Smitfraud-C infection HELP NEEDED !!!

Hello alien2,

As for the folder you asked about (c:\documents and settings\Casa\Application Data\Desktopicon), I don't know what it is; I went there and found it empty. If you wish I can delete it.
It looks like it was an icon on your desktop which was maybe removed and the folder stayed empty. I will remove it.
----------------------------------------------
We have to remove an infection from your G:\ drive.
I have included it in my fix.

If the G:\ drive is a flash drive or an external drive, please plug it into the PC when you are ready to run ComboFix using my script.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm
    C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm
    C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm
    C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM
    C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm
    C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm
    C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM
    C:\Program Files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe
    G:\i.exe
    
    Folder::
    C:\Rooter$
    c:\documents and settings\Casa\Application Data\Desktopicon
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6516dde0-a6e5-11dd-9a4c-00805a2069c9}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: CFScriptB-4.gif)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Run Kaspersky again.
----------------------------------------------
Post back:
Combofix report.
Kaspersky report.
A new HijackThis log.
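When the ComboFix log comes back, the helper's next job is to check that every File:: and Folder:: entry in the script actually shows up in the log's deletions section, and that anything Kaspersky still flags is only the quarantined copy under C:\Qoobox\Quarantine. The script below is an added example of that reconciliation; it is not part of this thread and not ComboFix's own code. The CFScript, ComboFix log and Kaspersky excerpts inside it are constructed to match the formats seen in this thread (one placeholder Kaspersky hit is invented to show the "active" case), and the English-locale banner name "Other Deletions" is an assumption.

```python
import re

# Constructed sample CFScript in the File:: / Folder:: / Registry:: layout used
# in this thread (shortened; these are not the full entries posted above).
SAMPLE_CFSCRIPT = r"""File::
C:\Program Files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe
G:\i.exe

Folder::
C:\Rooter$
c:\documents and settings\Casa\Application Data\Desktopicon

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"""

# Constructed excerpt of a ComboFix log in the shape of the one posted in this
# thread: the FILE :: echo of the script, then the "Outras Exclusões"
# (Other Deletions) section listing what was actually removed.
SAMPLE_LOG = r"""FILE ::
c:\program files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe
G:\i.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Casa\Application Data\Desktopicon
c:\program files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe
C:\Rooter$
c:\rooter$\iNv.exe

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-08 to 2009-02-08 ))))))))))))))))))))))))))))
.
"""

# Constructed Kaspersky Online Scanner excerpt: two hits inside ComboFix's
# quarantine (as in the posted report) plus one invented placeholder hit
# outside it, to show how the two cases are told apart.
SAMPLE_KASPERSKY = r"""File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Program Files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe.vir Infected: Trojan.Win32.Genome.aduq 1
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm.vir Infected: Trojan.JS.Redirector.b 1
C:\Example\constructed-placeholder.exe Infected: Constructed.Placeholder.Sample 1

The selected area was scanned.
"""

DELETION_BANNERS = ("outras exclus", "other deletions")  # pt-PT banner seen here; en-US assumed
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+\d+$")


def parse_cfscript(text):
    """Split a CFScript into {section_name: [entries]}; a section header ends in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def deletions_from_log(log_text):
    """Return the lower-cased paths listed under the deletions banner, up to the next banner."""
    deleted, inside = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("(((("):  # every ComboFix section starts with a (((( banner
            inside = any(b in line.lower() for b in DELETION_BANNERS)
            continue
        if inside and line and line != ".":
            deleted.add(line.lower())
    return deleted


def reconcile(script_text, log_text):
    """Return (confirmed, unconfirmed, keys_still_listed) for a script run against its log."""
    script = parse_cfscript(script_text)
    deleted = deletions_from_log(log_text)
    confirmed, unconfirmed = [], []
    for section in ("file", "folder"):
        for entry in script.get(section, []):
            (confirmed if entry.lower() in deleted else unconfirmed).append(entry)
    # "[-KEY]" asks ComboFix to delete KEY; if that key path still appears anywhere
    # in the post-run log, the deletion deserves a second look.
    log_lower = log_text.lower()
    keys_still_listed = [k for k in script.get("registry", [])
                         if k.startswith("[-") and k[2:].rstrip("]").lower() in log_lower]
    return confirmed, unconfirmed, keys_still_listed


def classify_kaspersky(report_text, quarantine_prefix=r"c:\qoobox\quarantine"):
    """Split Kaspersky hits into (active, quarantined) by path prefix."""
    # ComboFix moves what it removes into C:\Qoobox\Quarantine with a .vir suffix,
    # so a hit under that prefix is an inert copy rather than a live infection.
    active, quarantined = [], []
    for raw in report_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue
        hit = (m.group("path"), m.group("threat"))
        (quarantined if hit[0].lower().startswith(quarantine_prefix) else active).append(hit)
    return active, quarantined


if __name__ == "__main__":
    confirmed, unconfirmed, keys = reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    print("confirmed deletions:", *confirmed, sep="\n  ")
    print("NOT confirmed (e.g. drive not attached):", *unconfirmed, sep="\n  ")
    print("registry keys still listed:", keys or "none")
    active, quarantined = classify_kaspersky(SAMPLE_KASPERSKY)
    print(f"Kaspersky: {len(quarantined)} hit(s) already in quarantine, {len(active)} active")
```

On the sample data, G:\i.exe is the one entry that cannot be confirmed, which is exactly what happens when the drive the script targets is not attached during the run.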
 
log and report requested

HI chryssi2001,

As for the G:\ drive, I have no idea what it is. I've looked into the computer and it doesn't show me any G:\ drive letter. I have a pen drive but I'm not using it right now (at least since mid-January), and the only work I've done on it is ppt and word, so I didn't run it through ComboFix, but if you wish I'll run it again with the pen drive plugged in.
Below are the reports and logs requested. Thanks again for all the help.


ComboFix 09-02-07.01 - Casa 2009-02-08 15:18:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.324 [GMT 0:00]
Executando de: c:\documents and settings\Casa\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Casa\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Criado um novo ponto de restauro

FILE ::
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm
c:\program files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe
G:\i.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Casa\Application Data\Desktopicon
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM
c:\documents and settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm
c:\program files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe
C:\Rooter$
c:\rooter$\iNv.exe
c:\rooter$\kill.reg
c:\rooter$\List.lsd
c:\rooter$\lsTasks.exe
c:\rooter$\Orph.egd
c:\rooter$\OsV.exe
c:\rooter$\paths.bat
c:\rooter$\Rkeys.txt
c:\rooter$\RKit.lsd
c:\rooter$\RoGUeS.lsd
c:\rooter$\Rooter.txt
c:\rooter$\Rooter_1.txt
c:\rooter$\Rooter_2.txt
c:\rooter$\RooterT.cmd
c:\rooter$\RunTool.txt
c:\rooter$\sed.exe
c:\rooter$\setpath.exe

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-08 to 2009-02-08 ))))))))))))))))))))))))))))
.

2009-01-28 16:37 . 2009-01-28 16:37 <DIR> d-------- c:\program files\Java
2009-01-28 16:37 . 2009-01-28 16:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-28 04:04 . 2009-01-28 04:04 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-28 04:02 . 2009-01-28 04:02 <DIR> d-------- c:\documents and settings\Casa\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-01-28 03:42 . 2009-01-28 16:13 <DIR> d-------- c:\program files\NOS
2009-01-28 03:42 . 2009-01-28 16:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-26 23:36 . 2009-01-26 23:36 <DIR> d-------- c:\program files\AVG
2009-01-23 21:07 . 2009-01-23 21:07 <DIR> d-------- c:\program files\Trend Micro
2009-01-23 20:46 . 2009-01-23 20:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-23 20:46 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-23 20:46 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 22:02 . 2009-01-19 22:02 <DIR> d-------- c:\program files\ERUNT
2009-01-18 20:41 . 2009-02-08 15:13 <DIR> d-------- c:\windows\system32\NtmsData
2009-01-18 19:59 . 2009-01-18 19:59 <DIR> d-------- c:\program files\Windows Resource Kits
2009-01-18 19:41 . 2009-01-18 19:43 53,485,568 --a------ c:\windows\sectest.db
2009-01-16 03:38 . 2009-01-16 03:42 <DIR> d-------- C:\Qoofix
2009-01-13 22:30 . 1995-08-14 06:00 22,432 --a------ c:\temp\SETUP.EXE
2009-01-10 16:36 . 2003-08-20 10:51 635,012 --a------ c:\windows\system32\drivers\sonypvf2.sys
2009-01-10 16:36 . 2003-08-20 10:44 431,236 --a------ c:\windows\system32\drivers\sonypvt2.sys
2009-01-10 16:36 . 2003-06-24 10:29 64,093 --a------ c:\windows\system32\drivers\sonypvd2.sys
2009-01-10 16:36 . 2003-07-01 21:43 57,344 --a------ c:\windows\system32\sonypvi2.dll
2009-01-10 16:36 . 2003-07-25 15:02 19,478 --a------ c:\windows\system32\drivers\sonypvl2.sys
2009-01-10 16:36 . 2003-03-19 11:36 4,458 --a------ c:\windows\system32\SonyPVC2.dll
2009-01-10 16:12 . 2009-01-10 16:12 <DIR> d-------- c:\program files\Keyware
2009-01-10 16:12 . 2009-01-10 16:12 <DIR> d-------- c:\program files\Common Files\Keyware
2009-01-10 16:12 . 2001-06-13 10:31 6,000,640 --a------ c:\windows\system32\Biometric Screensaver.scr
2009-01-10 16:10 . 2009-01-10 16:10 <DIR> d-------- c:\program files\SONYUSBCamera

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 15:19 --------- d-----w c:\program files\vso
2009-02-08 14:59 7,886,336 ----a-w c:\windows\system32\logonuiX.exe
2009-02-08 03:12 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-06 22:27 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-03 15:17 --------- d-----w c:\program files\IncrediMail
2009-02-03 04:07 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-29 03:46 --------- d-----w c:\program files\SpywareBlaster
2009-01-28 16:37 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-28 03:51 --------- d-----w c:\program files\Common Files\Adobe
2009-01-27 03:38 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-27 03:29 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-27 01:28 --------- d-----w c:\program files\MagicISO
2009-01-26 23:37 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-26 23:37 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-26 23:36 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-26 23:36 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-26 19:58 --------- d-----w c:\program files\Freeciv-2.0.9-gtk2
2009-01-26 19:46 --------- d-----w c:\program files\CCleaner
2009-01-10 16:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-29 22:28 --------- d-----w c:\program files\KraiSoft Games
2008-12-27 15:20 --------- d-----w c:\documents and settings\All Users\Application Data\WhiteCap (Holiday Edition)
2008-12-23 20:26 --------- d-----w c:\documents and settings\Mãe\Application Data\Simple Sudoku
2008-12-22 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-22 19:40 --------- d-----w c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2008-12-20 01:56 --------- d-----w c:\documents and settings\Casa\Application Data\Screenshot Sender
2008-12-09 04:00 --------- d-----w c:\program files\DivX
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-07 05:59 47,360 ----a-w c:\documents and settings\Casa\Application Data\pcouffin.sys
2008-04-14 05:27 81,920 ----a-w c:\documents and settings\Casa\Application Data\ezpinst.exe
2008-04-04 02:51 14,290 ----a-w c:\program files\settings.dat
2008-03-21 16:12 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-02-21 21:51 66,672 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-02-21 21:51 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-02-21 21:51 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-02-21 21:51 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-02-21 21:51 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2005-03-02 00:36 2056832 d8aba3eab509627e707a3b14f00fbb6b c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 09:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2003-11-08 12:00 1947904 0e8efb15746878a9b256e75267337233 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 05:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 00:34 2067712 73c6d7f370eee2330162a8dd3302159c c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 08:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 05:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-13 18:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-02-28 08:38 2068480 bf7d3b9a67fdabb7ada4df7c0286b382 c:\windows\system32\ntkrnlpa.exe
2007-02-28 08:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\system32\dllcache\ntkrnlpa.exe
2007-02-28 08:38 2057600 515d30e2c90a3665a2739309334c9283 c:\windows\system32\VITrans\ntkrnlpa.exe

2005-03-02 01:04 2179456 28187802b7c368c0d3aef7d4c382aabb c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 09:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2003-11-08 12:00 2042240 b9080d97dbd631aadf9128f7316958d2 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 06:20 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 00:59 2190208 ba9c5fd985ba9de863f482b892b0e4ad c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 09:10 2180352 582a8dbaa58c3b1f176eb2817daee77c c:\windows\Driver Cache\i386\ntoskrnl.exe
2004-08-04 06:20 2180992 ce218bc7088681faa06633e218596ca7 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-04-13 19:27 2188928 0c89243c7c3ee199b96fcc16990e0679 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-02-28 09:10 2191232 cc208534f5463d154da324ae9eceac78 c:\windows\system32\ntoskrnl.exe
2007-02-28 09:10 2180352 582a8dbaa58c3b1f176eb2817daee77c c:\windows\system32\dllcache\ntoskrnl.exe
2007-02-28 09:10 2180352 582a8dbaa58c3b1f176eb2817daee77c c:\windows\system32\VITrans\ntoskrnl.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-06_14.21.20.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-06 14:14:32 67,814 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-08 15:01:43 67,814 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-06 14:14:32 421,644 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-08 15:01:43 421,644 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-08 14:57:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b4.dat
+ 2009-02-08 15:11:15 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6e4.dat
+ 2009-02-08 14:57:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_75c.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 12:04 97064 --a------ c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"ViOrb"="c:\program files\ViOrb\ViOrb.exe" [2008-05-22 167936]
"LClock"="c:\program files\LClock\lclock.exe" [2004-09-20 65536]
"VisualTaskTips"="c:\program files\VisualTaskTips\VisualTaskTips.exe" [2008-02-19 61440]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-01-27 251264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Opware12"="c:\program files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2003-05-20 49152]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-09-26 35328]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-04 987187]
"BootSkin Startup Jobs"="c:\program files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"IME JPN 2007 Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE" [2007-08-23 66936]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-26 32560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\Casa\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-04-04 575488]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
"VIDC.PIM1"= PCLEPIM1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2009-01-10 19478]
R0 u1pvdbs;SONY USB CAMERA Base Driver;c:\windows\system32\drivers\u1pvdbs.sys [2001-07-18 6224]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-04 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-04 107272]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2009-01-10 635012]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2009-01-10 431236]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51:58 13560]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-26 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-26 298264]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2008-02-28 53032]
R3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2006-09-29 6400]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S3 tbHD;Philips PSC705 WDM Driver;c:\windows\system32\drivers\TBirdHD.sys [2006-09-29 336066]
S3 u1pvdsm;SONY USB CAMERA Video Capture Device;c:\windows\system32\drivers\u1pvdsm.sys [2001-07-18 322066]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-02-07 c:\windows\Tasks\User_Feed_Synchronization-{058E424E-DC69-4EB8-97E2-3E9F03E90005}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.netcabo.pt/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: + &Download Express: download this file - c:\program files\Download Express\Add_Url.htm
IE: Add to Local Website Archive - c:\documents and settings\Casa\Application Data\aignes\Local Website Archive\config\iearc.htm
IE: Add to WebSite-Watcher - c:\documents and settings\Casa\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\progra~1\DOWNLO~1\mdpph.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 15:21:49
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-1060284298-854245398-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\cscui.dll
.
Tempo para conclusão: 2009-02-08 15:26:09
ComboFix-quarantined-files.txt 2009-02-08 15:25:52
ComboFix2.txt 2009-02-06 14:24:04

Pré-execução: 9.403.031.552 bytes free
Pós execução: 9,389,457,408 bytes free

299 --- E O F --- 2008-09-11 05:37:15


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 08, 2009 16:28:38
Records in database: 1769373
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 102894
Threat name: 2
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 02:45:11


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm.vir Infected: Trojan.JS.Redirector.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm.vir Infected: Trojan.JS.Redirector.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm.vir Infected: Trojan.JS.Redirector.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM.vir Infected: Trojan.JS.Redirector.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm.vir Infected: Trojan.JS.Redirector.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm.vir Infected: Trojan.JS.Redirector.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM.vir Infected: Trojan.JS.Redirector.b 1
C:\Qoobox\Quarantine\C\Program Files\vso\convertxtodvdv3.0.0.9 multilingual patch-tRUE.exe.vir Infected: Trojan.Win32.Genome.aduq 1

The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41:07, on 08-02-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netcabo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000013.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to Local Website Archive - C:\Documents and Settings\Casa\Application Data\aignes\Local Website Archive\config\iearc.htm
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Casa\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {651B27BB-07F3-46F6-91E2-73F48BDC7525} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {BAD3887C-C44F-436A-BE7E-184C47E66D09} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11090 bytes

Thanks for all the help you have given me :)
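Reading a HijackThis log by hand, as the helper does in this thread, is mostly a matter of pulling three things out of each line (section code, label, and the file or URL it points at) and then asking a few questions of each: is the service's publisher unknown, does the startup item run from a user-writable folder, does a browser page setting point somewhere odd. The following parser does exactly that over a small constructed sample. It is an added example, not part of the thread and not HijackThis' own code; the sample consists of lines copied from the log above plus two constructed lines (the `updater.exe` run entry under Application Data and the raw-IP start page) that exist only to show the checks firing, and the "Microsoft default" host list is an assumption.

```python
import re
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    section: str   # HijackThis section code: R0, R1, O2, O3, O4, O23
    name: str      # label HijackThis shows: run-key value name, BHO name, service name, IE setting
    target: str    # file path, command line or URL the entry points at
    owner: str     # publisher string for O23 services, "" for everything else


# One regex per line shape, for the sections that matter most during a cleanup.
# Lines of other sections (O8, O9, O18, ...) are skipped by parse_log().
LINE_PATTERNS = [
    re.compile(r"^(?P<section>R[013]) - (?P<name>.+?) = (?P<target>.+)$"),
    re.compile(r"^(?P<section>O2) - BHO: (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$"),
    re.compile(r"^(?P<section>O3) - Toolbar: (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$"),
    re.compile(r"^(?P<section>O4) - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
    re.compile(r"^(?P<section>O4) - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.+)$"),
    re.compile(r"^(?P<section>O23) - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$"),
]

# Folders an ordinary user can write to; legitimate services and BHOs rarely live there.
USER_WRITABLE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\|\\Application Data\\|\\Local Settings\\Temp\\|\\Temp\\",
    re.IGNORECASE,
)
# Assumption: hosts IE points at out of the box on this XP machine.
DEFAULT_URL_HOSTS = ("microsoft.com", "msn.com", "live.com")

# Constructed sample: real lines from the log above, plus two constructed lines at the end.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netcabo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Casa\Application Data\example\updater.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.0.2.10/
"""


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    for pat in LINE_PATTERNS:
        m = pat.match(line)
        if m:
            d = m.groupdict()
            return Entry(d["section"], d["name"], d["target"], d.get("owner", ""))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def executable_of(target: str) -> str:
    """Program path from a run-key command line: the quoted path if quoted, otherwise
    everything up to the first .exe/.dll/.cpl/.scr token, so 'C:\\X Y\\a.exe /c' keeps its space."""
    m = re.match(r'^"([^"]+)"', target)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.(?:exe|dll|cpl|scr))(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target.split()[0]


def url_host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def findings(entries: List[Entry]) -> List[str]:
    out: List[str] = []
    for e in entries:
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            out.append(f"O23 service '{e.name}' has no publisher string; verify {e.target}")
        if e.section in ("O2", "O3", "O4", "O23"):
            exe = executable_of(e.target)
            if USER_WRITABLE.search(exe):
                out.append(f"{e.section} '{e.name}' runs from a user-writable location: {exe}")
        if e.section in ("R0", "R1"):
            host = url_host(e.target)
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
                out.append(f"{e.section} '{e.name}' points at a raw IP address: {e.target}")
            elif not any(host == d or host.endswith("." + d) for d in DEFAULT_URL_HOSTS):
                out.append(f"{e.section} '{e.name}' is not a Microsoft default: {e.target} (confirm you set it)")
    return out


if __name__ == "__main__":
    for f in findings(parse_log(SAMPLE_LOG)):
        print(f)
```

On the sample this reports four items: the ISP start page (for the user to confirm), the Adobe service with no publisher string, the constructed run entry under Application Data, and the constructed raw-IP start page. Everything else in the copied lines passes, which matches the helper's reading of the log.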
 
Hello alien2,

as for the G:\ drive I have no idea what it is. I've looked into the computer and it doesn't show me any G:\ drive letter. I have a pen drive but I'm not using it right now (at least since mid January), and as the only work I've done is on ppt and word I didn't run it through ComboFix, but if you wish I'll run it again with the pen drive plugged in.
The G:\ drive can be a pen drive or your Sony USB camera; please plug it into your PC if you can.

Please follow this step for both devices.
----------------------------------------------
Flash_Disinfector FOR XP

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
----------------------------------------------
Let me know when you are done.
 
re: flash disinfector

HI chryssi2001,

I've done all the steps and everything ran according to your instructions; I didn't have to run the Task Manager.

Thanks
 
re

HI chryssi2001,

Thanks for all the help. For the moment, and as far as I can tell, the PC is running OK, thanks :) What should I do next?
 
Hello alien2,

I am glad the pc is working fine. :bigthumb:
----------------------------------------------
I can't see any firewall in your HijackThis log, so I assume you use the Windows Firewall.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient, but it only controls traffic in one direction (inbound). Simply using a firewall in its default configuration can lower your risk greatly. It's preferable to install one of the suggested firewalls.
Vista users must check compatibility with Vista before installation.

FREE FIREWALLS
A tutorial about firewalls can be found here
----------------------------------------------
Please remove Flash Disinfector.
----------------------------------------------
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.
----------------------------------------------
Congratulations your machine appears to be clean! :)

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use SpywareBlaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 and newer versions should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!
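The HOSTS-file recommendation above cuts both ways: the same mechanism that lets the MVPS file sinkhole ad hosts to 127.0.0.1 is what a hijacker uses to silence an antivirus update server (also by pointing it at 127.0.0.1) or to send a bank's name to a machine they control. So after installing such a file it is worth checking that every entry either sinkholes a name to the local machine or is one you put there. The script below does that over a constructed sample HOSTS file. It is an added example, not part of the thread or of the MVPS project; the hostnames use the reserved `.test` suffix and the `198.51.100.7` documentation address as placeholders, and the list of "protected" name fragments is an assumption, deliberately coarse, that you would tailor to the security products actually installed.

```python
import ipaddress
from typing import Dict, List, NamedTuple


class HostEntry(NamedTuple):
    address: str
    hostname: str
    line_no: int


# Constructed sample HOSTS file: the mandatory localhost line, three MVPS-style
# blocking lines, and two hypothetical lines of the kind a hijacker adds.
SAMPLE_HOSTS = """\
# header comment, ignored by the parser
127.0.0.1  localhost
127.0.0.1  ad.example-adserver.test    # MVPS-style sinkhole
127.0.0.1  banner.example-ads.test
127.0.0.1  update.example-antivirus.test
198.51.100.7  www.example-bank.test
"""

# Addresses that keep traffic on the local machine (127.0.0.1 is what the MVPS file
# uses; 0.0.0.0 and ::1 are accepted as well).
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: fragments of names that should never appear in HOSTS at all, whatever
# the address, because any entry for them can block or redirect security updates.
PROTECTED_HOST_MARKERS = ("windowsupdate", "update.microsoft", "antivirus",
                          "avg", "symantec", "mcafee", "kaspersky", "trendmicro", "mvps.org")


def parse_hosts(text: str) -> List[HostEntry]:
    """HOSTS syntax: '<address> <name> [<name> ...]'; '#' starts a comment."""
    entries: List[HostEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        for name in tokens[1:]:
            entries.append(HostEntry(tokens[0], name.lower(), n))
    return entries


def is_sinkhole(address: str) -> bool:
    if address in SINKHOLE_ADDRESSES:
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_hosts(text: str) -> Dict[str, object]:
    """Count legitimate sinkhole entries and list everything that needs a human look."""
    sinkholed = 0
    findings: List[str] = []
    for e in parse_hosts(text):
        try:
            ipaddress.ip_address(e.address)
        except ValueError:
            findings.append(f"line {e.line_no}: '{e.address}' is not an IP address")
            continue
        if e.hostname == "localhost":
            if not is_sinkhole(e.address):
                findings.append(f"line {e.line_no}: localhost redirected to {e.address}")
            continue
        if any(marker in e.hostname for marker in PROTECTED_HOST_MARKERS):
            findings.append(f"line {e.line_no}: {e.hostname} is a security/update host; "
                            f"its HOSTS entry (-> {e.address}) can block or redirect updates")
        if is_sinkhole(e.address):
            sinkholed += 1
        else:
            findings.append(f"line {e.line_no}: {e.hostname} -> {e.address} sends traffic "
                            f"to another machine (hijack candidate)")
    return {"sinkholed": sinkholed, "findings": findings}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['sinkholed']} sinkhole entries")
    for f in report["findings"]:
        print(f)
```

On the sample the two ad hosts and the antivirus update host count as sinkholes (three), but the update host is still reported because a 127.0.0.1 entry for it is exactly how an infection keeps the antivirus from updating, and the bank entry is reported because it leaves the machine. On XP the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts.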
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 