PDA

View Full Version : HELP Needed with Smitfraud-C infection


tarix
2010-04-06, 04:56
Hi Everyone,
I'm starting this new thread as I was infected a few minutes ago with Smitfraud-C infection, at least is what my S&D scan shows. As you all were very helpful the last time (back in 2008) when this happened with me but with another PC I hope you guys can help me again.
below there's a S&D Log and a HTJ Log also.
Thanks again in advance for you all. :)

S&D Log:

--- Search result list ---
Smitfraud-C.: [SBI $47684081] Executable (File, nothing done)
C:\WINDOWS\system\svchost.exe
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

User abort!: Scan was not completed successfully. (Status)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-03-18 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-02-17 Includes\Adware.sbi (*)
2010-03-30 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-03-30 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-03-30 Includes\HijackersC.sbi (*)
2010-01-20 Includes\Keyloggers.sbi (*)
2010-03-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-03-02 Includes\Malware.sbi (*)
2010-03-30 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2010-03-30 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-03-30 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-03-02 Includes\Spyware.sbi (*)
2010-03-30 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-03-03 Includes\Trojans.sbi (*)
2010-03-30 Includes\TrojansC-02.sbi (*)
2010-03-30 Includes\TrojansC-03.sbi (*)
2010-03-30 Includes\TrojansC-04.sbi (*)
2010-03-30 Includes\TrojansC-05.sbi (*)
2010-03-30 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Security Update (KB953297)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB973688)
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Actualização de Segurança para o Windows Media Player (KB952069)
/ Windows Media Player: Actualização de Segurança para o Windows Media Player (KB954155)
/ Windows Media Player: Actualização de Segurança para o Windows Media Player (KB968816)
/ Windows Media Player: Actualização de Segurança para o Windows Media Player (KB973540)
/ Windows Media Player 11: Correcção para o Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Actualização de Segurança para o Windows Media Player 11 (KB954154)
/ Windows XP: Actualização de Segurança para Windows XP (KB941569)
/ Windows XP / SP0: Actualização de segurança para Windows Internet Explorer 8 (KB971961)
/ Windows XP / SP0: Actualização para Windows Internet Explorer 8 (KB976662)
/ Windows XP / SP0: Actualização para Windows Internet Explorer 8 (KB980182)
/ Windows XP / SP0: Actualização para Windows Internet Explorer 8 (KB980302)
/ Windows XP / SP10: Actualização para Microsoft Windows (KB971513)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Actualização para Windows XP (KB898461)
/ Windows XP / SP4: Hotfix for Windows XP (KB915800-v4)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB923561)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB946648)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB950762)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB950974)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB951066)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB951376-v2)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB951748)
/ Windows XP / SP4: Actualização para Windows XP (KB951978)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB952004)
/ Windows XP / SP4: Hotfix para Windows XP (KB952287)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB952954)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB955069)
/ Windows XP / SP4: Actualização para Windows XP (KB955759)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB956572)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB956744)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB956802)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB956803)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB956844)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB957097)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB958644)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB958687)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB958869)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB959426)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB960225)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB960803)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB960859)
/ Windows XP / SP4: Hotfix para Windows XP (KB961118)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB961501)
/ Windows XP / SP4: Actualização para Windows XP (KB961503)
/ Windows XP / SP4: Actualização para Windows XP (KB967715)
/ Windows XP / SP4: Actualização para Windows XP (KB968389)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB969059)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB969947)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB970238)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB970430)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB971468)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB971486)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB971557)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB971633)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB971657)
/ Windows XP / SP4: Actualização para Windows XP (KB971737)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB971961)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB972270)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB973354)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB973507)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB973525)
/ Windows XP / SP4: Actualização para Windows XP (KB973687)
/ Windows XP / SP4: Actualização para Windows XP (KB973815)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB973869)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB973904)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB974112)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB974318)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB974392)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB974571)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB975025)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB975467)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB975560)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB975561)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB975713)
/ Windows XP / SP4: Hotfix for Windows XP (KB976002-v5)
/ Windows XP / SP4: Hotfix para Windows XP (KB976098-v2)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB977165-v2)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB977914)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB978037)
/ Windows XP / SP4: Actualização para Windows XP (KB978207)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB978251)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB978262)
/ Windows XP / SP4: Actualização de segurança para Windows XP (KB978706)
/ Windows XP / SP4: Hotfix para Windows XP (KB979306)


--- Startup entries list ---
Located: HK_LM:Run, avast5
command: C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
file: C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
size: 2743104
MD5: F1802594C34904C57A33E0C759AEE056

Located: HK_LM:Run, reader_s
command: C:\WINDOWS\System32\reader_s.exe
file: C:\WINDOWS\System32\reader_s.exe
size: 63488
MD5: CD1097574FD54B087DD27E9679C437EF

Located: HK_LM:Run, Regedit32
command: C:\WINDOWS\system32\regedit.exe
file: C:\WINDOWS\system32\regedit.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, syncman
command: c:\windows\system32\wuaucldt.exe
file: c:\windows\system32\wuaucldt.exe
size: 29494
MD5: C0225FA07467FFCAAE38548EDD555486

Located: HK_LM:Run, Adobe ARM (DISABLED)
command: "C:\Programas\Ficheiros comuns\Adobe\ARM\1.0\AdobeARM.exe"
file: C:\Programas\Ficheiros comuns\Adobe\ARM\1.0\AdobeARM.exe
size: 948672
MD5: 73BB442A717B9BB0097C243374C14A3E

Located: HK_LM:Run, Adobe Reader Speed Launcher (DISABLED)
command: "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 40368
MD5: 07B9233D1B5554A7F3F05AA36755A8E9

Located: HK_LM:Run, Freecorder FLV Service (DISABLED)
command: "C:\Programas\Freecorder\FLVSrvc.exe" /run
file: C:\Programas\Freecorder\FLVSrvc.exe
size: 158752
MD5: C915C93773653DC2C1D206D3DD571683

Located: HK_LM:Run, GrooveMonitor (DISABLED)
command: "C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"
file: C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
size: 31072
MD5: 644795F6985C740F5E36E9336B837D0B

Located: HK_LM:Run, KernelFaultCheck (DISABLED)
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep 0 -k
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, NeroFilterCheck (DISABLED)
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, Regedit32 (DISABLED)
command: C:\WINDOWS\system32\regedit.exe
file: C:\WINDOWS\system32\regedit.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, RemoteControl (DISABLED)
command: C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
file: C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 1EEA64D8599B5B7BD8721498E4019CF0

Located: HK_LM:Run, syncman (DISABLED)
command: c:\windows\system32\wuaucldt.exe
file: c:\windows\system32\wuaucldt.exe
size: 29494
MD5: C0225FA07467FFCAAE38548EDD555486

Located: HK_LM:Run, WinPatrol (DISABLED)
command: C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
file: C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
size: 320832
MD5: 5F53750CEA64C8D5882D808718A7074A

Located: HK_CU:Run, reader_s
where: S-1-5-21-1757981266-746137067-839522115-1003...
command: C:\Documents and Settings\utilizador\reader_s.exe
file: C:\Documents and Settings\utilizador\reader_s.exe
size: 63488
MD5: CD1097574FD54B087DD27E9679C437EF

Located: HK_CU:Run, syncman
where: S-1-5-21-1757981266-746137067-839522115-1003...
command: c:\documents and settings\utilizador\wuaucldt.exe
file: c:\documents and settings\utilizador\wuaucldt.exe
size: 29494
MD5: C0225FA07467FFCAAE38548EDD555486

Located: HK_CU:Run, EPSON SX110 Series (DISABLED)
where: S-1-5-21-1757981266-746137067-839522115-1003...
command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE /FU "C:\DOCUME~1\UTILIZ~1\DEFINI~1\Temp\E_S26.tmp" /EF "HKCU"
file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFBE.EXE
size: 199680
MD5: 7AC2182FA963EFD2F72E8399BF0E67F9

Located: HK_CU:Run, Google Update (DISABLED)
where: S-1-5-21-1757981266-746137067-839522115-1003...
command: "C:\Documents and Settings\utilizador\Definições locais\Application Data\Google\Update\GoogleUpdate.exe" /c
file: C:\Documents and Settings\utilizador\Definições locais\Application Data\Google\Update\GoogleUpdate.exe
size: 136176
MD5: F02A533F517EB38333CB12A9E8963773

Located: HK_CU:Run, Rainlendar2 (DISABLED)
where: S-1-5-21-1757981266-746137067-839522115-1003...
command: C:\Programas\Rainlendar2\Rainlendar2.exe
file: C:\Programas\Rainlendar2\Rainlendar2.exe
size: 4067328
MD5: D0F6C8CA69CA3B1315C9BC9B5746ABE7

Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: S-1-5-21-1757981266-746137067-839522115-1003...
command: C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, syncman (DISABLED)
where: S-1-5-21-1757981266-746137067-839522115-1003...
command: c:\documents and settings\utilizador\wuaucldt.exe
file: c:\documents and settings\utilizador\wuaucldt.exe
size: 29494
MD5: C0225FA07467FFCAAE38548EDD555486

Located: Startup (common), WinZip Quick Pick.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque...
command: C:\Programas\WinZip\WZQKPICK.EXE
file: C:\Programas\WinZip\WZQKPICK.EXE
size: 415072
MD5: 235E9060FE95FF3E1D32AAD5AF892E71

Located: Startup (user), MagicDisc.lnk (DISABLED)
where: C:\Documents and Settings\utilizador\Menu Iniciar\Programas\Arranque...
command: C:\Programas\MagicDisc\MagicDisc.exe
file: C:\Programas\MagicDisc\MagicDisc.exe
size: 546816
MD5: FE86CA37BBB97D963D418AC0F96B8D03

Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy (DISABLED)
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon (DISABLED)
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Facilitador de Leitor de Link Adobe PDF)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Facilitador de Leitor de Link Adobe PDF
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 18-12-2009 2:16:54
Date (last access): 06-04-2010 1:24:50
Date (last write): 18-12-2009 2:16:54
Filesize: 61888
Attributes: archive
MD5: EAE7D779D59448F98B8A7F9102199DEB
CRC32: DD89A793
Version: 8.2.0.81

{346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} (Ant.com Toolbars browser helper (video detector))
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Ant.com Toolbars browser helper (video detector)
Path: C:\Programas\Ant.com\IE add-on\
Long name: Download.antplugin
Short name: DOWNLO~1.ANT
Date (created): 02-04-2010 16:56:44
Date (last access): 06-04-2010 0:49:10
Date (last write): 02-04-2010 16:56:44
Filesize: 3109888
Attributes: archive
MD5: 5F0D264714C49F462334ED431A8F4CB5
CRC32: 1D944336
Version: 1.9.26.0

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 18-03-2010 22:41:40
Date (last access): 06-04-2010 1:09:20
Date (last write): 26-01-2009 16:31:02
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{5C255C8A-E604-49b4-9D64-90988571CECB} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\Programas\Microsoft Office\Office12\
Long name: GrooveShellExtensions.dll
Short name: GRA8E1~1.DLL
Date (created): 12-02-2009 16:19:32
Date (last access): 06-04-2010 1:03:28
Date (last write): 12-02-2009 16:19:32
Filesize: 2217848
Attributes: archive
MD5: A6B5A41C0ED007AB6C43CAD899E533D8
CRC32: BA078F79
Version: 12.0.6421.1000

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 22-01-2009 16:41:30
Date (last access): 06-04-2010 1:09:20
Date (last write): 22-01-2009 16:41:30
Filesize: 408448
Attributes: archive
MD5: B7899C3E21B299D7A3C0DA96CAE340BD
CRC32: 288935F8
Version: 5.0.818.5

{9421DD08-935F-4701-A9CA-22DF90AC4EA6} (Easy Photo Print)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Easy Photo Print
Path: C:\Programas\Epson Software\Easy Photo Print\
Long name: EPTBL.dll
Short name:
Date (created): 03-02-2010 12:20:26
Date (last access): 06-04-2010 1:09:20
Date (last write): 02-04-2008 14:24:02
Filesize: 266240
Attributes:
MD5: EA3329E06D7C794B788CEADA90AB7000
CRC32: AD3B39B9
Version: 1.0.0.0

{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: EpsonToolBandKicker Class
Path: C:\Programas\EPSON\EPSON Web-To-Page\
Long name: EPSON Web-To-Page.dll
Short name: EPSONW~1.DLL
Date (created): 03-02-2010 12:22:02
Date (last access): 06-04-2010 1:09:20
Date (last write): 22-02-2005 14:50:34
Filesize: 368640
Attributes: archive
MD5: 01319CF4030B3740BA8261E7024ACAD1
CRC32: D484DB79
Version: 1.1.0.0

{FCBCCB87-9224-4B8D-B117-F56D924BEB18} (TBSB00982)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: TBSB00982
CLSID name: TBSB00982 Class
Path: C:\Programas\Antbar\Ant.com Toolbar\
Long name: tbcore3.dll



--- ActiveX list ---
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264600736373
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 27-01-2010 14:10:58
Date (last access): 06-04-2010 1:22:34
Date (last write): 06-08-2009 20:23:28
Filesize: 209624
Attributes: archive
MD5: 3822C7B5AF1898991629C287C5868893
CRC32: DB749760
Version: 7.4.7600.226



--- Process list ---
PID: 0 ( 0) [System]
PID: 520 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 568 ( 520) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 592 ( 520) \??\C:\WINDOWS\system32\winlogon.exe
size: 510976
PID: 636 ( 592) C:\WINDOWS\system32\services.exe
size: 111104
MD5: 3ED25950BC4603E15CD39A9649EB178E
PID: 652 ( 592) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 3D52A3DC53DD0632850AB8AA91E4795E
PID: 812 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 860 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 924 ( 636) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 976 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 1000 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 1504 (1420) C:\WINDOWS\Explorer.exe
size: 1035776
MD5: 73BF5036A2ABA403DB078C65B1A29A99
PID: 1680 ( 636) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 3268 ( 636) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 3280 (1504) C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
size: 2743104
MD5: F1802594C34904C57A33E0C759AEE056
PID: 3292 ( 636) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 3332 ( 636) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: E8AE7ED6E9A4E3C67DA29CE9BC17784E
PID: 3344 (1504) C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
size: 31072
MD5: 644795F6985C740F5E36E9336B837D0B
PID: 3408 (1504) C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 1EEA64D8599B5B7BD8721498E4019CF0
PID: 3444 (1504) C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
size: 320832
MD5: 5F53750CEA64C8D5882D808718A7074A
PID: 3452 (1504) C:\Programas\Freecorder\FLVSrvc.exe
size: 158752
MD5: C915C93773653DC2C1D206D3DD571683
PID: 3532 (3320) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 3628 (1504) C:\windows\system32\wuaucldt.exe
size: 29494
MD5: C0225FA07467FFCAAE38548EDD555486
PID: 3636 (1504) C:\Programas\Rainlendar2\Rainlendar2.exe
size: 4067328
MD5: D0F6C8CA69CA3B1315C9BC9B5746ABE7
PID: 3972 (3684) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 4012 (1504) C:\Programas\Windows Desktop Search\WindowsSearch.exe
size: 123904
MD5: B5C9F63C01FCFEC3F64EC6A0940A1825
PID: 4076 (1504) C:\Programas\WinZip\WZQKPICK.EXE
size: 415072
MD5: 235E9060FE95FF3E1D32AAD5AF892E71
PID: 4680 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5468 (5004) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5508 (5072) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5528 ( 636) C:\Programas\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
size: 124832
MD5: E8FE4FCE23D2809BD88BCC1D0F8408CE
PID: 5572 (5120) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5680 (5160) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5748 (5212) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5924 (5276) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5928 (5340) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 5984 (5372) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6124 (5444) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 3844 (5488) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6252 ( 636) C:\Programas\Ant.com\IE add-on\AntUpdaterService.exe
size: 138240
MD5: C5756624B86B69A7A243B2B525A21BB9
PID: 6260 (5536) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6440 (5956) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6504 (5580) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6524 (5660) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6544 (5736) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6572 (5812) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6596 (5972) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6616 (6008) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6628 (6060) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6648 (1192) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 6792 ( 636) C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\mdm.exe
size: 335872
MD5: 7CF1B716372B89568AE4C0FE769F5869
PID: 6856 ( 636) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 7096 ( 636) C:\WINDOWS\system32\SearchIndexer.exe
size: 439808
MD5: 7778BDFA3F6F6FBA0E75B9594098F737
PID: 5416 ( 636) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8E4A4591879B2EB4AF817F405B436449
PID: 5456 (3548) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 9408 (1504) C:\Programas\MagicDisc\MagicDisc.exe
size: 546816
MD5: FE86CA37BBB97D963D418AC0F96B8D03
PID: 11216 (1504) C:\Programas\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 11812 ( 812) C:\Programas\Ant.com\IE add-on\AntMaintainer.exe
size: 3020288
MD5: 376FA5C17D0138FBC101E45BD1BF85AF
PID: 1548 ( 812) C:\Programas\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 12488 (1548) C:\Programas\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 11364 (1548) C:\Programas\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 4 ( 0) System
PID: 9864 ( 812) C:\Programas\Ant.com\IE add-on\AntMaintainer.exe
size: 3020288
MD5: 376FA5C17D0138FBC101E45BD1BF85AF
PID: 13776 (1548) C:\Programas\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 10988 (3628) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 9052 (10988) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912
PID: 14000 (9248) C:\WINDOWS\System32\reader_s.exe
size: 63488
MD5: CD1097574FD54B087DD27E9679C437EF
PID: 3816 (5140) C:\Documents and Settings\utilizador\reader_s.exe
size: 63488
MD5: CD1097574FD54B087DD27E9679C437EF
PID: 11192 (7096) C:\WINDOWS\system32\SearchProtocolHost.exe
size: 184832
MD5: C4894B3B448B647BEDC9E916D181BDBE
PID: 11232 (7096) C:\WINDOWS\system32\SearchFilterHost.exe
size: 87552
MD5: 87889A983C015080FA813D7E32910D1E
PID: 9004 ( 812) C:\Programas\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 9136 (9004) C:\Programas\Internet Explorer\IEXPLORE.EXE
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 13208 (10988) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 4C0F692661947B432D184EBFA2FE1912


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 06-04-2010 1:40:55

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/is&api/redir.dll?prd=iear=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{05EB636D-F67F-44F3-B492-21391BE3AA05}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{05EB636D-F67F-44F3-B492-21391BE3AA05}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FB32BB7-BC82-45F1-A3B2-FD268CD848BF}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4FB32BB7-BC82-45F1-A3B2-FD268CD848BF}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{900D743F-45AA-42B4-8D61-141700006EC9}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{900D743F-45AA-42B4-8D61-141700006EC9}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Espaço de nomes para 'Identificação da localização na rede (NLA)'
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace


HTJ Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:13, on 06-04-2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Programas\Freecorder\FLVSrvc.exe
C:\windows\system32\wuaucldt.exe
C:\Programas\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Windows Desktop Search\WindowsSearch.exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ant.com\IE add-on\AntUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\MagicDisc\MagicDisc.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Ant.com\IE add-on\AntMaintainer.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\utilizador\reader_s.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\utilizador\Definições locais\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\utilizador\Definições locais\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\utilizador\Definições locais\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\utilizador\Definições locais\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe syce.xto nqxwp
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Ant.com Toolbars browser helper (video detector) - {346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} - C:\Programas\Ant.com\IE add-on\Download.antplugin
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programas\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programas\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: TBSB00982 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Programas\Antbar\Ant.com Toolbar\tbcore3.dll (file missing)
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programas\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Ant.com Download Toolbar - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Programas\Ant.com\IE add-on\AntToolbar.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [syncman] c:\documents and settings\utilizador\wuaucldt.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\utilizador\reader_s.exe
O4 - Startup: MagicDisc.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Download videos by Ant.com - {8CB20CBF-5EF7-405b-A657-7BF9FB81CFE1} - C:\Programas\Ant.com\IE add-on\Download.antplugin
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264600736373
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programas\Microsoft Office\Office12\GrooveSystemServices.dll
O21 - SSODL: GootkitSSO - {C210E490-7336-440F-8D0D-8E596CB511CB} - C:\WINDOWS\System32\msxsltsso.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Programas\Stardock\Fences\FencesMenu.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Programas\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ant Toolbar updater service (AntUpdaterService) - Ant.com - C:\Programas\Ant.com\IE add-on\AntUpdaterService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programas\WinPcap\rpcapd.exe

--
End of file - 8814 bytes


Thank You All
Shaba
2010-04-09, 07:29
Hi tarix

I don't have good news for you, unfortunately.

You have virut which is a file infector, it is able to infect most of your files.

Being buggy, disinfection causes corruption of files so most of them won't work properly afterwards.

So solution is reformat and reinstall.

If you need help with that, please let me know.
tarix
2010-04-09, 23:02
Hi Shaba,
Thanks for the help and advice once more :) , just a few questions before formating the disc:
1) you said "You have virut which is a file infector, it is able to infect most of your files" so, is it possible to make a copy (backup) of those files i have (.doc, music and films) to an USB pen for instance, without those files being infected ? or do i have to discard/delete them all including my works ?
2) When reformating...grrrr :sad: (not with you but with the virut) ;) should i delete all the partitions including the boot partition or just the windows one (i think the first solution (booth partitions) is better, no? what do advise?
3) is it possible to make a bootable Usb pen with the basic system for repair and image of the windows and programs i need (office, etc) and copy/paste to the new disc partitions? is there any good place/tutorial where i can see it? I was thinking of installing a system like this: PortableApps.com_Suite_Light_Setup_1.6_English
and then ad a image of the windows and programs needed, booted from the usb stick and paste that image in the new formated disc, what do you think? is it possible? can you help or direct me to a place/tutorial were i can learn how to do it?
Thanks again for all the help :thanks:
Shaba
2010-04-10, 09:13
1) Well for example you can't backup any .doc files or you will get reinfected.
.Exe, .scr, .rar, .html, .htm, .asp, .php are for example other filetypes which virut is able to infect. To play safe, I wouldn't backup any files.

2) We can run an online scan to see if there are infected files outside boot partition.

3) Do you have image already? You can't make it from infected system.
tarix
2010-04-10, 21:19
Hi Shaba,
thanks for your assistance, where can i do an online scan to see if i have virut infection outside the boot ? is there any way to "disinfect" at least the .doc if they're infected ?
As for the image, this computer was given to me by the university institute and i think (and hope) that if i talk to them they can arrange me a new system image. But to make things easer to them (and me to) i was thinking about that solution i've posted before (of course the image and the boot system for the pen would be done in another PC so to prevent new infections).
Thanks again
Shaba
2010-04-11, 17:38
We can run online scan but unfortunately we can't be sure if certain online scan detects virut.

Let's try this one:

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

"is there any way to "disinfect" at least the .doc if they're infected ?"

No, you will need to restore from backup.