para Windows XP (KB961118)
iTunes
Java(TM) 6 Update 5
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTB
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTB
Microsoft .NET Framework 3.5 Language Pack SP1 - ptb
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator X
Microsoft Flight Simulator X
Microsoft Flight Simulator X Service Pack 1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edição 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
Nero 8
Oblivion
Oblivion mod manager 1.1.12
OpenAL
Orbit Downloader
Pacote de Compatibilidade para o sistema Office 2007
Pacote de Idiomas do Microsoft .NET Framework 3.5 SP1 - PTB
PCI Audio Driver
PDF Settings
PowerISO
QuickTime
Real Alternative 1.9.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Rockstar Games Social Club
Skype™ 3.8
Sniper Elite
Space Shuttle
SPORE™
SPORE™ Coleção de Partes Medonhas & Fofinhas
Spybot - Search & Destroy
Test Drive Unlimited
The Sims 2
TmUnitedForever
Tom Clancy's Rainbow Six Vegas 2
UltraISO Premium V9.3
Unreal Tournament 2004
USB all-in-one game controller
VIA Gerenciador de dispositivo de plataforma
VIA Rhine-Family Fast-Ethernet Adapter
Videora iPod touch Converter 4.05
VirtualCloneDrive
Winamp (remove only)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Language Pack 1.0
Xvid 1.1.3 final uninstall

Shaba
2009-05-20, 19:07
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

uTorrent
eMule


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall log scan when finished and post the log back here.

dorian_BR
2009-05-21, 05:12
OK then, I've just uninstalled eMule and uTorrent, here's the new log:

Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.3 - Português
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
Arquivo do WinRAR
ATI Display Driver
Atualização Crítica para o Windows Media Player 11 (KB959772)
Atualização de Segurança para o Windows Media Player (KB952069)
Atualização de Segurança para o Windows Media Player 11 (KB936782)
Atualização de Segurança para o Windows Media Player 11 (KB954154)
Atualização de Segurança para Windows Internet Explorer 7 (KB938127-v2)
Atualização de Segurança para Windows Internet Explorer 7 (KB956390)
Atualização de Segurança para Windows Internet Explorer 7 (KB958215)
Atualização de Segurança para Windows Internet Explorer 7 (KB960714)
Atualização de Segurança para Windows Internet Explorer 7 (KB961260)
Atualização de Segurança para Windows Internet Explorer 7 (KB963027)
Atualização de Segurança para Windows XP (KB923561)
Atualização de Segurança para Windows XP (KB938464)
Atualização de Segurança para Windows XP (KB938464-v2)
Atualização de Segurança para Windows XP (KB941569)
Atualização de Segurança para Windows XP (KB946648)
Atualização de Segurança para Windows XP (KB950762)
Atualização de Segurança para Windows XP (KB950974)
Atualização de Segurança para Windows XP (KB951066)
Atualização de Segurança para Windows XP (KB951376-v2)
Atualização de Segurança para Windows XP (KB951698)
Atualização de Segurança para Windows XP (KB951748)
Atualização de Segurança para Windows XP (KB952004)
Atualização de Segurança para Windows XP (KB952954)
Atualização de Segurança para Windows XP (KB954211)
Atualização de Segurança para Windows XP (KB954459)
Atualização de Segurança para Windows XP (KB954600)
Atualização de Segurança para Windows XP (KB955069)
Atualização de Segurança para Windows XP (KB956391)
Atualização de Segurança para Windows XP (KB956572)
Atualização de Segurança para Windows XP (KB956802)
Atualização de Segurança para Windows XP (KB956803)
Atualização de Segurança para Windows XP (KB956841)
Atualização de Segurança para Windows XP (KB957095)
Atualização de Segurança para Windows XP (KB957097)
Atualização de Segurança para Windows XP (KB958215)
Atualização de Segurança para Windows XP (KB958644)
Atualização de Segurança para Windows XP (KB958687)
Atualização de Segurança para Windows XP (KB958690)
Atualização de Segurança para Windows XP (KB959426)
Atualização de Segurança para Windows XP (KB960225)
Atualização de Segurança para Windows XP (KB960715)
Atualização de Segurança para Windows XP (KB960803)
Atualização de Segurança para Windows XP (KB961373)
Atualização para Windows Internet Explorer 8 (KB968220)
Atualização para Windows XP (KB951978)
Atualização para Windows XP (KB955839)
Atualização para Windows XP (KB967715)
avast! Antivirus
AviSynth 2.5
AVS DVD Player version 2.4
Battlefield 2(TM)
Bonjour
Call of Duty(R) - World at War(TM)
Call of Duty(R) - World at War(TM) 1.2 Patch
Call of Duty(R) 2
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
Commandos 2: Men of Courage
Creative WebCam Center
Creative WebCam Instant Driver (1.01.02.0729)
DivXLand Media Subtitler
DVD Flick
FLV Player 2.0 (build 25)
FormatFactory 1.80
Fraps
Futuremark SystemInfo
GetRight
Google Earth
Google Update Helper
Google Updater
Grand Theft Auto IV
GRID
Guia do Usuário da Creative WebCam Instant (Português)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix para o Windows Media Player 11 (KB939683)
Hotfix para Windows XP (KB942288-v3)
Hotfix para Windows XP (KB952287)
Hotfix para Windows XP (KB961118)
iTunes
Java(TM) 6 Update 5
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTB
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTB
Microsoft .NET Framework 3.5 Language Pack SP1 - ptb
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Flight Simulator X
Microsoft Flight Simulator X
Microsoft Flight Simulator X Service Pack 1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edição 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
Nero 8
Oblivion
Oblivion mod manager 1.1.12
OpenAL
Orbit Downloader
Pacote de Compatibilidade para o sistema Office 2007
Pacote de Idiomas do Microsoft .NET Framework 3.5 SP1 - PTB
PCI Audio Driver
PDF Settings
PowerISO
QuickTime
Real Alternative 1.9.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Rockstar Games Social Club
Skype™ 3.8
Sniper Elite
Space Shuttle
SPORE™
SPORE™ Coleção de Partes Medonhas & Fofinhas
Spybot - Search & Destroy
Test Drive Unlimited
The Sims 2
TmUnitedForever
Tom Clancy's Rainbow Six Vegas 2
UltraISO Premium V9.3
Unreal Tournament 2004
USB all-in-one game controller
VIA Gerenciador de dispositivo de plataforma
VIA Rhine-Family Fast-Ethernet Adapter
Videora iPod touch Converter 4.05
VirtualCloneDrive
Winamp (remove only)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Language Pack 1.0
Xvid 1.1.3 final uninstall

Shaba
2009-05-21, 08:53
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
e:\Meus Downloads\utorrent.exe

Folder::
e:\arquivos de programas\eMule
e:\Arquivos de programas\uTorrent

DirLook::
e:\windows\system32\SV121

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\Arquivos de programas\\eMule\\emule.exe"=-
"e:\\Meus Downloads\\utorrent.exe"=-
"e:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

dorian_BR
2009-05-21, 15:33
Here's the ComboFix log:

ComboFix 09-05-19.08 - IGOR 21/05/2009 10:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3070.2587 [GMT -3:00]
Running from: e:\documents and settings\IGOR\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\IGOR\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090519-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
e:\meus downloads\utorrent.exe
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\IGOR\Dados de aplicativos\addons.dat
e:\meus downloads\utorrent.exe

.
(((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 ))))))))))))))))))))))))))))
.

2009-05-16 23:19 . 2009-05-16 23:19 -------- d-sh--w e:\documents and settings\Administrador\PrivacIE
2009-05-16 18:52 . 2009-05-16 19:28 -------- d-----w E:\silentrunners
2009-05-16 17:38 . 2009-05-16 17:38 -------- d--h--w e:\windows\PIF
2009-05-14 01:30 . 2009-05-14 01:30 -------- d-sh--w e:\documents and settings\Administrador\IETldCache
2009-05-12 20:40 . 2009-05-12 20:40 -------- d-----w e:\documents and settings\IGOR\Dados de aplicativos\U3
2009-05-04 18:20 . 2009-05-04 18:20 -------- d-sh--w e:\documents and settings\LocalService\IETldCache
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\arquivos de programas\iPod
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\documents and settings\All Users\Dados de aplicativos\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\arquivos de programas\iTunes
2009-05-03 16:18 . 2009-05-20 23:45 -------- d-----w e:\documents and settings\All Users\Dados de aplicativos\Google Updater
2009-04-30 14:11 . 2009-04-30 14:11 -------- d-sh--w e:\documents and settings\IGOR\IECompatCache
2009-04-30 14:05 . 2009-04-30 14:05 -------- d-sh--w e:\documents and settings\IGOR\PrivacIE
2009-04-30 14:04 . 2009-04-30 14:04 -------- d-sh--w e:\documents and settings\NetworkService\IETldCache
2009-04-30 14:04 . 2009-04-30 14:04 -------- d-sh--w e:\documents and settings\IGOR\IETldCache
2009-04-30 14:02 . 2009-04-30 14:02 -------- d-----w e:\windows\ie8updates
2009-04-30 14:02 . 2009-02-28 04:55 105984 -c----w e:\windows\system32\dllcache\iecompat.dll
2009-04-30 14:00 . 2009-04-30 14:02 -------- dc-h--w e:\windows\ie8
2009-04-22 03:20 . 2009-04-22 03:20 14311680 ----a-w e:\windows\system32\xlive.dll
2009-04-22 03:20 . 2009-04-22 03:20 13642496 ----a-w e:\windows\system32\xlivefnt.dll

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 22:45 . 2008-05-05 13:55 -------- d-----w e:\arquivos de programas\Google
2009-05-17 00:05 . 2009-02-02 20:46 -------- d-----w e:\arquivos de programas\Orbitdownloader
2009-05-16 20:41 . 2008-06-14 12:51 -------- d-----w e:\arquivos de programas\GetRight
2009-05-04 16:54 . 2009-02-09 01:56 -------- d-----w e:\arquivos de programas\Arquivos comuns\Apple
2009-04-19 14:07 . 2009-04-19 14:04 -------- d-----w e:\arquivos de programas\TimeAdjuster
2009-04-17 15:47 . 2009-04-17 15:46 -------- d-----w e:\arquivos de programas\FormatFactory
2009-04-17 12:16 . 2001-10-28 18:07 79240 ----a-w e:\windows\system32\perfc016.dat
2009-04-17 12:16 . 2001-10-28 18:07 468462 ----a-w e:\windows\system32\perfh016.dat
2009-03-19 19:32 . 2009-02-09 01:59 23400 ----a-w e:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 07:34 . 2004-08-04 03:45 914944 ----a-w e:\windows\system32\wininet.dll
2009-03-08 07:34 . 2004-08-04 03:45 43008 ----a-w e:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2004-08-04 03:45 18944 ----a-w e:\windows\system32\corpol.dll
2009-03-08 07:33 . 2004-08-04 03:45 420352 ----a-w e:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2004-08-04 03:45 72704 ----a-w e:\windows\system32\admparse.dll
2009-03-08 07:32 . 2004-08-04 03:45 71680 ----a-w e:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2004-08-04 03:45 34816 ----a-w e:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2004-08-04 03:44 48128 ----a-w e:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2004-08-04 03:45 45568 ----a-w e:\windows\system32\mshta.exe
2009-03-08 07:22 . 2001-10-28 18:07 156160 ----a-w e:\windows\system32\msls31.dll
2009-03-06 14:20 . 2004-08-04 03:45 286208 ----a-w e:\windows\system32\pdh.dll
2009-03-06 02:59 . 2009-02-09 01:57 36864 ----a-w e:\windows\system32\drivers\usbaapl.sys
2009-03-06 02:59 . 2008-09-10 01:47 1900544 ----a-w e:\windows\system32\usbaaplrc.dll
2008-03-23 04:22 . 2008-03-23 04:22 61 --sh--w e:\windows\cnerolf.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of e:\windows\system32\SV121 ----

2009-05-06 03:11 . 2009-05-21 13:13 480709 ---ha-w e:\windows\system32\SV121\logg.dat
2004-08-04 03:45 . 2008-04-13 22:21 116408 ---h--w e:\windows\system32\SV121\svchost2.exe


((((((((((((((((((((((((((((( SnapShot@2009-05-20_13.10.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 13:03 . 2009-05-21 13:03 16384 e:\windows\Temp\Perflib_Perfdata_5f4.dat
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"avast!"="e:\arquiv~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"iTunesHelper"="e:\arquivos de programas\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.EXE [2008-12-30 18082304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Speaker Configuration"=e:\meus downloads\Nova pasta (3)\WinXP\Setup.exe /SPEAKER
"VirtualCloneDrive"="e:\arquivos de programas\VirtualCloneDrive\VCDDaemon.exe" /s
"iTunesHelper"="e:\arquivos de programas\iTunes\iTunesHelper.exe"
"C-Media Mixer"=Mixer.exe /startup
"VTTimer"=VTTimer.exe
"QuickTime Task"="e:\arquivos de programas\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Arquivos de programas\\EA GAMES\\Battlefield 2\\BF2.exe"=
"e:\\WINDOWS\\system32\\dpnsvr.exe"=
"e:\\UT2004\\System\\UT2004.exe"=
"e:\\Arquivos de programas\\TmUnitedForever\\TmForever.exe"=
"e:\\Arquivos de programas\\Commandos II\\comm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"e:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"e:\\Arquivos de programas\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"e:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"e:\\Arquivos de programas\\Codemasters\\GRID\\GRID.exe"=
"e:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"e:\\Arquivos de programas\\Orbitdownloader\\orbitdm.exe"=
"e:\\Arquivos de programas\\Orbitdownloader\\orbitnet.exe"=
"c:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"e:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R0 ViBus;ViBus;e:\windows\system32\drivers\ViBus.sys [18/3/2008 17:07 16896]
R0 ViPrt;VIA SATA IDE Device Driver;e:\windows\system32\drivers\ViPrt.sys [18/3/2008 17:07 52224]
R1 aswSP;avast! Self Protection;e:\windows\system32\drivers\aswSP.sys [30/3/2008 21:53 111184]
R1 BIOS;BIOS;e:\windows\system32\drivers\BIOS.sys [18/3/2008 17:06 13696]
R1 BS_I2cIo;BS_I2cIo;e:\windows\system32\drivers\BS_I2cIo.sys [19/3/2008 15:54 8192]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [30/3/2008 21:53 20560]
S2 gupdate1c9cc0bcccba718;Google Update Service (gupdate1c9cc0bcccba718);e:\arquivos de programas\Google\Update\GoogleUpdate.exe [3/5/2009 13:25 133104]
S3 GMFilter;GMFilter HID Filter Driver;e:\windows\system32\drivers\GMFilter.sys [23/3/2008 13:51 19840]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 S3GIGP;S3GIGP;e:\windows\system32\drivers\S3gIGPm.sys [11/7/2007 13:08 714240]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\system32\rundll32.exe" "e:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{91F6B99D-3EDC-CBE5-41C0-F82230C16D25}]
e:\windows\system32\SV121\svchost2.exe s
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 e:\windows\Tasks\Google Software Updater.job
- e:\arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-03 18:20]

2009-05-21 e:\windows\Tasks\GoogleUpdateTaskMachine.job
- e:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-05-03 16:25]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: &Download by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - e:\arquivos de programas\GetRight\GRdownload.htm
IE: E&xportar para o Microsoft Excel - e:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - e:\arquivos de programas\GetRight\GRbrowse.htm
FF - ProfilePath - e:\documents and settings\IGOR\Dados de aplicativos\Mozilla\Firefox\Profiles\1o5qyicl.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/firefox
FF - plugin: e:\arquivos de programas\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\arquivos de programas\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: e:\arquivos de programas\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: e:\arquivos de programas\Mozilla Firefox\plugins\NPGetRt.dll

---- FIREFOX POLICIES ----
e:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 10:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-73586283-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:21,27,4d,79,8f,a7,39,8b,97,94,a6,3d,d4,05,1c,fd,1f,f9,ef,64,3e,
09,f7,fa,06,6d,4d,27,71,84,fb,ca,99,de,cc,98,93,d7,b1,64,6b,25,8a,65,8b,e0,\
"rkeysecu"=hex:31,7a,d4,d4,9d,14,a8,b5,27,34,53,d3,a8,5b,20,e2

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="E?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
e:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-21 10:25
ComboFix-quarantined-files.txt 2009-05-21 13:24
ComboFix2.txt 2009-05-20 13:12

Pre-Run: 23 folder(s) 87,425,388,544 bytes free
Post-Run: 22 folder(s) 87,410,339,840 bytes free

189 --- E O F --- 2008-12-11 20:21
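
This ComboFix run is the one that exposes the persistence mechanism: a StubPath under HKLM\software\microsoft\active setup\installed components\{91F6B99D-3EDC-CBE5-41C0-F82230C16D25} launching e:\windows\system32\SV121\svchost2.exe (hidden, and named to pass as svchost.exe) next to a hidden logg.dat that has grown to 480 KB. Active Setup stubs are executed for each user at logon whenever the per-user copy of that component key is missing, so the implant is re-launched after every reboot regardless of what is cleaned from the usual Run keys, and the catchme rootkit pass reporting zero hidden files does not contradict that, since the files are merely attribute-hidden. As an added example (editor's code, not part of the thread and not ComboFix's own logic), the Python below parses those two log fragments and flags the signals a helper looks for: hidden files in an unknown system32 subfolder, names that mimic Windows binaries, and Active Setup stubs pointing outside the standard locations. The sample input is constructed from the log lines posted above; the attribute-flag positions and line layouts it relies on are assumptions inferred from this log, not documented ComboFix formats.

```python
"""Flag suspicious entries in ComboFix-style log excerpts (added example).

Editor-added example code, not part of the original thread and not ComboFix's
own logic. Assumptions: the DirLook line layout
"<created> . <modified> <size> <attrs> <path>", the 7-character attribute
string with 'h' (hidden) at index 3 and 's' (system) at index 2 (inferred
from the entries in the posted log), and the two-line Active Setup layout
"[HKLM\\...\\installed components\\<key>]" followed by the StubPath value.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the relevant fragments of the ComboFix log posted above.
SAMPLE_LOG = r"""
---- Directory of e:\windows\system32\SV121 ----

2009-05-06 03:11 . 2009-05-21 13:13 480709 ---ha-w e:\windows\system32\SV121\logg.dat
2004-08-04 03:45 . 2008-04-13 22:21 116408 ---h--w e:\windows\system32\SV121\svchost2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\system32\rundll32.exe" "e:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{91F6B99D-3EDC-CBE5-41C0-F82230C16D25}]
e:\windows\system32\SV121\svchost2.exe s
"""

# Directory entries show "--------" as size and are skipped by \d+.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>\S.*?)\s*$",
    re.MULTILINE,
)
ACTIVE_SETUP = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\"
    r"(?P<key>[^\]]+)\]\r?\n(?P<stub>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Names an implant commonly borrows; the real ones live in \windows\system32 (explorer in \windows).
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "spoolsv", "explorer"}


@dataclass
class FileEntry:
    path: str
    size: int
    attrs: str

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"   # position assumed from this log's own entries

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"


def parse_dir_listing(text: str) -> list[FileEntry]:
    return [FileEntry(m["path"], int(m["size"]), m["attrs"]) for m in FILE_LINE.finditer(text)]


def parse_active_setup(text: str) -> list[tuple[str, str]]:
    """Return (key name, StubPath value) pairs; a leading '>' is kept as part of the key name as logged."""
    return [(m["key"], m["stub"]) for m in ACTIVE_SETUP.finditer(text)]


def stub_executable(stub: str) -> str:
    """First token of a StubPath value, honouring a quoted path."""
    stub = stub.strip()
    if stub.startswith('"'):
        return stub[1:stub.index('"', 1)]
    return stub.split(" ", 1)[0]


def in_standard_location(path: str) -> bool:
    """True for the system32 root, the Windows root, or a Program Files tree (English or Portuguese name)."""
    d = ntpath.dirname(path).lower() + "\\"
    return (d.endswith("\\windows\\system32\\") or d.endswith("\\windows\\")
            or "\\program files\\" in d or "\\arquivos de programas\\" in d)


def mimics_system_binary(path: str) -> bool:
    """svchost2.exe anywhere, or svchost.exe outside its real directory, both count as mimicry."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    for name in SYSTEM_BINARIES:
        if stem.startswith(name):
            return stem != name or not in_standard_location(path)
    return False


def triage(log_text: str) -> list[str]:
    findings: list[str] = []
    files = {f.path.lower(): f for f in parse_dir_listing(log_text)}
    for f in files.values():
        reasons = []
        if f.hidden:
            reasons.append("hidden attribute")
        if mimics_system_binary(f.path):
            reasons.append("name mimics a Windows binary")
        if reasons:
            findings.append(f"FILE {f.path}: {', '.join(reasons)}")
    for key, stub in parse_active_setup(log_text):
        exe = stub_executable(stub)
        reasons = []
        if not in_standard_location(exe):
            reasons.append("executable outside system32/Program Files")
        if mimics_system_binary(exe):
            reasons.append("name mimics a Windows binary")
        if exe.lower() in files and files[exe.lower()].hidden:
            reasons.append("target file is hidden")
        if reasons:
            findings.append(f"ACTIVESETUP {key}: {exe} ({'; '.join(reasons)})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run against the sample it reports both hidden files in SV121 and the {91F6B99D-...} stub, and stays silent on the legitimate IE branding stub (rundll32.exe in the system32 root), which is the distinction the CFScript in the next post makes by deleting only the second key.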

Shaba
2009-05-21, 16:05
Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the file on the list into the white "Upload a file" box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

e:\windows\system32\SV121\svchost2.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

dorian_BR
2009-05-21, 17:48
Here's the scan results by Jotti:

Jotti's malware scan
Filename: svchost2.exe
Status: Scan finished. 9 out of 20 scanners reported malware.
Scan taken on: Thu 21 May 2009 17:22:58 (CET)

[ArcaVir]
2009-05-21 Found nothing

[F-Secure Anti-Virus]
2009-05-21 Found nothing

[Emsisoft A-squared]
2009-05-21 Riskware.Win32.Vbinder!IK

[Ikarus]
2009-05-21 VirTool.Win32.Vbinder

[Avast! antivirus]
2009-05-20 Found nothing

[Kaspersky Anti-Virus]
2009-05-21 Found nothing

[Grisoft AVG Anti-Virus]
2009-05-21 Found nothing

[ESET NOD32]
2009-05-21 Found nothing

[Avira AntiVir]
2009-05-21 TR/Crypt.XPACK.Gen

[Norman Virus Control]
2009-05-20 Found nothing

[Softwin BitDefender]
2009-05-21 Gen:Trojan.Heur.7044BB9ECE

[Panda Antivirus]
2009-05-21 Trj/Buzus.AH

[ClamAV]
2009-05-21 Found nothing

[Quick Heal]
2009-05-21 Trojan.Buzus.avso

[CPsecure]
2009-05-21 Found nothing

[Sophos]
2009-05-21 Found nothing

[Dr.Web]
2009-05-21 Found nothing

[VirusBlokAda VBA32]
2009-05-20 Trojan.Win32.Buzus.awjl

[Frisk F-Prot Antivirus]
2009-05-20 W32/VB.I.gen!Eldorado

[VirusBuster]
2009-05-21 Packed/Carbon
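
Nine of twenty engines is a low ratio, but the verdicts themselves tell the story: two engines call the file a VB binder (Vbinder), three independently name the Buzus family, and the other four are packer or heuristic verdicts (TR/Crypt.XPACK.Gen, Gen:Trojan.Heur.7044BB9ECE, W32/VB.I.gen!Eldorado, Packed/Carbon), while the resident avast! and several other major engines report nothing. As an added example (editor's code, not from the thread and not Jotti's own), the Python below parses a report in this format and separates family-naming verdicts from generic ones, so that agreement between independent vendors, rather than the raw count, drives the decision. The report is a constructed subset of the results posted above; the generic-marker and noise-token lists are assumptions of this example, not anything the scanners publish.

```python
"""Triage a Jotti/VirusTotal-style multi-engine report (added example).

Editor-added example, not from the original thread and not Jotti's own code.
The report below is a constructed subset of the results posted above (the
blank separator lines of the original output are dropped; the parser accepts
either form). GENERIC_MARKERS and NOISE are assumptions of this example.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_REPORT = """\
[ArcaVir]
2009-05-21 Found nothing
[Emsisoft A-squared]
2009-05-21 Riskware.Win32.Vbinder!IK
[Ikarus]
2009-05-21 VirTool.Win32.Vbinder
[Kaspersky Anti-Virus]
2009-05-21 Found nothing
[Avira AntiVir]
2009-05-21 TR/Crypt.XPACK.Gen
[Softwin BitDefender]
2009-05-21 Gen:Trojan.Heur.7044BB9ECE
[Panda Antivirus]
2009-05-21 Trj/Buzus.AH
[Quick Heal]
2009-05-21 Trojan.Buzus.avso
[VirusBlokAda VBA32]
2009-05-20 Trojan.Win32.Buzus.awjl
[Frisk F-Prot Antivirus]
2009-05-20 W32/VB.I.gen!Eldorado
[VirusBuster]
2009-05-21 Packed/Carbon
"""

ENTRY = re.compile(
    r"^\[(?P<engine>[^\]]+)\]\r?\n(?P<date>\d{4}-\d{2}-\d{2}) (?P<verdict>.+?)\s*$",
    re.MULTILINE,
)
# Tokens that say "packed/heuristic/suspicious" rather than naming a family (assumed list).
GENERIC_MARKERS = {"gen", "generic", "heur", "packed", "crypt", "suspicious", "eldorado"}
# Platform/type prefixes and vendor suffixes that carry no family information (assumed list).
NOISE = {"trojan", "trj", "tr", "win32", "w32", "riskware", "virtool", "malware", "ik"}


def tokenize(verdict: str) -> list[str]:
    return [t for t in re.split(r"[^a-z0-9]+", verdict.lower()) if t]


def parse_report(text: str) -> list[tuple[str, str]]:
    return [(m["engine"], m["verdict"]) for m in ENTRY.finditer(text)]


def is_detection(verdict: str) -> bool:
    return verdict.strip().lower() != "found nothing"


def is_generic(verdict: str) -> bool:
    return bool(set(tokenize(verdict)) & GENERIC_MARKERS)


def family_of(verdict: str) -> str | None:
    """First token that is neither noise, a short variant suffix (AH, avso are dropped by length or position), nor a hex blob."""
    if is_generic(verdict):
        return None
    for tok in tokenize(verdict):
        if tok in NOISE or len(tok) < 3 or all(c in "0123456789abcdef" for c in tok):
            continue
        return tok
    return None


def summarize(text: str) -> dict:
    entries = parse_report(text)
    hits = [(e, v) for e, v in entries if is_detection(v)]
    families: Counter[str] = Counter(f for _, v in hits if (f := family_of(v)))
    return {
        "engines": len(entries),
        "detections": len(hits),
        "generic_only": sum(1 for _, v in hits if is_generic(v)),
        "families": dict(families),
        "consensus": families.most_common(1)[0][0] if families else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

On this subset the summary is 9 detections out of 11 engines, 4 of them generic, and a family consensus of "buzus" (3 vendors) with "vbinder" (2 vendors) behind it; three unrelated vendors agreeing on a family is far stronger evidence than the 45% headline, and a hidden binary in a made-up system32 subfolder is not cleared by the engines that missed it.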

Shaba
2009-05-21, 18:01
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
e:\arquivos de programas\Mozilla Firefox\plugins\npbittorrent.dll

Folder::
e:\windows\system32\SV121

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{91F6B99D-3EDC-CBE5-41C0-F82230C16D25}]


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

dorian_BR
2009-05-21, 20:40
Here's the ComboFix log:

ComboFix 09-05-19.08 - IGOR 21/05/2009 15:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3070.2583 [GMT -3:00]
Running from: e:\documents and settings\IGOR\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\IGOR\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090520-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
e:\arquivos de programas\Mozilla Firefox\plugins\npbittorrent.dll
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\arquivos de programas\Mozilla Firefox\plugins\npbittorrent.dll
e:\documents and settings\IGOR\Dados de aplicativos\addons.dat
e:\windows\system32\SV121
e:\windows\system32\SV121\logg.dat
e:\windows\system32\SV121\svchost2.exe

.
(((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 ))))))))))))))))))))))))))))
.

2009-05-16 23:19 . 2009-05-16 23:19 -------- d-sh--w e:\documents and settings\Administrador\PrivacIE
2009-05-16 18:52 . 2009-05-16 19:28 -------- d-----w E:\silentrunners
2009-05-16 17:38 . 2009-05-16 17:38 -------- d--h--w e:\windows\PIF
2009-05-14 01:30 . 2009-05-14 01:30 -------- d-sh--w e:\documents and settings\Administrador\IETldCache
2009-05-12 20:40 . 2009-05-12 20:40 -------- d-----w e:\documents and settings\IGOR\Dados de aplicativos\U3
2009-05-04 18:20 . 2009-05-04 18:20 -------- d-sh--w e:\documents and settings\LocalService\IETldCache
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\arquivos de programas\iPod
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\documents and settings\All Users\Dados de aplicativos\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-04 16:54 . 2009-05-04 16:54 -------- d-----w e:\arquivos de programas\iTunes
2009-05-03 16:18 . 2009-05-20 23:45 -------- d-----w e:\documents and settings\All Users\Dados de aplicativos\Google Updater
2009-04-30 14:11 . 2009-04-30 14:11 -------- d-sh--w e:\documents and settings\IGOR\IECompatCache
2009-04-30 14:05 . 2009-04-30 14:05 -------- d-sh--w e:\documents and settings\IGOR\PrivacIE
2009-04-30 14:04 . 2009-04-30 14:04 -------- d-sh--w e:\documents and settings\NetworkService\IETldCache
2009-04-30 14:04 . 2009-04-30 14:04 -------- d-sh--w e:\documents and settings\IGOR\IETldCache
2009-04-30 14:02 . 2009-04-30 14:02 -------- d-----w e:\windows\ie8updates
2009-04-30 14:02 . 2009-02-28 04:55 105984 -c----w e:\windows\system32\dllcache\iecompat.dll
2009-04-30 14:00 . 2009-04-30 14:02 -------- dc-h--w e:\windows\ie8
2009-04-22 03:20 . 2009-04-22 03:20 14311680 ----a-w e:\windows\system32\xlive.dll
2009-04-22 03:20 . 2009-04-22 03:20 13642496 ----a-w e:\windows\system32\xlivefnt.dll

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 22:45 . 2008-05-05 13:55 -------- d-----w e:\arquivos de programas\Google
2009-05-17 00:05 . 2009-02-02 20:46 -------- d-----w e:\arquivos de programas\Orbitdownloader
2009-05-16 20:41 . 2008-06-14 12:51 -------- d-----w e:\arquivos de programas\GetRight
2009-05-04 16:54 . 2009-02-09 01:56 -------- d-----w e:\arquivos de programas\Arquivos comuns\Apple
2009-04-19 14:07 . 2009-04-19 14:04 -------- d-----w e:\arquivos de programas\TimeAdjuster
2009-04-17 15:47 . 2009-04-17 15:46 -------- d-----w e:\arquivos de programas\FormatFactory
2009-04-17 12:16 . 2001-10-28 18:07 79240 ----a-w e:\windows\system32\perfc016.dat
2009-04-17 12:16 . 2001-10-28 18:07 468462 ----a-w e:\windows\system32\perfh016.dat
2009-03-19 19:32 . 2009-02-09 01:59 23400 ----a-w e:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 07:34 . 2004-08-04 03:45 914944 ----a-w e:\windows\system32\wininet.dll
2009-03-08 07:34 . 2004-08-04 03:45 43008 ----a-w e:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2004-08-04 03:45 18944 ----a-w e:\windows\system32\corpol.dll
2009-03-08 07:33 . 2004-08-04 03:45 420352 ----a-w e:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2004-08-04 03:45 72704 ----a-w e:\windows\system32\admparse.dll
2009-03-08 07:32 . 2004-08-04 03:45 71680 ----a-w e:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2004-08-04 03:45 34816 ----a-w e:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2004-08-04 03:44 48128 ----a-w e:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2004-08-04 03:45 45568 ----a-w e:\windows\system32\mshta.exe
2009-03-08 07:22 . 2001-10-28 18:07 156160 ----a-w e:\windows\system32\msls31.dll
2009-03-06 14:20 . 2004-08-04 03:45 286208 ----a-w e:\windows\system32\pdh.dll
2009-03-06 02:59 . 2009-02-09 01:57 36864 ----a-w e:\windows\system32\drivers\usbaapl.sys
2009-03-06 02:59 . 2008-09-10 01:47 1900544 ----a-w e:\windows\system32\usbaaplrc.dll
2008-03-23 04:22 . 2008-03-23 04:22 61 --sh--w e:\windows\cnerolf.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-05-20_13.10.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 18:25 . 2009-05-21 18:25 16384 e:\windows\Temp\Perflib_Perfdata_5f0.dat
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"avast!"="e:\arquiv~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"iTunesHelper"="e:\arquivos de programas\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"RTHDCPL"="RTHDCPL.EXE" - e:\windows\RTHDCPL.EXE [2008-12-30 18082304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"C-Media Speaker Configuration"=e:\meus downloads\Nova pasta (3)\WinXP\Setup.exe /SPEAKER
"VirtualCloneDrive"="e:\arquivos de programas\VirtualCloneDrive\VCDDaemon.exe" /s
"iTunesHelper"="e:\arquivos de programas\iTunes\iTunesHelper.exe"
"C-Media Mixer"=Mixer.exe /startup
"VTTimer"=VTTimer.exe
"QuickTime Task"="e:\arquivos de programas\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Arquivos de programas\\EA GAMES\\Battlefield 2\\BF2.exe"=
"e:\\WINDOWS\\system32\\dpnsvr.exe"=
"e:\\UT2004\\System\\UT2004.exe"=
"e:\\Arquivos de programas\\TmUnitedForever\\TmForever.exe"=
"e:\\Arquivos de programas\\Commandos II\\comm2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"e:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"e:\\Arquivos de programas\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"e:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"e:\\Arquivos de programas\\Codemasters\\GRID\\GRID.exe"=
"e:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\Arquivos de programas\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"e:\\Arquivos de programas\\Orbitdownloader\\orbitdm.exe"=
"e:\\Arquivos de programas\\Orbitdownloader\\orbitnet.exe"=
"c:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"e:\\Arquivos de programas\\iTunes\\iTunes.exe"=
"e:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

R0 ViBus;ViBus;e:\windows\system32\drivers\ViBus.sys [18/3/2008 17:07 16896]
R0 ViPrt;VIA SATA IDE Device Driver;e:\windows\system32\drivers\ViPrt.sys [18/3/2008 17:07 52224]
R1 aswSP;avast! Self Protection;e:\windows\system32\drivers\aswSP.sys [30/3/2008 21:53 111184]
R1 BIOS;BIOS;e:\windows\system32\drivers\BIOS.sys [18/3/2008 17:06 13696]
R1 BS_I2cIo;BS_I2cIo;e:\windows\system32\drivers\BS_I2cIo.sys [19/3/2008 15:54 8192]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [30/3/2008 21:53 20560]
S2 gupdate1c9cc0bcccba718;Google Update Service (gupdate1c9cc0bcccba718);e:\arquivos de programas\Google\Update\GoogleUpdate.exe [3/5/2009 13:25 133104]
S3 GMFilter;GMFilter HID Filter Driver;e:\windows\system32\drivers\GMFilter.sys [23/3/2008 13:51 19840]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 S3GIGP;S3GIGP;e:\windows\system32\drivers\S3gIGPm.sys [11/7/2007 13:08 714240]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\system32\rundll32.exe" "e:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-05-21 e:\windows\Tasks\Google Software Updater.job
- e:\arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-03 18:20]

2009-05-21 e:\windows\Tasks\GoogleUpdateTaskMachine.job
- e:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-05-03 16:25]
.
.
------- Scan Suplementar -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
IE: &Download by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - e:\arquivos de programas\Orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - e:\arquivos de programas\GetRight\GRdownload.htm
IE: E&xportar para o Microsoft Excel - e:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - e:\arquivos de programas\GetRight\GRbrowse.htm
FF - ProfilePath - e:\documents and settings\IGOR\Dados de aplicativos\Mozilla\Firefox\Profiles\1o5qyicl.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.br/firefox
FF - plugin: e:\arquivos de programas\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: e:\arquivos de programas\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: e:\arquivos de programas\Mozilla Firefox\plugins\NPGetRt.dll

---- FIREFOX POLICIES ----
e:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 15:33
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-73586283-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:21,27,4d,79,8f,a7,39,8b,97,94,a6,3d,d4,05,1c,fd,1f,f9,ef,64,3e,
09,f7,fa,06,6d,4d,27,71,84,fb,ca,99,de,cc,98,93,d7,b1,64,6b,25,8a,65,8b,e0,\
"rkeysecu"=hex:31,7a,d4,d4,9d,14,a8,b5,27,34,53,d3,a8,5b,20,e2

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="E?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(808)
e:\windows\system32\Ati2evxx.dll
.
Tempo para conclusão: 2009-05-21 15:35
ComboFix-quarantined-files.txt 2009-05-21 18:34
ComboFix2.txt 2009-05-20 13:12

Pré-execução: 23 pasta(s) 87.365.984.256 bytes disponíveis
Pós execução: 22 pasta(s) 87.350.751.232 bytes disponíveis

184 --- E O F --- 2008-12-11 20:21

Shaba
2009-05-21, 20:44
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: "Spyware, Adware, Dialers, and other potentially dangerous programs" and "Archives".
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

dorian_BR
2009-05-22, 16:10
Here's the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 22, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 22, 2009 03:53:49
Records in database: 2213474
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 249338
Threat name: 4
Infected objects: 7
Suspicious objects: 0
Duration of the scan: 04:38:58


File name / Threat name / Threats count
C:\SYSTEM\FILES\ARMY.exe Infected: Backdoor.Win32.VB.iqo 1
C:\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe Infected: Trojan-Dropper.Win32.Agent.anud 1
E:\Qoobox\Quarantine\E\Documents and Settings\IGOR\e7h6t87k3.exe.vir Infected: Backdoor.Win32.Agent.agjr 1
E:\Qoobox\Quarantine\E\WINDOWS\system32\SV121\svchost2.exe.vir Infected: Trojan.Win32.Buzus.bapd 1
E:\System Volume Information\_restore{C398DB66-B8EB-48E4-8ED9-F460DD7661C4}\RP2\A0003298.exe Infected: Backdoor.Win32.Agent.agjr 1
E:\System Volume Information\_restore{C398DB66-B8EB-48E4-8ED9-F460DD7661C4}\RP3\A0003369.exe Infected: Backdoor.Win32.Agent.agjr 1
E:\System Volume Information\_restore{C398DB66-B8EB-48E4-8ED9-F460DD7661C4}\RP4\A0005976.exe Infected: Trojan.Win32.Buzus.bapd 1

The selected area was scanned.




And here's the HiJackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:45, on 22/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Arquivos de programas\Avast4\aswUpdSv.exe
E:\Arquivos de programas\Avast4\ashServ.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Arquivos de programas\Bonjour\mDNSResponder.exe
E:\Arquivos de programas\Google\Update\GoogleUpdate.exe
E:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
E:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\svchost.exe
E:\Arquivos de programas\Avast4\ashMaiSv.exe
E:\Arquivos de programas\Avast4\ashWebSv.exe
E:\WINDOWS\Explorer.EXE
E:\ARQUIV~1\Avast4\ashDisp.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Arquivos de programas\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Arquivos de programas\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe
E:\Meus Downloads\Nova pasta (4)\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Arquivos de programas\GetRight\xx2gr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (disabled by BHODemon)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Arquivos de programas\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast!] E:\ARQUIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [iTunesHelper] "E:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - E:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://E:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - E:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228931293562
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: Dispositivo Celular da Apple (Apple Mobile Device) - Apple Inc. - E:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Arquivos de programas\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Arquivos de programas\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Arquivos de programas\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Arquivos de programas\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9cc0bcccba718) (gupdate1c9cc0bcccba718) - Google Inc. - E:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Arquivos de programas\Arquivos comuns\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Arquivos de programas\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Arquivos de programas\Arquivos comuns\Nero\Lib\NMIndexingService.exe

--
End of file - 7701 bytes
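
A small triage script, added here as an example and not part of the thread or any of the tools mentioned in it, for the kind of report posted above. It parses the Kaspersky "File name / Threat name / Threats count" lines and separates hits that sit in ComboFix's Qoobox quarantine or in System Restore points (already neutralised or inert until a restore) from hits on live paths, which are the ones still worth a second look. The sample text is constructed from the report's own format and paths; nothing else about the report is assumed.

```python
"""Triage of Kaspersky Online Scanner report lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the report posted in the thread
# (paths are the thread's own; the trailer line is copied for realism).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\SYSTEM\FILES\ARMY.exe Infected: Backdoor.Win32.VB.iqo 1
C:\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe Infected: Trojan-Dropper.Win32.Agent.anud 1
E:\Qoobox\Quarantine\E\Documents and Settings\IGOR\e7h6t87k3.exe.vir Infected: Backdoor.Win32.Agent.agjr 1
E:\System Volume Information\_restore{C398DB66-B8EB-48E4-8ED9-F460DD7661C4}\RP2\A0003298.exe Infected: Backdoor.Win32.Agent.agjr 1

The selected area was scanned.
"""

# "<path> Infected: <threat name> <count>"; the path may contain spaces,
# so match it non-greedily up to the literal " Infected: " marker.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str  # "live", "quarantine" or "restore-point"


def classify(path):
    """Where does the flagged object actually live?"""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"      # already moved aside by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # inert unless a restore point is applied
    return "live"                # still on the running system


def parse_report(text):
    """Turn the report body into Detection records, skipping header/trailer."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"]),
                                   classify(m["path"])))
    return found


def live_paths(text):
    """Paths that merit follow-up (e.g. a second-opinion scan)."""
    return [d.path for d in parse_report(text) if d.location == "live"]


def summarize(text):
    """Count detections per location class."""
    counts = {"live": 0, "quarantine": 0, "restore-point": 0}
    for d in parse_report(text):
        counts[d.location] += 1
    return counts


if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT):
        print(f"{d.location:14} {d.threat:35} {d.path}")
    print(summarize(SAMPLE_REPORT))
```

Run against the constructed sample it lists the two live files (the same two the helper asks about in the next post) and counts one quarantined and one restore-point hit; clearing the restore points and emptying the quarantine is the usual follow-up for those, rather than re-scanning them.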

Shaba
2009-05-22, 17:55
I'd like you to check some files for malware.

Go to VirusTotal (http://www.virustotal.com) or Jotti's (http://virusscan.jotti.org/)


C:\SYSTEM\FILES\ARMY.exe
C:\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe

Copy/Paste the first file on the list into the white Upload a file box.
Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Save the complete results in a Notepad/Word document on your desktop.
Repeat for all files on the list.
Post back results here, please.

dorian_BR
2009-05-22, 20:35
Here's the Jotti scan results for C:\SYSTEM\FILES\ARMY.exe:

Jotti's malware scan
Filename: ARMY.exe
Status: Scan finished. 15 out of 20 scanners reported malware.
Scan taken on: Fri 22 May 2009 18:52:18 (CET)

[ArcaVir]
2009-05-22 Trojan.Vb.Iqo

[F-Secure Anti-Virus]
2009-05-22 Backdoor.Win32.VB.iqo

[Emsisoft A-squared]
2009-05-22 Backdoor.Rbot!IK


2009-05-22 Backdoor.Rbot

[Avast! antivirus]
2009-05-21 Found nothing

[Kaspersky Anti-Virus]
2009-05-22 Backdoor.Win32.VB.iqo

[Grisoft AVG Anti-Virus]
2009-05-22 BackDoor.VB.HEM

[ESET NOD32]
2009-05-22 Win32/AutoRun.Agent.NJ worm

[Avira AntiVir]
2009-05-22 BDS/VB.iqo

[Norman Virus Control]
2009-05-22 Found nothing

[Softwin BitDefender]
2009-05-22 Backdoor.VB.BRF

[Panda Antivirus]
2009-05-21 Trj/Agent.MCJ

[ClamAV]
2009-05-22 Found nothing

[Quick Heal]
2009-05-22 Found nothing
[CPsecure]
2009-05-22 BackDoor.W32.VB.iqo

[Sophos]
2009-05-22 Mal/Generic-A

[Dr.Web]
2009-05-22 Trojan.Packed.2457

[VirusBlokAda VBA32]
2009-05-22 Backdoor.Win32.VB.iqo

[Frisk F-Prot Antivirus]
2009-05-22 W32/Trojan3.ARO

[VirusBuster]
2009-05-22 Found nothing




It was not possible for Jotti/VirusTotal to scan the file C:\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe because it's bigger than the max permitted size (this file is bigger than 27 MB, and I think the max permitted size is 15 MB).
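
When a sample is too large to upload, the usual fallback is to fingerprint it locally and search the scanning service by hash (VirusTotal supports lookup by MD5/SHA-1/SHA-256), which also keeps the file itself off the wire. The script below is an added example, not code from the thread or from Jotti/VirusTotal: it hashes a file in chunks so size is no obstacle, and decides from the size whether an upload is even possible. The `UPLOAD_LIMIT_BYTES` value is a placeholder taken from the poster's own 15 MB guess; the constructed demo file stands in for the real binary.

```python
"""Fingerprint a sample that exceeds an upload limit (added example)."""
import hashlib
import os
import tempfile

# Placeholder: the poster's estimate of the service's limit, not a verified value.
UPLOAD_LIMIT_BYTES = 15 * 1024 * 1024


def fingerprint(path, chunk_size=1 << 20):
    """Return size plus MD5/SHA-1/SHA-256 hex digests, streaming the file
    in 1 MiB chunks so a multi-gigabyte binary never has to fit in memory."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashes.values():
                h.update(chunk)
    info = {"path": path, "size": size}
    info.update({name: h.hexdigest() for name, h in hashes.items()})
    return info


def plan_submission(info, limit=UPLOAD_LIMIT_BYTES):
    """'upload' if the file fits the limit, otherwise 'hash-lookup'."""
    return "upload" if info["size"] <= limit else "hash-lookup"


def demo():
    """Constructed sample: a 3-byte file standing in for a real executable."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as fh:
            fh.write(b"abc")
        info = fingerprint(p)
        # Second call uses a 2-byte limit to exercise the oversize branch.
        return info, plan_submission(info), plan_submission(info, limit=2)


if __name__ == "__main__":
    info, plan_default, plan_small_limit = demo()
    print(f"size={info['size']} sha256={info['sha256']}")
    print("default limit:", plan_default, "| 2-byte limit:", plan_small_limit)
```

If the hash is unknown to the service, that is itself useful information (a freshly built or repacked file), and the poster's result from the scanners that could process the file still stands.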

Shaba
2009-05-23, 10:52
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

dorian_BR
2009-05-24, 02:44
Hi Shaba.

I've been using a clean PC (my notebook) to talk to you during this week. The infected one is my desktop; I did every scan you asked for on it, then sent all the reports/logs through the notebook. I only used the internet on the desktop to do the online scanning of the files you asked for.
I understand what you're saying about reformatting and reinstalling the OS; it's really something I should consider. But since about two days ago I've noticed that the Bifrost registry entries are gone (they don't keep showing up anymore when I restart the PC); the Spybot scan has not detected it either (now it says that no threats were found); and before, my antivirus Avast would detect two trojans every time I tried to connect to the internet, Avast would put them in quarantine and then a minute later those trojans (sometimes different ones) would show up again in the Documents and Settings folder. But now this problem is gone too.

Well, what I'm trying to say is that, at least apparently, my desktop seems to be running well now. So is there any other procedure that I'd need to follow? I would still like to try to solve it instead of reformatting. Whatever your answer may be, I'd like to thank you for all the help you've been giving me.

Shaba
2009-05-24, 11:03
Well like I said, we can remove it but it is another story if your computer can be trusted again.

So that is a decision that you will need to make :)

Shaba
2009-05-30, 08:28
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.