Luder Infection


59 replies to this topic

#1 Kupuham
Posted 29 March 2008 - 06:38 PM

Hi there,
I'm running Windows XP SP2, and avast!, since last morning there have been multiple detections of an unspecified variation of the Luder worm. Since I saw the warning before having to leave, I couldn't do much then.
So, all I did was disconnect the computer from my home network.

As for other AV programs, I have ZoneAlarm Pro, a², Ad-Aware, Spybot, CCleaner and SpywareBlaster. Unfortunately, I haven't run active scans for 1-2 weeks, as I am not using that machine so much after I bought a new one.

After doing a Google search for the virus, I saw that Dr.Web Scanner was quite recommended, and the results were:
6 instances of "Trojan.Starter.171", which is apparently another name for Luder.
1 Backdoor and a Dloader, apparently from a heuristic analysis (on a hidden folder which I didn't recall existing)
1 "Program.PopcapLoader" (for pop-ups? None showed up)

Later that day, I did a full scan with avast! and it found 300+ detections on exes etc.

So, after being directed by guietman7 to use a fix by Grisoft, I downloaded and ran it. But, in every one of the 5 times I ran it, it suddenly closes down, not leaving any messages or logs behind, nor reporting infections.
After I posted that information, guietman7 redirected me here.
I began to follow the instructions on what to do before posting the log.
Ad-Aware found only 3 tracking cookies. I was unable to update Spybot, it kept saying it could not reach its update server, even though I was sure I could access the internet. The next step was to run one of 3 online scans, I chose TrendMicro, and it found "PE_LUDER.CH", 517 instances of it, but reported that it could not find the mother file. When attempting to clean it, avast kept reporting that it found the virus in what appears to be TrendMicro's temporary folder, as it was named "housecall6.6". Attempting to heal the file yielded no results, and when asked to quarantine the file IE stopped responding. Therefore, I was not able to clean the infection with HouseCall.
I ran McAfee Rootkit Detective, I think it didn't clean anything specific, I will still post the log.
Also, I took the liberty of putting the McAfee log into a Codebox, as it is quite big. If that's somehow against the rules, I'm sorry.

Anyhow, here goes the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:30, on 29/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Avast\aswUpdSv.exe
C:\Arquivos de programas\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\Avast\ashMaiSv.exe
C:\Arquivos de programas\Avast\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\ARQUIV~1\Avast\ashDisp.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Logitech\Profiler\lwemon.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\usuário\Configurações locais\Temporary Internet Files\Content.IE5\DXZ1920A\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Arquivos de programas\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [ActiveMultiwallpaper] C:\Arquivos de programas\ActiveMultiwallpaper\Changer.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188782401593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188782274187
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\ARQUIV~1\ROBOTG~1\Spyberus\RGIEMon.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe

--
End of file - 12682 bytes

And the McAfee Log:
C:\DOCUME~1\USURIO~1\CONFIG~1\Temp\Rar$EX00.391\Rootkit_Detective.exeStatus: VisibleObject-Type: ProcessObject-Name: ashServ.exePid: 2024Object-Path: C:\Arquivos de programas\Avast\ashServ.exeStatus: VisibleObject-Type: ProcessObject-Name: smss.exePid: 632Object-Path: C:\WINDOWS\System32\smss.exeStatus: VisibleObject-Type: ProcessObject-Name: ashWebSv.exePid: 2244Object-Path: C:\Arquivos de programas\Avast\ashWebSv.exeStatus: VisibleObject-Type: ProcessObject-Name: svchost.exePid: 3732Object-Path: C:\WINDOWS\system32\svchost.exeStatus: VisibleObject-Type: ProcessObject-Name: hpwuSchd2.exePid: 2772Object-Path: C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exeStatus: VisibleObject-Type: ProcessObject-Name: svchost.exePid: 3640Object-Path: C:\WINDOWS\system32\drivers\svchost.exeStatus: VisibleObject-Type: ProcessObject-Name: alg.exePid: 2556Object-Path: C:\WINDOWS\System32\alg.exeStatus: VisibleObject-Type: ProcessObject-Name: MOM.exePid: 2928Object-Path: C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXEStatus: VisibleObject-Type: ProcessObject-Name: services.exePid: 760Object-Path: C:\WINDOWS\system32\services.exeStatus: VisibleObject-Type: ProcessObject-Name: svchost.exePid: 948Object-Path: C:\WINDOWS\system32\svchost.exeStatus: VisibleObject-Type: ProcessObject-Name: ctfmon.exePid: 2964Object-Path: C:\WINDOWS\system32\ctfmon.exeStatus: VisibleObject-Type: ProcessObject-Name: svchost.exePid: 1012Object-Path: C:\WINDOWS\system32\svchost.exeStatus: VisibleObject-Type: ProcessObject-Name: SUPERAntiSpywarPid: 3244Object-Path: C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exeStatus: VisibleObject-Type: ProcessObject-Name: vsmon.exePid: 1448Object-Path: C:\WINDOWS\system32\ZoneLabs\vsmon.exeStatus: VisibleObject-Type: ProcessObject-Name: ashDisp.exePid: 2812Object-Path: C:\ARQUIV~1\Avast\ashDisp.exeStatus: VisibleObject-Type: ProcessObject-Name: UT1.6.1.exePid: 2936Object-Path: C:\Documents and 
Settings\usuário\Desktop\Download\UT1.6.1.exeStatus: VisibleObject-Type: ProcessObject-Name: PnkBstrA.exePid: 1356Object-Path: C:\WINDOWS\system32\PnkBstrA.exeStatus: VisibleObject-Type: ProcessObject-Name: hpztsb10.exePid: 2752Object-Path: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exeStatus: VisibleObject-Type: ProcessObject-Name: svchost.exePid: 1668Object-Path: C:\WINDOWS\System32\svchost.exeStatus: VisibleObject-Type: ProcessObject-Name: explorer.exePid: 3652Object-Path: C:\WINDOWS\explorer.exeStatus: VisibleObject-Type: ProcessObject-Name: svchost.exePid: 1080Object-Path: C:\WINDOWS\System32\svchost.exeStatus: VisibleObject-Type: ProcessObject-Name: svchost.exePid: 1236Object-Path: C:\WINDOWS\system32\svchost.exeStatus: VisibleObject-Type: ProcessObject-Name: iexplore.exePid: 1608Object-Path: C:\Arquivos de programas\Internet Explorer\iexplore.exeStatus: VisibleObject-Type: ProcessObject-Name: lsass.exePid: 772Object-Path: C:\WINDOWS\system32\lsass.exeStatus: VisibleObject-Type: ProcessObject-Name: mdm.exePid: 1268Object-Path: C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exeStatus: VisibleObject-Type: ProcessObject-Name: CCC.exePid: 3872Object-Path: C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exeStatus: VisibleObject-Type: ProcessObject-Name: csrss.exePid: 680Object-Path: C:\WINDOWS\system32\csrss.exeStatus: VisibleObject-Type: ProcessObject-Name: notepad.exePid: 3532Object-Path: C:\WINDOWS\system32\NOTEPAD.EXEStatus: VisibleObject-Type: ProcessObject-Name: Rootkit_DetectiPid: 1796Object-Path: C:\DOCUME~1\USURIO~1\CONFIG~1\Temp\Rar$EX00.719\Rootkit_Detective.exeStatus: VisibleScan complete. Hidden registry keys/values: 61



#2 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 11 April 2008 - 09:49 AM

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

I am sorry that we were unable to reply to your post sooner. The forums have been very busy.

If you are still in need of assistance, please scan again with HijackThis and post a fresh log.

Also, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.

Post the fresh HijackThis log and the uninstall list in the body of your next reply.
Member of ASAP (Alliance of Security Analysis Professionals)

#3 Kupuham

Kupuham
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 12 April 2008 - 06:38 PM

Here are the logs:
As there were no complaints, I'm using code boxes again, as the big logs make it hard to check the last post.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26:08, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Avast\aswUpdSv.exe
C:\Arquivos de programas\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\Avast\ashMaiSv.exe
C:\Arquivos de programas\Avast\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe
C:\ARQUIV~1\Avast\ashDisp.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Arquivos de programas\Logitech\Profiler\lwemon.exe
C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\usuário\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Arquivos de programas\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188782401593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188782274187
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_dmno.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe

--
End of file - 12242 bytes

911 - First Responders
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
Ant Renamer
Apple Software Update
ArcSoft PhotoStudio 2000
a-squared Free 3.0
Assistente de Conexão do Windows Live
AsusUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Atualização de Segurança para o Windows Media Player (KB911564)
Atualização de Segurança para o Windows Media Player 10 (KB911565)
Atualização de Segurança para o Windows Media Player 10 (KB917734)
Atualização de Segurança para o Windows Media Player 11 (KB936782)
Atualização de Segurança para o Windows Media Player 6.4 (KB925398)
Atualização de Segurança para Windows Internet Explorer 7 (KB928090)
Atualização de Segurança para Windows Internet Explorer 7 (KB929969)
Atualização de Segurança para Windows Internet Explorer 7 (KB931768)
Atualização de Segurança para Windows Internet Explorer 7 (KB933566)
Atualização de Segurança para Windows Internet Explorer 7 (KB937143)
Atualização de Segurança para Windows Internet Explorer 7 (KB938127)
Atualização de Segurança para Windows XP (KB890046)
Atualização de Segurança para Windows XP (KB893756)
Atualização de Segurança para Windows XP (KB896358)
Atualização de Segurança para Windows XP (KB896423)
Atualização de Segurança para Windows XP (KB896424)
Atualização de Segurança para Windows XP (KB896428)
Atualização de Segurança para Windows XP (KB899587)
Atualização de Segurança para Windows XP (KB899591)
Atualização de Segurança para Windows XP (KB900725)
Atualização de Segurança para Windows XP (KB901017)
Atualização de Segurança para Windows XP (KB901214)
Atualização de Segurança para Windows XP (KB902400)
Atualização de Segurança para Windows XP (KB904706)
Atualização de Segurança para Windows XP (KB905414)
Atualização de Segurança para Windows XP (KB905749)
Atualização de Segurança para Windows XP (KB908519)
Atualização de Segurança para Windows XP (KB911562)
Atualização de Segurança para Windows XP (KB911567)
Atualização de Segurança para Windows XP (KB911927)
Atualização de Segurança para Windows XP (KB912919)
Atualização de Segurança para Windows XP (KB913580)
Atualização de Segurança para Windows XP (KB914388)
Atualização de Segurança para Windows XP (KB914389)
Atualização de Segurança para Windows XP (KB917344)
Atualização de Segurança para Windows XP (KB917422)
Atualização de Segurança para Windows XP (KB917953)
Atualização de Segurança para Windows XP (KB918118)
Atualização de Segurança para Windows XP (KB918439)
Atualização de Segurança para Windows XP (KB918899)
Atualização de Segurança para Windows XP (KB919007)
Atualização de Segurança para Windows XP (KB920213)
Atualização de Segurança para Windows XP (KB920214)
Atualização de Segurança para Windows XP (KB920670)
Atualização de Segurança para Windows XP (KB920683)
Atualização de Segurança para Windows XP (KB920685)
Atualização de Segurança para Windows XP (KB921398)
Atualização de Segurança para Windows XP (KB921503)
Atualização de Segurança para Windows XP (KB921883)
Atualização de Segurança para Windows XP (KB922616)
Atualização de Segurança para Windows XP (KB922819)
Atualização de Segurança para Windows XP (KB923191)
Atualização de Segurança para Windows XP (KB923414)
Atualização de Segurança para Windows XP (KB923694)
Atualização de Segurança para Windows XP (KB923980)
Atualização de Segurança para Windows XP (KB924191)
Atualização de Segurança para Windows XP (KB924270)
Atualização de Segurança para Windows XP (KB924496)
Atualização de Segurança para Windows XP (KB924667)
Atualização de Segurança para Windows XP (KB925486)
Atualização de Segurança para Windows XP (KB925902)
Atualização de Segurança para Windows XP (KB926255)
Atualização de Segurança para Windows XP (KB926436)
Atualização de Segurança para Windows XP (KB927779)
Atualização de Segurança para Windows XP (KB927802)
Atualização de Segurança para Windows XP (KB928255)
Atualização de Segurança para Windows XP (KB928843)
Atualização de Segurança para Windows XP (KB929123)
Atualização de Segurança para Windows XP (KB930178)
Atualização de Segurança para Windows XP (KB931261)
Atualização de Segurança para Windows XP (KB931784)
Atualização de Segurança para Windows XP (KB932168)
Atualização de Segurança para Windows XP (KB933729)
Atualização de Segurança para Windows XP (KB935839)
Atualização de Segurança para Windows XP (KB935840)
Atualização de Segurança para Windows XP (KB936021)
Atualização de Segurança para Windows XP (KB938829)
Atualização de Segurança para Windows XP (KB941568)
Atualização de Segurança para Windows XP (KB941569)
Atualização de Segurança para Windows XP (KB941644)
Atualização de Segurança para Windows XP (KB943055)
Atualização de Segurança para Windows XP (KB943460)
Atualização de Segurança para Windows XP (KB943485)
Atualização de Segurança para Windows XP (KB944653)
Atualização de Segurança para Windows XP (KB946026)
Atualização para Windows XP (KB894391)
Atualização para Windows XP (KB898461)
Atualização para Windows XP (KB900485)
Atualização para Windows XP (KB904942)
Atualização para Windows XP (KB908531)
Atualização para Windows XP (KB910437)
Atualização para Windows XP (KB911280)
Atualização para Windows XP (KB916595)
Atualização para Windows XP (KB920342)
Atualização para Windows XP (KB920872)
Atualização para Windows XP (KB922120)
Atualização para Windows XP (KB922582)
Atualização para Windows XP (KB925720)
Atualização para Windows XP (KB925876)
Atualização para Windows XP (KB927891)
Atualização para Windows XP (KB929338)
Atualização para Windows XP (KB930916)
Atualização para Windows XP (KB931836)
Atualização para Windows XP (KB933360)
Atualização para Windows XP (KB936357)
Atualização para Windows XP (KB938828)
Atualização para Windows XP (KB942763)
Audacity 1.2.6
avast! Antivirus
Battlefield 2(tm)
Battlefield 2: Special Forces
Black & White® 2
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
C-evo
Chinese Traditional Fonts Support For Adobe Reader 8
City Life Deluxe
Combined Community Codec Pack 2007-07-22
Command & Conquer Generals
Community Expansion Pack version 1.01b
CoreAVC Pro (remove only)
Counter-Strike: Condition Zero
DAEMON Tools
DirectVobSub (remove only)
Disc2Phone
DocSmartz Pro v5.1
EZ Macros
F-22 Lightning 3
Galactic Civilizations II
Google Earth
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hitman 2 Silent Assassin
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix para o Windows Media Player 11 (KB939683)
Hotfix para Windows XP (KB914440)
HP Deskjet 3840
HP L1740 Driver Software
HP Update
IRPF2007 - Declaração de Ajuste Anual
Java(tm) 6 Update 3
L&H TTS3000 Português (Brasil)
Logitech Gaming Software
Messenger Plus! Live
Metal Gear Solid
MetalGearSolid2 Substance
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - PTB
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Brazilian Portuguese Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional com FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
MIKSOFT Mobile Media Converter
Mozilla Firefox (2.0.0.9)
Mp3tag v2.38
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
Nero OEM
neroxml
Network Addon Mod Version June 2007
Neverwinter Nights
oggcodecs 0.71.0946
Omni Encoder
Pacote de Idiomas do Português (Brasil) para Microsoft .NET Framework 3.0
PC Probe II
PlayNC Launcher
PowerDVD
Priston Tale
Project64 1.6
Railroad Tycoon 3
RCT3 Soaked
Receitanet 2007
Rise of Nations
RollerCoaster Tycoon® 3
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3 USB Driver Installer
Security Update para o produto Microsoft .NET Framework 2.0 (KB928365)
ShiftWindow 1.02
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
SimCity 4 Rush Hour
Skype™ 3.6
Sony Ericsson PC Suite 1.20.173
SoundMAX
Spyberus
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Star Wars JK II Jedi Outcast
SUPERAntiSpyware Free Edition
SWAT 4
Tom Clancy's Splinter Cell Chaos Theory
Tweak UI
Unlocker 1.8.5
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
VideoLAN VLC media player 0.8.6c
VobSub v2.23 (Remove Only)
Vodafone 804SS USB driver Software
WA Update v3.50 beta2
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (PTB)
Windows Workflow Foundation
Windows Workflow Foundation BR Language Pack
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XML Paper Specification Shared Components Language Pack 1.0
XNote Stopwatch 1.40
Xvid 1.1.3 final uninstall
ZoneAlarm Pro


#4 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 13 April 2008 - 08:42 AM

As there were no complaints, I'm using code boxes again


Yes I should have said something in my prior post. I need you to post the logs in the body of the message. Please repost the logs.
Member of ASAP (Alliance of Security Analysis Professionals)

#5 Kupuham

Kupuham
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 13 April 2008 - 11:55 AM

Here they go again.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26:08, on 12/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Avast\aswUpdSv.exe
C:\Arquivos de programas\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\Avast\ashMaiSv.exe
C:\Arquivos de programas\Avast\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe
C:\ARQUIV~1\Avast\ashDisp.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Arquivos de programas\Logitech\Profiler\lwemon.exe
C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\usuário\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Arquivos de programas\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188782401593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188782274187
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://sympatico.zone.msn.com/bingame/zpag...no.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe

--
End of file - 12242 bytes



911 - First Responders
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
Ant Renamer
Apple Software Update
ArcSoft PhotoStudio 2000
a-squared Free 3.0
Assistente de Conexão do Windows Live
AsusUpdate
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Atualização de Segurança para o Windows Media Player (KB911564)
Atualização de Segurança para o Windows Media Player 10 (KB911565)
Atualização de Segurança para o Windows Media Player 10 (KB917734)
Atualização de Segurança para o Windows Media Player 11 (KB936782)
Atualização de Segurança para o Windows Media Player 6.4 (KB925398)
Atualização de Segurança para Windows Internet Explorer 7 (KB928090)
Atualização de Segurança para Windows Internet Explorer 7 (KB929969)
Atualização de Segurança para Windows Internet Explorer 7 (KB931768)
Atualização de Segurança para Windows Internet Explorer 7 (KB933566)
Atualização de Segurança para Windows Internet Explorer 7 (KB937143)
Atualização de Segurança para Windows Internet Explorer 7 (KB938127)
Atualização de Segurança para Windows XP (KB890046)
Atualização de Segurança para Windows XP (KB893756)
Atualização de Segurança para Windows XP (KB896358)
Atualização de Segurança para Windows XP (KB896423)
Atualização de Segurança para Windows XP (KB896424)
Atualização de Segurança para Windows XP (KB896428)
Atualização de Segurança para Windows XP (KB899587)
Atualização de Segurança para Windows XP (KB899591)
Atualização de Segurança para Windows XP (KB900725)
Atualização de Segurança para Windows XP (KB901017)
Atualização de Segurança para Windows XP (KB901214)
Atualização de Segurança para Windows XP (KB902400)
Atualização de Segurança para Windows XP (KB904706)
Atualização de Segurança para Windows XP (KB905414)
Atualização de Segurança para Windows XP (KB905749)
Atualização de Segurança para Windows XP (KB908519)
Atualização de Segurança para Windows XP (KB911562)
Atualização de Segurança para Windows XP (KB911567)
Atualização de Segurança para Windows XP (KB911927)
Atualização de Segurança para Windows XP (KB912919)
Atualização de Segurança para Windows XP (KB913580)
Atualização de Segurança para Windows XP (KB914388)
Atualização de Segurança para Windows XP (KB914389)
Atualização de Segurança para Windows XP (KB917344)
Atualização de Segurança para Windows XP (KB917422)
Atualização de Segurança para Windows XP (KB917953)
Atualização de Segurança para Windows XP (KB918118)
Atualização de Segurança para Windows XP (KB918439)
Atualização de Segurança para Windows XP (KB918899)
Atualização de Segurança para Windows XP (KB919007)
Atualização de Segurança para Windows XP (KB920213)
Atualização de Segurança para Windows XP (KB920214)
Atualização de Segurança para Windows XP (KB920670)
Atualização de Segurança para Windows XP (KB920683)
Atualização de Segurança para Windows XP (KB920685)
Atualização de Segurança para Windows XP (KB921398)
Atualização de Segurança para Windows XP (KB921503)
Atualização de Segurança para Windows XP (KB921883)
Atualização de Segurança para Windows XP (KB922616)
Atualização de Segurança para Windows XP (KB922819)
Atualização de Segurança para Windows XP (KB923191)
Atualização de Segurança para Windows XP (KB923414)
Atualização de Segurança para Windows XP (KB923694)
Atualização de Segurança para Windows XP (KB923980)
Atualização de Segurança para Windows XP (KB924191)
Atualização de Segurança para Windows XP (KB924270)
Atualização de Segurança para Windows XP (KB924496)
Atualização de Segurança para Windows XP (KB924667)
Atualização de Segurança para Windows XP (KB925486)
Atualização de Segurança para Windows XP (KB925902)
Atualização de Segurança para Windows XP (KB926255)
Atualização de Segurança para Windows XP (KB926436)
Atualização de Segurança para Windows XP (KB927779)
Atualização de Segurança para Windows XP (KB927802)
Atualização de Segurança para Windows XP (KB928255)
Atualização de Segurança para Windows XP (KB928843)
Atualização de Segurança para Windows XP (KB929123)
Atualização de Segurança para Windows XP (KB930178)
Atualização de Segurança para Windows XP (KB931261)
Atualização de Segurança para Windows XP (KB931784)
Atualização de Segurança para Windows XP (KB932168)
Atualização de Segurança para Windows XP (KB933729)
Atualização de Segurança para Windows XP (KB935839)
Atualização de Segurança para Windows XP (KB935840)
Atualização de Segurança para Windows XP (KB936021)
Atualização de Segurança para Windows XP (KB938829)
Atualização de Segurança para Windows XP (KB941568)
Atualização de Segurança para Windows XP (KB941569)
Atualização de Segurança para Windows XP (KB941644)
Atualização de Segurança para Windows XP (KB943055)
Atualização de Segurança para Windows XP (KB943460)
Atualização de Segurança para Windows XP (KB943485)
Atualização de Segurança para Windows XP (KB944653)
Atualização de Segurança para Windows XP (KB946026)
Atualização para Windows XP (KB894391)
Atualização para Windows XP (KB898461)
Atualização para Windows XP (KB900485)
Atualização para Windows XP (KB904942)
Atualização para Windows XP (KB908531)
Atualização para Windows XP (KB910437)
Atualização para Windows XP (KB911280)
Atualização para Windows XP (KB916595)
Atualização para Windows XP (KB920342)
Atualização para Windows XP (KB920872)
Atualização para Windows XP (KB922120)
Atualização para Windows XP (KB922582)
Atualização para Windows XP (KB925720)
Atualização para Windows XP (KB925876)
Atualização para Windows XP (KB927891)
Atualização para Windows XP (KB929338)
Atualização para Windows XP (KB930916)
Atualização para Windows XP (KB931836)
Atualização para Windows XP (KB933360)
Atualização para Windows XP (KB936357)
Atualização para Windows XP (KB938828)
Atualização para Windows XP (KB942763)
Audacity 1.2.6
avast! Antivirus
Battlefield 2™
Battlefield 2: Special Forces
Black & White® 2
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
C-evo
Chinese Traditional Fonts Support For Adobe Reader 8
City Life Deluxe
Combined Community Codec Pack 2007-07-22
Command & Conquer Generals
Community Expansion Pack version 1.01b
CoreAVC Pro (remove only)
Counter-Strike: Condition Zero
DAEMON Tools
DirectVobSub (remove only)
Disc2Phone
DocSmartz Pro v5.1
EZ Macros
F-22 Lightning 3
Galactic Civilizations II
Google Earth
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hitman 2 Silent Assassin
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix para o Windows Media Player 11 (KB939683)
Hotfix para Windows XP (KB914440)
HP Deskjet 3840
HP L1740 Driver Software
HP Update
IRPF2007 - Declaração de Ajuste Anual
Java™ 6 Update 3
L&H TTS3000 Português (Brasil)
Logitech Gaming Software
Messenger Plus! Live
Metal Gear Solid
MetalGearSolid2 Substance
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - PTB
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Brazilian Portuguese Language Pack
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional com FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
MIKSOFT Mobile Media Converter
Mozilla Firefox (2.0.0.9)
Mp3tag v2.38
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
Nero OEM
neroxml
Network Addon Mod Version June 2007
Neverwinter Nights
oggcodecs 0.71.0946
Omni Encoder
Pacote de Idiomas do Português (Brasil) para Microsoft .NET Framework 3.0
PC Probe II
PlayNC Launcher
PowerDVD
Priston Tale
Project64 1.6
Railroad Tycoon 3
RCT3 Soaked
Receitanet 2007
Rise of Nations
RollerCoaster Tycoon® 3
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3 USB Driver Installer
Security Update para o produto Microsoft .NET Framework 2.0 (KB928365)
ShiftWindow 1.02
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
SimCity 4 Rush Hour
Skype™ 3.6
Sony Ericsson PC Suite 1.20.173
SoundMAX
Spyberus
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Star Wars JK II Jedi Outcast
SUPERAntiSpyware Free Edition
SWAT 4
Tom Clancy's Splinter Cell Chaos Theory
Tweak UI
Unlocker 1.8.5
VIA Platform Device Manager
VIA Rhine-Family Fast-Ethernet Adapter
VideoLAN VLC media player 0.8.6c
VobSub v2.23 (Remove Only)
Vodafone 804SS USB driver Software
WA Update v3.50 beta2
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Presentation Foundation Language Pack (PTB)
Windows Workflow Foundation
Windows Workflow Foundation BR Language Pack
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
XML Paper Specification Shared Components Language Pack 1.0
XNote Stopwatch 1.40
Xvid 1.1.3 final uninstall
ZoneAlarm Pro
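
In the HijackThis log above, the O23 entry for Automatic Updates (wuauserv) points at C:\WINDOWS\system32\drivers\svchost.exe rather than the usual C:\WINDOWS\system32\svchost.exe, which is the kind of detail that is easy to miss in a long log. The following Python script is an added example, not part of this thread and not code from HijackThis, Malwarebytes or DSS: it parses O23 lines and flags well-known Windows binary names that a service runs from an unexpected directory. The expected-directory table, the function names and the benign "Example Host" sample entry are this example's own assumptions; the other two sample lines are copied from the log above.

```python
"""Flag HijackThis O23 service entries whose image is a well-known Windows
binary name running from somewhere other than its normal directory.

Added example for this thread; it is not part of HijackThis, Malwarebytes or
DSS. The expected-directory table and the helper names are this example's own
assumptions, written for a Windows XP layout like the one in the log above.
"""
import re
from ntpath import basename, dirname  # Windows path rules, usable on any OS

# Core Windows XP binaries and the single directory each belongs in. A file
# with one of these names anywhere else (e.g. system32\drivers\svchost.exe in
# the log above) is worth a close look, whatever its service name claims.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# O23 - Service: <display name> [(<short name>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?: \(file missing\))?$"
)


def parse_o23(line):
    """Return the fields of one O23 line as a dict, or None for any other line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def image_path(command_line):
    """Strip quotes and arguments (e.g. '-k netsvcs') from a service command line."""
    m = re.match(r'\s*"?(?P<exe>.+?\.exe)"?', command_line, re.IGNORECASE)
    return m.group("exe") if m else command_line.strip().strip('"')


def check_image_path(command_line):
    """Return a list of findings for one service image path (empty if none)."""
    path = image_path(command_line)
    name = basename(path).lower()
    folder = dirname(path).lower()
    expected = EXPECTED_DIR.get(name)
    if expected is None or folder == expected:
        return []
    return [f"{name} belongs in {expected} but this service runs it from {folder}"]


def scan_log(text):
    """Return [(service label, finding), ...] for every suspicious O23 entry."""
    hits = []
    for line in text.splitlines():
        fields = parse_o23(line)
        if fields is None:
            continue  # not an O23 line; other HijackThis sections are ignored
        label = fields["short"] or fields["display"]
        for finding in check_image_path(fields["path"]):
            hits.append((label, finding))
    return hits


# Constructed sample: the first two O23 lines are copied from the HijackThis
# log above; the third is a made-up benign entry showing the normal location,
# and the O4 line shows that other sections are skipped.
SAMPLE_LOG = r"""
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe
O23 - Service: Example Host (exsvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for label, finding in scan_log(SAMPLE_LOG):
        print(f"[{label}] {finding}")
```

Run against the sample, only the wuauserv entry is reported; the vsmon service is not in the table and the constructed svchost.exe entry runs from system32, so both pass. The table only covers the handful of names that are routinely imitated; extend it for the binaries that matter on the system being examined.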

#6 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • OFFLINE
  • Local time:07:47 AM

Posted 14 April 2008 - 05:51 AM

Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  • Double click on mbam-setup.exe to install it.
  • Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  • Select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items and click on Remove Selected.
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

Please post the Malwarebytes' Anti-Malware log along with the contents of main.txt and extra.txt.
Member of ASAP (Alliance of Security Analysis Professionals)

#7 Kupuham

Kupuham
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:09:47 AM

Posted 14 April 2008 - 10:19 PM

I apologise for the Malwarebytes' Anti-Malware log being in Portuguese, as I accidentally accepted installation like that. As I did not have time to redo the scan, I will post it like this anyway.

Malwarebytes' Anti-Malware 1.11
Versão do banco de dados: 599

Tipo de Verificação: Completa (C:\|)
Objetos verificados: 309094
Tempo decorrido: 1 hour(s), 25 minute(s), 30 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 13
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 3

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PopCapLoader.PopCapLoaderCtrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wuauserv (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.ini (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Deckard's System Scanner v20071014.68
Run by usuário on 2008-04-14 23:14:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-04-15 02:14:12 UTC - RP233 - Deckard's System Scanner Restore Point
5: 2008-03-29 22:55:54 UTC - RP232 - Software Distribution Service 3.0
4: 2008-03-29 22:44:25 UTC - RP231 - Software Distribution Service 3.0
3: 2008-03-21 04:32:21 UTC - RP230 - Ponto de verificação do sistema
2: 2008-03-20 02:14:29 UTC - RP229 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-03-20 00:52:29 UTC - RP228 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as usuário.exe) ---------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-14 23:18:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.0.5730.11)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Avast\aswUpdSv.exe
C:\Arquivos de programas\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\gbpsv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\Avast\ashMaiSv.exe
C:\Arquivos de programas\Avast\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Arquivos de programas\Avast\ashDisp.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Arquivos de programas\Logitech\Profiler\LWEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\usuário\Desktop\PC Diag\dss.exe
C:\Documents and Settings\usuário\Desktop\usuário.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Arquivos de programas\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} () - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188782401593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188782274187
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://sympatico.zone.msn.com/bingame/zpag...no.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Arquivos de programas\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Arquivos de programas\Arquivos comuns\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\gbpsv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\wmpnetwk.exe


--
End of file - 13078 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 d344bus - c:\windows\system32\drivers\d344bus.sys
R0 d344prt - c:\windows\system32\drivers\d344prt.sys
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 AsIO - c:\windows\system32\drivers\asio.sys
R2 atksgt - c:\windows\system32\drivers\atksgt.sys
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R2 npkcrypt - c:\arquivos de programas\jogos\priston tale\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R2 ScFBPNT3 (CanoScan FBP3 Port Driver) - c:\windows\system32\drivers\scfbpnt3.sys
R3 SASENUM - c:\arquivos de programas\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 ATITool (ATITool Overclocking Utility) - c:\windows\system32\drivers\atitool.sys <Not Verified; ; Low-Level Driver>
S1 RGProtect (Robot Genius System Filter Driver) - c:\arquivos de programas\robot genius\spyberus\rgprotect.sys (file missing)
S3 01b12 - c:\windows\system32\01b12.sys (file missing)
S3 1a93 - c:\windows\system32\1a93.sys (file missing)
S3 3a214 - c:\windows\system32\3a214.sys (file missing)
S3 3c81C - c:\windows\system32\3c81c.sys (file missing)
S3 4088 - c:\windows\system32\4088.sys (file missing)
S3 5931F - c:\windows\system32\5931f.sys (file missing)
S3 68a13 - c:\windows\system32\68a13.sys (file missing)
S3 70916 - c:\windows\system32\70916.sys (file missing)
S3 7eeC - c:\windows\system32\7eec.sys (file missing)
S3 90c1A - c:\windows\system32\90c1a.sys (file missing)
S3 91dF - c:\windows\system32\91df.sys (file missing)
S3 936A - c:\windows\system32\936a.sys (file missing)
S3 99b2 - c:\windows\system32\99b2.sys (file missing)
S3 a4a18 - c:\windows\system32\a4a18.sys (file missing)
S3 af11B - c:\windows\system32\af11b.sys (file missing)
S3 b1017 - c:\windows\system32\b1017.sys (file missing)
S3 b1bB - c:\windows\system32\b1bb.sys (file missing)
S3 b7a7 - c:\windows\system32\b7a7.sys (file missing)
S3 c0220 - c:\windows\system32\c0220.sys (file missing)
S3 d051E - c:\windows\system32\d051e.sys (file missing)
S3 dbustrcm - c:\docume~1\usurio~1\config~1\temp\dbustrcm.sys (file missing)
S3 e6cE - c:\windows\system32\e6ce.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ec14 - c:\windows\system32\ec14.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 f4610 - c:\windows\system32\f4610.sys (file missing)
S3 ff06 - c:\windows\system32\ff06.sys (file missing)
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys (file missing)
S3 VICESYS - c:\docume~1\usurio~1\config~1\temp\rar$ex00.734\exe\vicesys.sys (file missing)
S3 XDva031 - c:\windows\system32\xdva031.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NMIndexingService - "c:\arquivos de programas\arquivos comuns\ahead\lib\nmindexingservice.exe" (file missing)
S3 WLSetupSvc (Windows Live Setup Service) - "c:\arquivos de programas\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-07 22:00:05 3913 --a------ C:\Start_.cmd
2008-04-07 22:00:05 0 d-------- C:\327882R2FWJFW
2008-04-07 21:23:37 1613559 --a------ C:\ComboFix.exe
2008-04-07 20:57:28 0 dr-h----- C:\Documents and Settings\usuário\Recent
2008-03-20 22:41:41 0 d-------- C:\Documents and Settings\usuário\.housecall6.6
2008-03-19 23:14:31 0 d-------- C:\Arquivos de programas\SUPERAntiSpyware
2008-03-19 21:48:52 0 d-------- C:\Documents and Settings\usuário\DoctorWeb
2008-03-19 00:54:55 49152 --ahs---- C:\WINDOWS\system\qqkkm.exe


-- Find3M Report ---------------------------------------------------------------

2008-04-14 21:30:25 0 d-------- C:\Documents and Settings\usuário\Dados de aplicativos\uTorrent
2008-04-14 21:29:23 0 d-------- C:\Documents and Settings\usuário\Dados de aplicativos\Malwarebytes
2008-04-07 22:28:32 0 d-------- C:\Arquivos de programas\Avast
2008-04-07 21:42:29 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-07 20:54:56 0 d-------- C:\Arquivos de programas\CCleaner
2008-03-29 20:30:40 0 d-------- C:\Arquivos de programas\Windows Media Connect 2
2008-03-20 20:46:59 0 d-------- C:\Arquivos de programas\Ad-Aware SE Personal
2008-03-19 23:14:31 0 d-------- C:\Documents and Settings\usuário\Dados de aplicativos\SUPERAntiSpyware.com
2008-03-19 23:13:45 0 d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-03-16 23:16:54 0 d-------- C:\Arquivos de programas\Jogos
2008-03-10 16:58:06 0 d-------- C:\Documents and Settings\usuário\Dados de aplicativos\Adobe
2008-02-18 21:07:53 469136 --a------ C:\WINDOWS\system32\perfh016.dat
2008-02-18 21:07:53 78760 --a------ C:\WINDOWS\system32\perfc016.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [04/03/2004 12:46]
"HP Component Manager"="C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [22/12/2003 07:38]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [27/10/2004 14:21 C:\WINDOWS\system32\HdAShCut.exe]
"HP Software Update"="C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [16/02/2005 23:11]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12/01/2006 14:40]
"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 19:51]
"avast!"="C:\ARQUIV~1\Avast\ashDisp.exe" [04/12/2007 10:00]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 15:05]
"StartCCC"="C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [20/03/2008 16:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="C:\Arquivos de programas\Logitech\Profiler\lwemon.exe" [09/08/2006 18:18]
"µTorrent"="C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/03/2006 09:00]
"SUPERAntiSpyware"="C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/02/2008 16:03]
"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{A3717295-941D-416F-9384-ED1736729F1C}"= C:\Arquivos de programas\Scpad\scpLIB.dll [27/03/2007 01:29 128512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\Arquivos de programas\GbPlugin\gbieh.dll [06/11/2007 10:23 209224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Arquivos de programas\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"CompIBBrd"= {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll [27/03/2007 01:29 128512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 294912 C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rgprotect.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\ARQUIV~1\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Arquivos de programas\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
"C:\Arquivos de programas\Octoshape Streaming Services\usuário\OctoshapeClient.exe" -inv:bootrun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Arquivos de programas\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Arquivos de programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Arquivos de programas\Jogos\Counter Strike\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NBService"=3 (0x3)
"InCDsrv"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
Auto\command- G:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ea88d48-4d02-11dc-9486-00064f37fd9e}]
AutoRun\command- F:\MBVolCrypt.exe




-- End of Deckard's System Scanner: finished at 2008-04-15 00:07:00 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 1023.2 MiB / 535.29 MiB
Pagefile Memory (total/avail): 2463.41 MiB / 2026.55 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.99 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 152.66 GiB total, 22.36 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6L160M0 - 152.66 GiB - 1 partition
\PARTITION0 (bootable) - Sistema de arquivos instalável - 152.66 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Pro Firewall v7.0.462.000 (Check Point, LTD.)
AV: avast! antivirus 4.7.1098 [VPS 080407-1] v4.7.1098 (ALWIL Software) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Arquivos de programas\\Jogos\\Battlefield 2\\BF2.exe"="C:\\Arquivos de programas\\Jogos\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"="C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe:*:Enabled:Sid Meier's Civilization 4 Warlords"
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"="C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Pitboss"
"C:\\Arquivos de programas\\Jogos\\Age of Empires III\\age3x.exe"="C:\\Arquivos de programas\\Jogos\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\\Arquivos de programas\\uTorrent\\utorrent.exe"="C:\\Arquivos de programas\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Arquivos de programas\\Jogos\\Rise of Nations\\thrones.exe"="C:\\Arquivos de programas\\Jogos\\Rise of Nations\\thrones.exe:*:Enabled:Rise of Nations"
"C:\\Documents and Settings\\usuário\\Desktop\\Download\\UT1.6.1.exe"="C:\\Documents and Settings\\usuário\\Desktop\\Download\\UT1.6.1.exe:*:Enabled:µTorrent"
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"="C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword"
"C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"="C:\\Arquivos de programas\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe:*:Enabled:Sid Meier's Civilization 4 Beyond the Sword Pitboss"
"C:\\Arquivos de programas\\Jogos\\Age of Empires III\\age3y.exe"="C:\\Arquivos de programas\\Jogos\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"="C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\usuário\Dados de aplicativos
CLIENTNAME=Console
CommonProgramFiles=C:\Arquivos de programas\Arquivos comuns
COMPUTERNAME=JEFFERSON-PC
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\usuário
LOGONSERVER=\\JEFFERSON-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Arquivos de programas\Arquivos comuns\Teleca Shared;C:\Arquivos de programas\Samsung\Samsung PC Studio 3;C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static;C:\WINDOWS\system32\gs\gs7.05\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Arquivos de programas
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\USURIO~1\CONFIG~1\Temp
TMP=C:\DOCUME~1\USURIO~1\CONFIG~1\Temp
tvdumpflags=8
USERDOMAIN=JEFFERSON-PC
USERNAME=usuário
USERPROFILE=C:\Documents and Settings\usuário
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

usuário (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
911 - First Responders --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{80AE0E0A-5579-4015-9C1A-35F2F2CE5673}\setup.exe" -l0x9
a-squared Free 3.0 --> "C:\Arquivos de programas\Anti Spyware\a-squared Free\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Empires III --> C:\ARQUIV~1\ARQUIV~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Age of Empires III - The Asian Dynasties --> C:\Arquivos de programas\InstallShield Installation Information\{C43C1415-3DFC-4089-9A32-0BECF28A6046}\setup.exe -runfromtemp -l0x0409
Age of Empires III - The WarChiefs --> C:\ARQUIV~1\ARQUIV~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1C08A24C-B168-407E-A826-68FAF5F20710}
Ant Renamer --> "C:\Arquivos de programas\Ant Renamer\unins000.exe"
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
ArcSoft PhotoStudio 2000 --> C:\WINDOWS\IsUn0416.exe -f"C:\Arquivos de programas\Scanner\PhotoStudio 2000\Uninst.isu"
Assistente de Conexão do Windows Live --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
AsusUpdate --> C:\WINDOWS\IsUninst.exe -f"C:\Arquivos de programas\ASUS\AsusUpdate\Uninst.isu"
ATI - Software Uninstall Utility --> C:\Arquivos de programas\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x5357
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Atualização de Segurança para Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911567) --> "C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918899) --> "C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920214) --> "C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB921398) --> "C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB921883) --> "C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB922616) --> "C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB925486) --> "C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Atualização para Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Atualização para Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Atualização para Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Atualização para Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Atualização para Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Atualização para Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Atualização para Windows XP (KB911164) -->
Atualização para Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Atualização para Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Atualização para Windows XP (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Atualização para Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Atualização para Windows XP (KB922120) --> "C:\WINDOWS\$NtUninstallKB922120$\spuninst\spuninst.exe"
Atualização para Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Atualização para Windows XP (KB925720) --> "C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Atualização para Windows XP (KB925876) --> "C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Atualização para Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Atualização para Windows XP (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Atualização para Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Atualização para Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Atualização para Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Atualização para Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Atualização para Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Atualização para Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Audacity 1.2.6 --> "C:\Arquivos de programas\Audacity\unins000.exe"
avast! Antivirus --> rundll32 C:\ARQUIV~1\Avast\Setup\setiface.dll,RunSetup
Battlefield 2™ --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}\setup.exe" -l0x9 -removeonly
Battlefield 2: Special Forces --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{50D4CB89-AF34-4978-96DC-C3034062E901}\setup.exe" -l0x9 -removeonly
Black & White® 2 --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{D9E52CD1-9DF1-4A8A-9BDC-1E5E53982F2B}\setup.exe" -l0x9 -removeonly
C-evo --> C:\WINDOWS\system32\UniClear.exe -f"C:\Arquivos de programas\C-evo" -f"C:\Documents and Settings\usuário\Menu Iniciar\Programas\C-evo.lnk" -u"Software\cevo" -m"Software\Microsoft\Windows\CurrentVersion\Uninstall\C-evo" -c".cEvo" -c"cEvoBook"
Canon CanoCraft CS-P 3.8 --> C:\WINDOWS\IsUn0416.exe -f"C:\Arquivos de programas\Scanner\CanoCraft CS-P 3.8\Uninst.isu" -c"C:\Arquivos de programas\Scanner\CanoCraft CS-P 3.8\scuninst.dll"
Canon ScanGear Toolbox CS 2.2 --> C:\WINDOWS\IsUn0416.exe -f"C:\Arquivos de programas\Scanner\ScanGear Toolbox CS\Uninst.isu" -c"C:\Arquivos de programas\Scanner\ScanGear Toolbox CS\uninst.dll"
CCleaner (remove only) --> "C:\Arquivos de programas\CCleaner\uninst.exe"
Chinese Traditional Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-2448-0000-800000000003}
City Life Deluxe --> C:\Arquivos de programas\Jogos\City Life Deluxe\uninst.exe
Combined Community Codec Pack 2007-07-22 --> "C:\Arquivos de programas\Combined Community Codec Pack\unins000.exe"
Command & Conquer Generals --> C:\ARQUIV~1\ARQUIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Community Expansion Pack version 1.01b --> "C:\Arquivos de programas\Jogos\Neverwinter Nights\unins000.exe"
CoreAVC Pro (remove only) --> "C:\Arquivos de programas\CoreAVC Pro\CoreAVC Pro-uninstall.exe"
Counter-Strike: Condition Zero --> C:\ARQUIV~1\Jogos\COUNTE~1\CONDIT~1\UNWISE.EXE C:\ARQUIV~1\Jogos\COUNTE~1\CONDIT~1\INSTALL.LOG
DAEMON Tools --> MsiExec.exe /I{83895843-3A51-4C93-9DF3-2BDB65C7E54A}
DirectVobSub (remove only) --> "C:\Arquivos de programas\DirectVobSub\uninstall.exe"
Disc2Phone --> MsiExec.exe /I{6E65247F-58F9-41CA-BE69-0316F7907170}
DocSmartz Pro v5.1 --> C:\ARQUIV~1\DOCSMA~1\UNWISE.EXE /A C:\ARQUIV~1\DOCSMA~1\INSTALL.LOG
EZ Macros --> C:\WINDOWS\amuninst.exe -fC:\WINDOWS\unezmac.ini
F-22 Lightning 3 --> C:\WINDOWS\IsUninst.exe -f"C:\Arquivos de programas\NovaLogic\F-22 Lightning 3\Uninst.isu"
Galactic Civilizations II --> C:\ARQUIV~1\Jogos\GALACT~1\UNWISE.EXE C:\ARQUIV~1\Jogos\GALACT~1\INSTALL.LOG
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\usuário\Desktop\HijackThis.exe" /uninstall
Hitman 2 Silent Assassin --> C:\ARQUIVOS DE PROGRAMAS\JOGOS\Hitman 2\Uninstal.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix para Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
HP Deskjet 3840 --> msiexec /x{B1591C79-1C35-4E09-AA15-F7D6923AFB96}
HP L1740 Driver Software --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{B7799EB2-9F02-4C55-BD63-109501FB321E}\setup.exe" -l0x416
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
IRPF2007 - Declaração de Ajuste Anual --> C:\ARQUIV~1\PROGRA~1\IRPF2007\UNWISE.EXE C:\ARQUIV~1\PROGRA~1\IRPF2007\INSTALL.LOG
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
L&H TTS3000 Português (Brasil) --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSPTB.inf, Uninstall
Logitech Gaming Software --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{13AA6556-BA96-4468-A8B4-1AD4A75AD5A0}\setup.exe" -l0x9 -removeonly
Malwarebytes' Anti-Malware --> "C:\Documents and Settings\Default User\Desktop\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live --> "C:\Arquivos de programas\Messenger Plus! Live\Uninstall.exe"
Metal Gear Solid --> C:\Arquivos de programas\Jogos\Metal Gear Solid\Uninstal.exe
MetalGearSolid2 Substance --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{2184D9EA-4E5B-43FD-914E-4563CF028C94}\setup.exe" -l0x9
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional com FrontPage --> MsiExec.exe /I{90280416-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
MIKSOFT Mobile Media Converter --> "C:\Arquivos de programas\Mobile Media Converter\unins000.exe"
Mozilla Firefox (2.0.0.9) --> C:\Arquivos de programas\Mozilla Firefox\uninstall\helper.exe
Mp3tag v2.38 --> C:\Arquivos de programas\Mp3tag\Mp3tagUninstall.EXE
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nero OEM --> C:\Arquivos de programas\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Network Addon Mod Version June 2007 --> C:\Documents and Settings\usuário\Meus documentos\SimCity 4\Plugins\Network Addon Mod\uninst.exe
Neverwinter Nights --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{7C503E58-B2BC-11D5-978A-0050BA84F5F7}\Setup.exe" -l0x9
oggcodecs 0.71.0946 --> C:\Arquivos de programas\Oggcodecs\uninst.exe
Omni Encoder --> MsiExec.exe /I{9D7F44AB-D882-4C38-A8B1-3127A07A1DBA}
PC Probe II --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
PlayNC Launcher --> C:\Arquivos de programas\InstallShield Installation Information\{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}\setup.exe -runfromtemp -l0x0009 -removeonly
PowerDVD --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Priston Tale --> C:\Arquivos de programas\Jogos\Priston Tale\uninstall.exe
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
Railroad Tycoon 3 --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{DE29025A-091F-4998-AD2D-24C84421190F}\setup.exe" -l0x9
RCT3 Soaked --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{EA926717-CE5A-4CB4-AB21-9E6E9565A458}\setup.exe" -l0x9
Receitanet 2007 --> C:\WINDOWS\DesinstRecnet.exe
Rise of Nations --> "C:\Arquivos de programas\Jogos\Rise of Nations\Uninstal.exe" /runtemp /uninstall
RollerCoaster Tycoon® 3 --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\Setup.exe" -l0x9
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 USB Driver Installer --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x416 -removeonly
ShiftWindow 1.02 --> "C:\Arquivos de programas\ShiftWindow\unins000.exe"
Sid Meier's Civilization 4 --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Sid Meier's Civilization 4 - Beyond the Sword --> C:\Arquivos de programas\InstallShield Installation Information\{32E4F0D2-C135-475E-A841-1D59A0D22989}\setup.exe -runfromtemp -l0x0009 -removeonly
Sid Meier's Civilization 4 - Warlords --> C:\Arquivos de programas\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\setup.exe -runfromtemp -l0x0009 -removeonly
SimCity 4 Rush Hour --> C:\Arquivos de programas\Jogos\SimCity 4\EAUninstall.exe
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony Ericsson PC Suite 1.20.173 --> MsiExec.exe /I{C5ADA65A-7828-4D85-B071-ECC52B51F794}
SoundMAX --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x416 -removeonly
Spyberus --> MsiExec.exe /I{331A1B33-2973-4735-8E76-D75B3A43AD65}
Spybot - Search & Destroy --> "C:\Arquivos de programas\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.4 --> "C:\Arquivos de programas\Spybot\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Arquivos de programas\Anti Spyware\SpywareBlaster\unins000.exe"
Star Wars JK II Jedi Outcast --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{576E71DA-3000-48F6-9B21-B9A70D47DFCF}\Setup.exe"
Sun Download Manager 2.0 (web) --> C:\WINDOWS\system32\javaws.exe -uninstall "http://javadl-esd.sun.com/update/sdm20/sdm20.jnlp"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SWAT 4 --> C:\ARQUIV~1\ARQUIV~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8} uninstall
Tom Clancy's Splinter Cell Chaos Theory --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{BABAEBE4-9FFB-4B5D-9453-64FF11517CA2}\setup.exe" -l0x9 -removeonly
Tweak UI --> "C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Unlocker 1.8.5 --> C:\Arquivos de programas\Unlocker\uninst.exe
VIA Platform Device Manager --> C:\ARQUIV~1\ARQUIV~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast-Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VideoLAN VLC media player 0.8.6c --> C:\Arquivos de programas\VLC\uninstall.exe
VobSub v2.23 (Remove Only) --> "C:\Arquivos de programas\Gabest\VobSub\uninstall.exe"
Vodafone 804SS USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\4\SSVDUninstall.exe
WA Update v3.50 beta2 --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{9BE2669E-2BD8-4164-A8B5-C904C864B403}\Setup.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{3A417047-2E30-4D05-8977-F706D40BFF39}
Windows Live Messenger --> MsiExec.exe /X{8EADB73B-026D-4978-A8F0-1EEF5E1ECEC7}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Presentation Foundation Language Pack (PTB) --> MsiExec.exe /X{93676FC6-C7DB-45A6-A62B-74A324F17313}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows Workflow Foundation BR Language Pack --> MsiExec.exe /I{6A288CAE-32D0-4CA7-8166-210D380A8045}
WinRAR archiver --> C:\Arquivos de programas\WinRAR\uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->
XNote Stopwatch 1.40 --> C:\Arquivos de programas\XNote Stopwatch\uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Arquivos de programas\Xvid\unins000.exe"
ZoneAlarm Pro --> C:\Arquivos de programas\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type11502 / Error
Event Submitted/Written: 04/07/2008 09:49:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha gspas.exe, versão 0.0.0.0, módulo com falha gspas.exe, versão 0.0.0.0, endereço com falha 0x0000c566.
Processando evento específico de mídia para [gspas.exe!ws!]

Event Record #/Type11501 / Error
Event Submitted/Written: 04/07/2008 09:49:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha zgccx.exe, versão 0.0.0.0, módulo com falha zgccx.exe, versão 0.0.0.0, endereço com falha 0x0000c566.
Processando evento específico de mídia para [zgccx.exe!ws!]

Event Record #/Type11498 / Error
Event Submitted/Written: 04/07/2008 09:35:28 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha ykcgm.exe, versão 0.0.0.0, módulo com falha ykcgm.exe, versão 0.0.0.0, endereço com falha 0x0000c566.
Processando evento específico de mídia para [ykcgm.exe!ws!]

Event Record #/Type11496 / Warning
Event Submitted/Written: 04/07/2008 09:34:47 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detecção de produto '{90280416-6000-11D3-8CFE-0050048383C9}', recurso 'ProductNonBootFiles' falhou durante solicitação do componente '{DD68FEE8-C369-11D1-A173-00A0C90AB50F}'

Event Record #/Type11495 / Warning
Event Submitted/Written: 04/07/2008 09:34:47 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detecção de produto '{90280416-6000-11D3-8CFE-0050048383C9}', recurso 'ProductNonBootFiles', componente '{BF83B9A4-DF02-11D1-9395-00A0C90F27F9}' falhou. O recurso 'C:\WINDOWS\system32\MSRDO20.DLL' não existe.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14489 / Error
Event Submitted/Written: 04/14/2008 09:25:37 PM
Event ID/Source: 10000 / DCOM
Event Description:
Não foi possível iniciar o servidor DCOM: {CD79C623-E1B7-47CF-A685-2E8A882BA3F8}.
O erro:
"%%5"
Aconteceu ao iniciar este comando:
"C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe" -Embedding

Event Record #/Type14488 / Error
Event Submitted/Written: 04/14/2008 09:22:08 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type14466 / Error
Event Submitted/Written: 04/14/2008 09:21:08 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
Falha ao carregar o(s) seguinte(s) driver(s) de início do sistema ou de inicialização:
RGProtect

Event Record #/Type14465 / Error
Event Submitted/Written: 04/14/2008 09:20:19 PM / 04/14/2008 09:20:42 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type

Event Record #/Type14463 / Error
Event Submitted/Written: 04/14/2008 09:19:42 PM / 04/14/2008 09:20:42 PM
Event ID/Source: 4 / sptd
Event Description:
O driver detectou um erro interno nas estruturas de dados para .



-- End of Deckard's System Scanner: finished at 2008-04-15 00:07:00 ------------
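
The three Application Error records in the log above show the pattern a helper looks for: randomly named executables reporting version 0.0.0.0, each faulting inside its own image at the same address 0x0000c566. The following Python script is an added example (not a tool used in this thread) that parses event records in the layout Deckard's System Scanner prints, in both the Portuguese wording quoted above and the English wording of the same XP event, and flags such clusters; the firefox.exe record, its record number and timestamp are constructed.

```python
"""Triage Windows XP Application Event Log records (as Deckard's System
Scanner prints them) for crashes that fit dropped worm copies: an Event
ID 1000 crash of an executable reporting version 0.0.0.0 that faults in
its own image, and several differently named executables sharing one
fault offset, which points at renamed copies of a single binary."""
import re
from collections import defaultdict

# Constructed sample: the three Application Error records quoted from the
# Deckard's log in this thread, plus one made-up benign crash (record
# 11490, firefox.exe, English wording) that must NOT be flagged.
SAMPLE_LOG = """\
Event Record #/Type11502 / Error
Event Submitted/Written: 04/07/2008 09:49:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha gspas.exe, versão 0.0.0.0, módulo com falha gspas.exe, versão 0.0.0.0, endereço com falha 0x0000c566.

Event Record #/Type11501 / Error
Event Submitted/Written: 04/07/2008 09:49:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha zgccx.exe, versão 0.0.0.0, módulo com falha zgccx.exe, versão 0.0.0.0, endereço com falha 0x0000c566.

Event Record #/Type11498 / Error
Event Submitted/Written: 04/07/2008 09:35:28 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha ykcgm.exe, versão 0.0.0.0, módulo com falha ykcgm.exe, versão 0.0.0.0, endereço com falha 0x0000c566.

Event Record #/Type11490 / Error
Event Submitted/Written: 04/07/2008 08:12:03 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 2.0.0.9, faulting module xul.dll, version 1.8.1.9, fault address 0x0012abcd.
"""

_EVENT_ID = re.compile(r"Event ID/Source:\s*(\d+)\s*/\s*(.+)")
_WRITTEN = re.compile(r"Event Submitted/Written:\s*(.+)")
# Event 1000 text as XP writes it in Portuguese (this thread) and English;
# groups: app, app version, module, module version, fault address.
_CRASH_PATTERNS = [
    re.compile(r"Aplicativo com falha (\S+), versão (\S+), módulo com falha (\S+), "
               r"versão (\S+), endereço com falha (0x[0-9A-Fa-f]+)"),
    re.compile(r"Faulting application (\S+), version (\S+), faulting module (\S+), "
               r"version (\S+), fault address (0x[0-9A-Fa-f]+)"),
]


def parse_records(text):
    """Split the dump on blank lines; one dict per event record, with a
    'crash' sub-dict filled in for Event ID 1000 entries."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ident = _EVENT_ID.search(chunk)
        if not ident:
            continue  # section banner or other non-record text
        written = _WRITTEN.search(chunk)
        rec = {"event_id": int(ident.group(1)), "source": ident.group(2).strip(),
               "written": written.group(1).strip() if written else "", "crash": None}
        if rec["event_id"] == 1000:
            for pattern in _CRASH_PATTERNS:
                hit = pattern.search(chunk)
                if hit:
                    app, app_ver, module, mod_ver, address = hit.groups()
                    rec["crash"] = {"app": app, "app_ver": app_ver, "module": module,
                                    "mod_ver": mod_ver, "address": address.lower()}
                    break
        records.append(rec)
    return records


def find_suspicious_crashes(records):
    """Keep crashes of unversioned executables that fault inside their own image."""
    return [dict(rec["crash"], written=rec["written"]) for rec in records
            if rec["crash"] and rec["crash"]["app_ver"] == "0.0.0.0"
            and rec["crash"]["module"].lower() == rec["crash"]["app"].lower()]


def cluster_by_fault_address(crashes, min_names=2):
    """Fault address -> sorted executable names, kept only where at least
    `min_names` distinct names share the address (renamed copies)."""
    names_by_address = defaultdict(set)
    for crash in crashes:
        names_by_address[crash["address"]].add(crash["app"].lower())
    return {address: sorted(names) for address, names in names_by_address.items()
            if len(names) >= min_names}


if __name__ == "__main__":
    flagged = find_suspicious_crashes(parse_records(SAMPLE_LOG))
    for crash in flagged:
        print(f"{crash['written']}: {crash['app']} faulted at {crash['address']}")
    for address, names in cluster_by_fault_address(flagged).items():
        print(f"{len(names)} differently named binaries share fault address "
              f"{address}: {', '.join(names)} -> likely copies of one file")
```

The same parser can be pointed at the full Application Event Log section of a Deckard's report; a benign crash such as the firefox.exe record is parsed but never flagged, because it carries real version numbers and faults in a separate module.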

#8 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • Local time:07:47 AM

Posted 15 April 2008 - 07:05 PM

Your antivirus is outdated!
Your log indicates that you are using Avast! antivirus 4.7.1098. The current version is 4.8.1169 and is available HERE.
Please update your antivirus software now.

Next, enable the Show Hidden Folders option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

The Deckard's log indicates that you use removable drives. It is possible that they could be infected and I would like you to see if you can find the files on those drives (identified in the log as G: and F:) so that they can be scanned in the next step.

Upload malware for scanning
I'd like you to check a file/some files for malware.

C:\WINDOWS\system\qqkkm.exe
G:\setup.exe
F:\MBVolCrypt.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Repeat for all files on the list.
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon. Read the disclaimer and click OK.
  • Click on the Scan button.
  • Place a checkmark next to the following entries:

    .reg
    .scr

  • Click the Fix button.
  • Re-scan and save a logfile. By default, it will save as daft.txt.
Post the contents of that logfile with your next post.


I can see from your log that you have run ComboFix recently. If you still have the ComboFix log from that scan, please post it in your next reply.
Note: I do not want you to run ComboFix again to obtain a log. I am hoping to see the log produced when you ran it previously.


Please post the Virustotal/Jotti results, the DAFT log, the ComboFix log (if you have it) and a fresh HijackThis log.

Edited by Carolyn, 15 April 2008 - 07:06 PM.

Member of ASAP (Alliance of Security Analysis Professionals)

#9 Kupuham

Kupuham
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:47 AM

Posted 18 April 2008 - 07:35 PM

I updated avast from the Update download on the site.
Here go the results:
Scan on "C:\WINDOWS\system\qqkkm.exe"
Antivirus  Version  Last Update  Result
AhnLab-V3 2008.4.19.0 2008.04.18 -
AntiVir 7.8.0.8 2008.04.18 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.18 -
Avast 4.8.1169.0 2008.04.18 Win32:AutoRun-ZQ
AVG 7.5.0.516 2008.04.18 Generic9.BECA
BitDefender 7.2 2008.04.19 -
CAT-QuickHeal 9.50 2008.04.18 Worm.AutoRun.crv
ClamAV 0.92.1 2008.04.19 -
DrWeb 4.44.0.09170 2008.04.18 -
eSafe 7.0.15.0 2008.04.17 Suspicious File
eTrust-Vet 31.3.5714 2008.04.19 -
Ewido 4.0 2008.04.18 Worm.AutoRun.crv
F-Prot 4.4.2.54 2008.04.18 W32/Worm!c182
F-Secure 6.70.13260.0 2008.04.19 Worm.Win32.AutoRun.crv
FileAdvisor 1 2008.04.19 -
Fortinet 3.14.0.0 2008.04.18 W32/Agent.UPZ!tr
Ikarus T3.1.1.26 2008.04.19 Worm.Win32.AutoRun.crv
Kaspersky 7.0.0.125 2008.04.19 Worm.Win32.AutoRun.crv
McAfee 5277 2008.04.18 W32/Autorun.worm.c
Microsoft 1.3408 2008.04.18 -
NOD32v2 3038 2008.04.18 -
Norman 5.80.02 2008.04.18 W32/Agent.EHVF
Panda 9.0.0.4 2008.04.19 Suspicious file
Prevx1 V2 2008.04.19 Generic9.BECA
Rising 20.40.42.00 2008.04.18 Worm.Win32.Agent.zln
Sophos 4.28.0 2008.04.19 Mal/Generic-A
Sunbelt 3.0.1056.0 2008.04.17 VIPRE.Suspicious
Symantec 10 2008.04.19 Downloader
TheHacker 6.2.92.284 2008.04.18 -
VBA32 3.12.6.4 2008.04.16 Worm.Win32.AutoRun.crv
VirusBuster 4.3.26:9 2008.04.18 -
Webwasher-Gateway 6.6.2 2008.04.18 Trojan.Crypt.XPACK.Gen

Scan on G:\setup.exe
Haven't found this specific drive, might find it today or later tomorrow.

Scan on F:\MBVolCrypt.exe
File is not on the drive anymore

I was unable to find the ComboFix log.

DAFT Log saved on 2008-04-18 21:31:51
-----------------------------------------------------------------------
All associations okay!

#10 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts
  • Local time:07:47 AM

Posted 19 April 2008 - 03:49 PM

Hello,

It looks as though your computer has been infected by a worm that propagates via removable drives.

Please collect all of your removable media (that includes flash drives, cameras, MP3 players, etc.). Each of these will have to be disinfected to ensure that this worm does not reinfect your computer again!


  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.
Be sure to run Flash_Disinfector on all of your removable media!!!


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Please post the ComboFix log and a fresh HijackThis log. Also let me know how your computer is behaving.
Member of ASAP (Alliance of Security Analysis Professionals)

#11 Kupuham

Kupuham
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:47 AM

Posted 19 April 2008 - 09:25 PM

Flash Disinfector ran very quickly and produced no logs; I had all the possibly infected drives inserted at that time.

Combofix made the computer reboot as soon as it changed the system clock. I was unable to find any logs.

Also, avast is now reporting the existence of a Trojan called Patched-FG. It is also warning that it is failing to update itself.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13, on 2008-04-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Avast\aswUpdSv.exe
C:\Arquivos de programas\Avast\ashServ.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Arquivos de programas\Avast\ashMaiSv.exe
C:\Arquivos de programas\Avast\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\ARQUIV~1\Avast\ashDisp.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\usuário\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Arquivos de programas\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188782401593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188782274187
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://sympatico.zone.msn.com/bingame/zpag...no.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Arquivos de programas\Anti Spyware\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Avast\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Avast\ashWebSv.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader (usnjsvc) - Unknown owner - C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe

--
End of file - 12091 bytes

Edited by Kupuham, 19 April 2008 - 09:27 PM.
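A small triage pass over the HijackThis log format shown above, written as an added example (it is not a tool from this thread or from Trend Micro). The sample lines are copied from the log posted above; the flag rules are my assumptions about what a helper reviews first, not HijackThis's own logic.

```python
import re

# Constructed sample: a handful of entries in the shape of the HijackThis
# v2.0.2 log posted above (not a complete scan).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\usuário\Desktop\Download\UT1.6.1.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)
"""

# Every HJT entry starts with a section code (R0-R3, O1-O24) followed by " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Assumed heuristic: autostart entries living under these path fragments
# (user-writable locations) deserve a second look.
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\local settings\\")


def parse_hjt(text):
    """Return (section, body) tuples for the R/O entries in an HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Flag entries a helper would review first.

    Returns a list of (section, reason, body); nothing here decides that an
    entry is malicious, it only orders the manual review.
    """
    findings = []
    for section, body in entries:
        low = body.lower()
        if low.endswith("(no file)") or low.endswith("(file missing)"):
            findings.append((section, "orphaned entry: target file is missing", body))
        elif section == "O10":
            findings.append((section, "Winsock LSP not recognised by HJT: verify the DLL", body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, "BHO without a name", body))
        elif section == "O4" and any(p in low for p in USER_WRITABLE):
            findings.append((section, "autostart from a user-writable location", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

On the sample above this flags the nameless BHO, the µTorrent autostart from the Desktop, the unrecognised Winsock LSP and the NMIndexingService entry whose file is missing, while the Java BHO and ctfmon.exe are left alone.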


#12 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts

Posted 20 April 2008 - 04:13 PM

Also, avast is now reporting the existence of a Trojan called Patched-FG. It is also warning that it is failing to update itself.


Have you downloaded and installed Avast! Anti-virus Home Edition? It is free, but requires that you register the product to receive an activation key.
AVAST!


Use Windows Explorer (right-click the Start button and left-click Explore) to navigate to and find the following ComboFix log files:

C:\qoobox\ComboFix1.txt
C:\qoobox\ComboFix2.txt

Double-Click on the ComboFix1.txt file and it should open in Notepad. Copy and paste the contents of that file in your next post.

Repeat that procedure for ComboFix2.txt.

Note: you may need to post these files separately, because the length of the two files together might not fit in a single post.
Member of ASAP (Alliance of Security Analysis Professionals)

#13 Kupuham

Kupuham
  • Topic Starter

  • Members
  • 47 posts

Posted 21 April 2008 - 09:06 PM

Combofix logfiles do not exist. In the qoobox folder, there are 2 other folders, BackEnv, which contains 14 .dat files, and 1 .bat, and a "Quarantine" folder, which contains an empty folder named C.

I am now downloading avast.

#14 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts

Posted 22 April 2008 - 11:51 AM

Hello,

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.

Disable SUPERAntiSpyware until the computer is clean
  • Right-click on the shortcut from the system tray
  • Choose View Control Center (preferences/options)
  • On the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts.
  • Click Close to exit.
Don't forget to re-enable it, when your computer is clean.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.

Please post the ComboFix log and a fresh HijackThis log.
Member of ASAP (Alliance of Security Analysis Professionals)

#15 Kupuham

Kupuham
  • Topic Starter

  • Members
  • 47 posts

Posted 23 April 2008 - 08:07 PM

Firstly, the icon for Spybot TeaTimer near the clock wasn't present, but I disabled it as instructed in the program itself. I managed to disable SUPERAntiSpyware as instructed. But again, ComboFix rebooted the PC at the same spot, and after the boot, the system reported having recovered from a serious error, as it had done before (while running ComboFix).



