PDA

View Full Version : Slow Computer, Trojans and weird WinLogon entries?


indigoclio
2006-08-15, 00:24
Hello

On the last days, my computer is becoming very slow, for unknown reasons. I thought that it could be virus/malware, and examined it with BitDefender (log below). The online antivirus found some trojans and deleted some of them. But I want to know: is my computer clean?

For some extra information, I received some days ago a really strange popup, telling I had a Virus infection, but it wasn't a Avast popup; rather, it was a Javascript command from the page, or something like that. And on the Tools/System Startup tab on Spybot there are some WinLogon entries with really weird value names, like this:

Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Hope it helps
Thanks in Advance!

BitDefender Online Scanner
Scan report generated at: Mon, Aug 14, 2006 - 16:47:45
Scan path: A:\;C:\;D:\;E:\;F:\;
Statistics
Time

02:34:32

Files

422527

Folders

4760

Boot Sectors

2

Archives

9519

Packed Files

34729


Results

Identified Viruses


10

Infected Files


13

Suspect Files


0

Warnings


0

Disinfected


0

Deleted Files


13

Engines Info

Virus Definitions


444449

Engine build


AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)

Scan plugins


13

Archive plugins


39

Unpack plugins


5

E-mail plugins


6

System plugins


1







Scan Settings

First Action


Disinfect

Second Action


Delete

Heuristics


Yes

Enable Warnings


Yes

Scanned Extensions


*;

Exclude Extensions




Scan Emails


Yes

Scan Archives


Yes

Scan Packed


Yes

Scan Files


Yes

Scan Boot


Yes



Scanned File


Status

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip=>javainstaller/InstallerApplet.class


Infected with: Trojan.Downloader.Ieax.A

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip=>javainstaller/InstallerApplet.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip=>javainstaller/InstallerApplet.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-64a0fc63.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Matrix.class


Infected with: Java.Trojan.Downloader.OpenStream.C

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Matrix.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Matrix.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Counter.class


Infected with: Trojan.Java.Classloader.H

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Counter.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Counter.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Dummy.class


Infected with: Trojan.Java.Classloader.G

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Dummy.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Dummy.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Parser.class


Infected with: Trojan.Java.Classloader.D

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Parser.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip=>Parser.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv761.jar-d18bd5b-12a68932.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>GetAccess.class


Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>GetAccess.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>GetAccess.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>InsecureClassLoader.class


Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>InsecureClassLoader.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>InsecureClassLoader.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Dummy.class


Infected with: Trojan.Java.Classloader.Dummy.A

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Dummy.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Dummy.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip


Updated

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Installer.class


Infected with: Java.Trojan.OpenConnection.F

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Installer.class


Disinfection failed

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip=>Installer.class


Deleted

C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-266268dc-61dd15a9.zip


Updated

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html=>(gzip)


Infected with: Trojan.Spy.Banker.HQ

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html=>(gzip)


Disinfection failed

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html=>(gzip)


Deleted

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\index[1].html


Update failed

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\navcell-off[1].htm


Infected with: Trojan.Spy.Banker.HQ

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\navcell-off[1].htm


Disinfection failed

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\09UZCHQZ\navcell-off[1].htm


Deleted

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\2TJW14R2\apardetudo.hpg.ig.com[1].htm


Infected with: Trojan.Spy.Banker.HQ

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\2TJW14R2\apardetudo.hpg.ig.com[1].htm


Disinfection failed

C:\Documents and Settings\asd\Configurações locais\Temporary Internet Files\Content.IE5\2TJW14R2\apardetudo.hpg.ig.com[1].htm


Deleted


C:\System Volume Information\_restore{0E43D19E-22F2-4164-B6FC-BDCFFDB476D5}\RP396\A0104280.exe


Infected with: Trojan.Downloader.Banload.AOO

C:\System Volume Information\_restore{0E43D19E-22F2-4164-B6FC-BDCFFDB476D5}\RP396\A0104280.exe


Disinfection failed

C:\System Volume Information\_restore{0E43D19E-22F2-4164-B6FC-BDCFFDB476D5}\RP396\A0104280.exe
indigoclio
2006-08-15, 00:25
Logfile of HijackThis v1.98.2
Scan saved at 17:52:43, on 14/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Microsoft Office\Office\1046\msoffice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Nova pasta\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guiadoscuriosos.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.semptoshiba.com.br
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Registro da Corel.lnk.disabled
O4 - Global Startup: Alarmes do CorelCENTRAL.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Analisar com LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Download usando Assistente LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download usando LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\AddUrl.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.semptoshiba.com.br
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
LonnyRJones
2006-08-18, 02:54
Hi
You did not delete any of the files did you ?
If not re-enable all these normal windows items >
Located: WinLogon, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll
=========

then restart your PC

Post a current version Hijackthis log please
HijackThis 1.99.1
http://www.merijn.org/files/HijackThis.exe
indigoclio
2006-08-18, 05:37
Re-enabled the WinLogon entries and redid the scan with newest HijackThis.
BTW, this computer has two user profiles on WinXP: mine (the Gabi one) and the other one (asd) is used by my mother. Should I do a HJT scan from her profile too?

Logfile of HijackThis v1.99.1
Scan saved at 23:28:30, on 17/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Microsoft Office\Office\1046\msoffice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Nova pasta\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guiadoscuriosos.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.semptoshiba.com.br
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Registro da Corel.lnk.disabled
O4 - Global Startup: Alarmes do CorelCENTRAL.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Analisar com LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Download usando Assistente LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download usando LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\AddUrl.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.semptoshiba.com.br
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02E8671F-FAFB-483E-A18D-DBF9E22610C0}: NameServer = 200.165.132.148 200.149.55.140
O17 - HKLM\System\CS2\Services\Tcpip\..\{02E8671F-FAFB-483E-A18D-DBF9E22610C0}: NameServer = 200.165.132.148 200.149.55.140
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe (file missing)
LonnyRJones
2006-08-18, 07:08
C:\Documents and Settings\Gabi\Dados de aplicativos\Sun\Java\Deployment\cache

To clear the java's cache, open the windows control panel > java and click the delete files button.
Update suns java manualy
Sun Java "Java Runtime Environment (JRE) 5.0 Update 8" is Available:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Afterwards it's important to uninstall the old version's via addremove programs.

Other than i remnant of symantec Your log looks fine, I assume it was uninstalled ?

You can post a log taken from the other profile but its not needed unless there are spyware symtoms/problem.
indigoclio
2006-08-18, 21:50
Well, I cleared the cache and updated Java as you asked, removing the old versions. About the Symantec entry, is because I used to have Norton, but not anymore. Is there a way to take off that remnant?

And I'm putting the HJT log for the other profile below, since BitDefender found a bank Trojan on it; just to be on the safe side.

Thanks for all the help!

Logfile of HijackThis v1.99.1
Scan saved at 15:40:20, on 18/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\D-Tools\daemon.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Java\jre1.5.0_08\bin\jusched.exe
C:\Arquivos de programas\Microsoft Office\Office\1046\msoffice.exe
C:\Nova pasta\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guiadoscuriosos.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.semptoshiba.com.br
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.4.1.4:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_08\bin\jusched.exe
O4 - Global Startup: Alarmes do CorelCENTRAL.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Corel Registration.lnk.disabled
O4 - Global Startup: CorelCENTRAL 9.LNK.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: Download using LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Arquivos de programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Arquivos de programas\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Arquivos de programas\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.semptoshiba.com.br
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlugin/cab/GbPluginUni.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe (file missing)
LonnyRJones
2006-08-19, 02:48
Looks fine.

Norton/Symantec programs are nefarious for not cleaning up after themselves
Go here and follow instructs for whatever version it was that you had
Symantec Removal: http://basconotw.mvps.org/SymRem.htm
tashi
2006-08-25, 19:59
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.