

Trojan-psw.win32.onlinegames.yhl


19 replies to this topic

#1 Aelius (Members, 11 posts)

Posted 19 April 2008 - 07:12 AM

I'm glad I've found this forum. Thank you guys for providing this free computer support.

I ran the Kaspersky online virus scan and was found to be infected by Trojan-PSW.Win32.OnLineGames.yhl. After trying with no success to remove the several infected files manually (some were protected, others I simply couldn't find, although I had checked the "show hidden files" box), I ran an Ad-Aware scan; but I believe that didn't work either.

I'm also infected by Virus.ALS.Bursted, but what worries me most is the Trojan in the topic title. Here is the log:

Main.txt

Deckard's System Scanner v20071014.68
Run by Juvêncio on 2008-04-19 08:41:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
26: 2008-04-19 11:18:06 UTC - RP83 - Deckard's System Scanner Restore Point
25: 2008-04-19 10:36:15 UTC - RP82 - Removed AntiSpyware
24: 2008-04-19 10:26:56 UTC - RP81 - Installed AntiSpyware
23: 2008-04-19 10:18:19 UTC - RP80 - Installed OpenOffice.org Installer 1.0
22: 2008-04-19 10:15:11 UTC - RP79 - Installed Java™ 6 Update 5


-- First Restore Point --
1: 2008-01-30 13:52:38 UTC - RP58 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Juvêncio.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:43:50, on 19/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Juvêncio\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\Juvêncio.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marumushi.com/apps/newsmap/newsmap.cfm
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E31EFAE-AEAD-4D9F-9D39-2BBF74B445E6}: NameServer = 200.165.132.155 200.149.55.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E4DDFF-E378-4892-8F8D-F36F9B442D4E}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E31EFAE-AEAD-4D9F-9D39-2BBF74B445E6}: NameServer = 200.165.132.155 200.149.55.140
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E31EFAE-AEAD-4D9F-9D39-2BBF74B445E6}: NameServer = 200.165.132.155 200.149.55.140
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7712 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 RMSPPPOE (WAN Miniport (PPP over Ethernet Protocol)) - c:\windows\system32\drivers\rmspppoe.sys <Not Verified; Robert Schlabbach; PPP over Ethernet Protocol>

S3 FreshIO - c:\arquivos de programas\freshdevices\freshdiagnose\freshio.sys (file missing)
S3 FXDrv32 - f:\fxdrv32.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\arquivos de programas\arquivos comuns\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-19 and 2008-04-19 -----------------------------

2008-04-19 08:43:41 0 d-------- C:\Arquivos de programas\Trend Micro
2008-04-19 07:18:37 0 d-------- C:\WINDOWS\Sun
2008-04-19 07:18:21 0 d-------- C:\Arquivos de programas\Sun
2008-04-19 07:17:21 0 d-------- C:\Arquivos de programas\Java
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-04-18 19:20:29 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 16:57:09 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-04-13 16:57:09 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-13 16:57:08 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-13 16:57:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-04-13 16:57:08 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-04-13 16:57:07 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-13 16:57:06 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-13 16:49:40 0 d-------- C:\VirtualDub-1.7.7
2008-04-12 14:28:47 104310 -r-hs---- C:\tknn6.bat
2008-04-12 14:28:18 70144 -r-hs---- C:\WINDOWS\system32\amvo0.dll
2008-04-12 14:28:18 104310 -r-hs---- C:\WINDOWS\system32\amvo.exe
2008-04-12 12:04:15 0 d-------- C:\Arquivos de programas\Intel
2008-04-12 12:04:11 0 d-------- C:\WINDOWS\OPTIONS
2008-04-12 12:04:11 0 d-------- C:\Arquivos de programas\Realtek
2008-04-12 12:03:31 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-12 12:01:38 0 d-------- C:\Intel


-- Find3M Report ---------------------------------------------------------------

2008-04-19 07:18:37 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Sun
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-04-19 06:58:13 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon
2008-04-15 20:10:29 0 d-------- C:\Arquivos de programas\Soulseek
2008-04-13 18:50:11 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Media Player Classic
2008-04-13 16:57:07 0 d-------- C:\Arquivos de programas\K-Lite Codec Pack
2008-04-12 12:04:10 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-04-12 12:04:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\InstallShield
2008-04-12 12:03:56 425426 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-12 12:03:56 67450 --a------ C:\WINDOWS\system32\perfc016.dat
2008-03-07 12:43:31 0 d-------- C:\Arquivos de programas\eMule
2008-03-01 20:20:12 0 d-------- C:\Arquivos de programas\WinAVIVideoConverter
2008-03-01 20:19:50 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys
2008-03-01 19:33:21 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\uTorrent
2008-03-01 01:23:46 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Help
2008-02-29 07:33:34 0 d-------- C:\Arquivos de programas\WinAce
2008-02-28 21:46:45 0 d-------- C:\Arquivos de programas\Gabest


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14/12/2007 17:21 262144 --a------ C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [14/12/2007 17:21 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/2008 15:37]
"WinPatrol"="C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [23/09/2007 14:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 09:50]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [14/11/2007 15:05]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [11/12/2007 09:56]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [11/12/2007 11:10]
"USB Storage Toolbox"="C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE" [14/09/2005 19:44]
"RTHDCPL"="RTHDCPL.EXE" [10/08/2007 04:21 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [03/08/2007 02:22 C:\WINDOWS\SkyTel.exe]
"AlcWzrd"="ALCWZRD.EXE" [04/05/2006 05:26 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 07:43 C:\WINDOWS\ALCMTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [13/06/2007 01:56]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [13/06/2007 01:55]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [13/06/2007 01:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 23:45]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [26/09/2007 23:04]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [26/9/2007 23:04:08]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [13/2/2001 09:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-04-19 08:44:38 ------------






Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 1014.11 MiB / 573.88 MiB
Pagefile Memory (total/avail): 1661.29 MiB / 1280.93 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919.46 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.25 GiB total, 12.88 GiB free.
D: is Fixed (FAT32) - 29.39 GiB total, 29.39 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75JHC0 - 74.5 GiB - 2 partitions
\PARTITION0 (bootable) - Sistema de arquivos instalável - 37.25 GiB - C:
\PARTITION1 - Estendido c/Int. estendida 13 - 29.41 GiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)
AV: avast! antivirus 4.8.1169 [VPS 080418-0] v4.8.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Arquivos de programas\\iTunes\\iTunes.exe"="C:\\Arquivos de programas\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Juvêncio\Dados de aplicativos
CLASSPATH=.;C:\Arquivos de programas\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Arquivos de programas\Arquivos comuns
COMPUTERNAME=MALARIS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Juvêncio
LOGONSERVER=\\MALARIS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Arquivos de programas\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Arquivos de programas
PROMPT=$P$G
QTJAVA=C:\Arquivos de programas\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JUVNCI~1\CONFIG~1\Temp
TMP=C:\DOCUME~1\JUVNCI~1\CONFIG~1\Temp
tvdumpflags=8
USERDOMAIN=MALARIS
USERNAME=Juvêncio
USERPROFILE=C:\Documents and Settings\Juvêncio
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Juvêncio (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ivx MPEG-4 5.0.1 (remove only) --> "C:\Arquivos de programas\3ivx\3ivx MPEG-4 5.0.1\uninstall.exe"
7-Zip 4.42 --> "C:\Arquivos de programas\7-Zip\Uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1 - Português --> MsiExec.exe /I{AC76BA86-7AD7-1046-7B44-A81000000003}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
µTorrent --> "C:\Arquivos de programas\uTorrent\uTorrent.exe" /UNINSTALL
AutoCAD 2007 - English --> MsiExec.exe /I{5783F2D7-5001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\ARQUIV~1\Autodesk\AUTODE~1\Setup.exe /remove /q0
avast! Antivirus --> C:\Arquivos de programas\Alwil Software\Avast4\aswRunDll.exe "C:\Arquivos de programas\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
CCleaner (remove only) --> "C:\Arquivos de programas\CCleaner\uninst.exe"
CorelDRAW Graphics Suite 12 --> MsiExec.exe /I{505AFDC0-5E72-4928-8368-5DEA385E3647}
dBpowerAMP CD Writer --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP CD Writer.dat
dBpoweramp FLAC Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
Discador Velox 0.98 --> "C:\Arquivos de programas\Velox\Discador Velox\unins000.exe"
Easy CD Cover Printer --> C:\ARQUIV~1\EASYCD~1\UNWISE.EXE C:\ARQUIV~1\EASYCD~1\INSTALL.LOG
eMule --> "C:\Arquivos de programas\eMule\Uninstall.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google SketchUp 6 --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9 -removeonly
Google SketchUp 6 --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\arquivos de programas\google\googletoolbar1.dll"
Google Updater --> "C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HP Image Zone 4.7 --> C:\Arquivos de programas\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.7 --> "C:\Arquivos de programas\HP\Digital Imaging\{5469D537-9B44-4c78-BF2D-5F9807564F74}\setup\hpzscr01.exe" -datfile hposcr05.dat
Informações Velox --> "C:\Arquivos de programas\Velox\Misc\unins000.exe"
Intel® Graphics Media Accelerator Driver --> C:\WINDOWS\system32\igxpun.exe -uninstall
iTunes --> MsiExec.exe /I{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
K-Lite Codec Pack 3.8.5 Full --> "C:\Arquivos de programas\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Macromedia Flash Player 8 --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Microsoft Office XP Professional com FrontPage --> MsiExec.exe /I{90280416-6000-11D3-8CFE-0050048383C9}
Nero OEM --> C:\Arquivos de programas\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Opera 9.24 --> MsiExec.exe /X{16913489-B5E3-403E-AFD3-2B19BBE464D4}
Programador de Modem Velox 2.0 --> "C:\Arquivos de programas\Velox\Programador de Modem Velox\unins000.exe"
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
Realtek AC'97 Audio --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
REALTEK GbE & FE Ethernet PCI-E NIC Driver --> C:\Arquivos de programas\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\Setup.exe -runfromtemp -l0x0416 -removeonly
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
SoulSeek Client 156b --> "C:\Arquivos de programas\Soulseek\uninstall.exe"
StumbleUpon IE Toolbar --> C:\Arquivos de programas\StumbleUpon\uninstall.exe
Unlocker 1.8.6 --> C:\Arquivos de programas\Unlocker\uninst.exe
USB Disk Win98 Driver --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{4E79A62F-7A2D-4058-BCE0-94E6B9E2F162}\Setup.exe"
VeryPDF PDF2Word v3.0 --> "C:\Arquivos de programas\VeryPDF PDF2Word v3.0\unins000.exe"
VobSub v2.23 (Remove Only) --> "C:\Arquivos de programas\Gabest\VobSub\uninstall.exe"
WinAce Archiver --> "C:\Arquivos de programas\WinAce\SXUNINST.EXE" "C:\Arquivos de programas\WinAce\SXUNINST.INI"
WinAVIVideoConverter --> "C:\Arquivos de programas\WinAVIVideoConverter\unins000.exe"
Windows Live Messenger --> MsiExec.exe /I{37FD253D-5064-4034-8CEC-CC3995F823A4}
WinPatrol 2007 --> C:\ARQUIV~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
ZoneAlarm --> C:\Arquivos de programas\Zone Labs\ZoneAlarm\zauninst.exe
ZoneAlarm Spy Blocker --> rundll32 C:\ARQUIV~1\ZONEAL~1\bar\1.bin\SpyBlock.dll,O


-- Application Event Log -------------------------------------------------------

Event Record #/Type2986 / Error
Event Submitted/Written: 04/19/2008 06:40:57 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Aplicativo com falha lsupdatemanager.exe, versão 7.0.2.6, módulo com falha hungapp, versão 0.0.0.0, endereço com falha 0x00000000.

Event Record #/Type2985 / Error
Event Submitted/Written: 04/19/2008 06:40:54 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Aplicativo com falha lsupdatemanager.exe, versão 7.0.2.6, módulo com falha hungapp, versão 0.0.0.0, endereço com falha 0x00000000.

Event Record #/Type2982 / Error
Event Submitted/Written: 04/18/2008 05:37:07 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Produto: Microsoft Office XP Professional com FrontPage -- Erro 1706. A instalação não pode encontrar os arquivos necessários. Verifique a conexão com a rede ou a unidade de CD-ROM. Para obter outras soluções possíveis para este problema, consulte .

Event Record #/Type2900 / Error
Event Submitted/Written: 04/13/2008 05:53:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Aplicativo com falha VobSub_2.23.exe, versão 0.0.0.0, módulo com falha hungapp, versão 0.0.0.0, endereço com falha 0x00000000.

Event Record #/Type2899 / Error
Event Submitted/Written: 04/13/2008 05:53:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Aplicativo com falha VobSub_2.23.exe, versão 0.0.0.0, módulo com falha hungapp, versão 0.0.0.0, endereço com falha 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30259 / Error
Event Submitted/Written: 04/19/2008 07:00:46 AM
Event ID/Source: 1003 / System Error
Event Description:
Código de erro 1000008e, parâmetro1 c0000005, parâmetro2 8060bca7, parâmetro3 a9d7ab40, parâmetro4 00000000.

Event Record #/Type30232 / Warning
Event Submitted/Written: 04/18/2008 10:16:31 PM
Event ID/Source: 63 / RMSPPPOE
Event Description:
Received a PPPoE Session packet for an unknown session.
Ignoring this packet.

Event Record #/Type30231 / Warning
Event Submitted/Written: 04/18/2008 10:16:31 PM
Event ID/Source: 63 / RMSPPPOE
Event Description:
Received a PPPoE Session packet for an unknown session.
Ignoring this packet.

Event Record #/Type30230 / Warning
Event Submitted/Written: 04/18/2008 10:16:31 PM
Event ID/Source: 63 / RMSPPPOE
Event Description:
Received a PPPoE Session packet for an unknown session.
Ignoring this packet.

Event Record #/Type30229 / Warning
Event Submitted/Written: 04/18/2008 10:16:31 PM
Event ID/Source: 63 / RMSPPPOE
Event Description:
Received a PPPoE Session packet for an unknown session.
Ignoring this packet.



-- End of Deckard's System Scanner: finished at 2008-04-19 08:44:38 ------------
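A helper reads a DSS listing like the one above by hand, looking for exactly the pattern visible in the "Files created" section: plain files carrying the read-only+hidden+system attribute combination (which is why Explorer's "show hidden files" checkbox alone did not reveal them; "hide protected operating system files" has to be unchecked as well), dropped in the drive root or in system32, without version information, with identical sizes, all created within the same minute. As an added example that is not part of the original post or of DSS itself, the Python below parses rows in the DSS file-row format and scores them with those checks. The sample rows are copied from the log in post #1; the attribute-column mapping (d, r, a, h, s), the scoring weights and the 3-point threshold are this example's own assumptions, and a high score marks a file for the analyst to confirm, not a verdict that it is the trojan named in the title.

```python
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Constructed sample: file rows copied from the "Files created" and "Find3M"
# sections of the DSS log in post #1. Row layout, as DSS prints it there:
#   YYYY-MM-DD HH:MM:SS <size> <attrs> <path> [<Not Verified; vendor; description>]
SAMPLE_LINES = [
    r"2008-04-13 16:57:09 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>",
    r"2008-04-13 16:49:40 0 d-------- C:\VirtualDub-1.7.7",
    r"2008-04-12 14:28:47 104310 -r-hs---- C:\tknn6.bat",
    r"2008-04-12 14:28:18 70144 -r-hs---- C:\WINDOWS\system32\amvo0.dll",
    r"2008-04-12 14:28:18 104310 -r-hs---- C:\WINDOWS\system32\amvo.exe",
    r"2008-04-12 12:04:10 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information",
    r"2008-03-01 20:19:50 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys",
]

ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attrs>\S{9}) "
    r"(?P<path>.+?)(?: <(?P<info>[^>]*)>)?$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".com", ".scr", ".pif"}

@dataclass
class FileEntry:
    ts: datetime
    size: int
    attrs: str           # 9 attribute columns; assumed mapping 0=d 1=r 2=a 3=h 4=s
    path: str
    info: Optional[str]  # vendor/description DSS prints for versioned binaries
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"
    def hidden_system(self) -> bool:
        return self.attrs[3] == "h" and self.attrs[4] == "s"

@dataclass
class Finding:
    entry: FileEntry
    score: int
    reasons: List[str]

def parse_dss_rows(lines) -> List[FileEntry]:
    """Parse DSS file rows; headers, blanks and non-matching lines are skipped."""
    out = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            out.append(FileEntry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                 int(m["size"]), m["attrs"], m["path"], m["info"]))
    return out

def triage(entries: List[FileEntry]) -> List[Finding]:
    """Score plain files with responder heuristics (weights are this example's own)."""
    files = [e for e in entries if not e.is_dir()]
    by_size: dict = {}
    for e in files:
        by_size.setdefault(e.size, []).append(e.path)
    findings = []
    for e in files:
        ext = ntpath.splitext(e.path)[1].lower()
        twins = [p for p in by_size[e.size] if p != e.path]
        checks = [  # (points, reason, condition)
            (3, "hidden+system attributes on a plain file", e.hidden_system()),
            (1, f"executable type {ext}", ext in EXEC_EXT),
            (1, "sits in the drive root (autorun-style placement)",
             re.match(r"^[A-Za-z]:\\[^\\]+$", e.path) is not None),
            (1, "unversioned binary in system32",
             "\\system32\\" in e.path.lower() and e.info is None and ext in {".exe", ".dll", ".sys"}),
            (1, "same size as " + ", ".join(twins) + " (possible copy of one dropper)", bool(twins)),
        ]
        hits = [(pts, why) for pts, why, ok in checks if ok]
        findings.append(Finding(e, sum(p for p, _ in hits), [w for _, w in hits]))
    return sorted(findings, key=lambda f: f.score, reverse=True)

def flagged_paths(entries: List[FileEntry], threshold: int = 3) -> Set[str]:
    return {f.entry.path for f in triage(entries) if f.score >= threshold}

def creation_bursts(entries: List[FileEntry], window_s: int = 60) -> List[List[str]]:
    """Group plain files created within window_s of the previous one; several
    files landing in the same minute is typical of a single dropper run."""
    files = sorted((e for e in entries if not e.is_dir()), key=lambda e: e.ts)
    groups: List[List[FileEntry]] = []
    for e in files:
        if groups and (e.ts - groups[-1][-1].ts).total_seconds() <= window_s:
            groups[-1].append(e)
        else:
            groups.append([e])
    return [[e.path for e in g] for g in groups if len(g) > 1]

if __name__ == "__main__":
    parsed = parse_dss_rows(SAMPLE_LINES)
    for f in triage(parsed):
        print(f"{f.score:2d}  {f.entry.path}  <- {'; '.join(f.reasons) or 'nothing notable'}")
    print("creation bursts:", creation_bursts(parsed))
```

Run against the sample, the three read-only+hidden+system files from 2008-04-12 14:28 score highest and fall into one creation burst, while the codec DLL with vendor information scores low; the unversioned .sys in system32 lands in between, which is the kind of entry worth a second look rather than an automatic delete. To feed a full DSS log in, pass its lines to parse_dss_rows; non-file rows are ignored by the regex.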

#2 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 03 May 2008 - 09:57 AM

Hello Aelius

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please post a new Hijackthis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 Aelius (Topic Starter, Members, 11 posts)

Posted 09 May 2008 - 07:38 PM

I'm still in need of assistance.
Thanks.
Here is the log:

Deckard's System Scanner v20071014.68
Run by Juvêncio on 2008-05-09 21:33:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.88 GiB (less than 15%) free.


-- HijackThis (run as Juvêncio.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:33:18, on 9/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Juvêncio\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\JUVNCI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marumushi.com/apps/newsmap/newsmap.cfm
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E4DDFF-E378-4892-8F8D-F36F9B442D4E}: Domain = @
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7366 bytes

-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-07 14:04:08 125952 -r-hs---- C:\WINDOWS\system32\kavo0.dll
2008-05-07 10:34:35 0 d-------- C:\Arquivos de programas\iPod
2008-05-07 10:34:27 0 d-------- C:\Arquivos de programas\iTunes
2008-04-19 08:43:41 0 d-------- C:\Arquivos de programas\Trend Micro
2008-04-19 07:18:37 0 d-------- C:\WINDOWS\Sun
2008-04-19 07:18:21 0 d-------- C:\Arquivos de programas\Sun
2008-04-19 07:17:21 0 d-------- C:\Arquivos de programas\Java
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-04-18 19:20:29 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 16:57:09 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-04-13 16:57:09 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-13 16:57:08 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-13 16:57:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-04-13 16:57:08 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-04-13 16:57:07 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-13 16:57:06 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-13 16:49:40 0 d-------- C:\VirtualDub-1.7.7
2008-04-12 12:04:15 0 d-------- C:\Arquivos de programas\Intel
2008-04-12 12:04:11 0 d-------- C:\WINDOWS\OPTIONS
2008-04-12 12:04:11 0 d-------- C:\Arquivos de programas\Realtek
2008-04-12 12:03:31 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-12 12:01:38 0 d-------- C:\Intel


-- Find3M Report ---------------------------------------------------------------

2008-05-07 10:56:40 0 d-------- C:\Arquivos de programas\Apple Software Update
2008-05-07 10:32:39 0 d-------- C:\Arquivos de programas\QuickTime
2008-05-04 08:05:49 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\uTorrent
2008-05-03 14:22:51 0 d-------- C:\Arquivos de programas\Soulseek
2008-05-01 11:34:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\WinRAR
2008-04-24 22:49:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-21 09:40:45 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-04-19 07:18:37 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Sun
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-04-19 06:58:13 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon
2008-04-13 18:50:11 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Media Player Classic
2008-04-13 16:57:07 0 d-------- C:\Arquivos de programas\K-Lite Codec Pack
2008-04-12 12:04:10 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-04-12 12:04:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\InstallShield
2008-04-12 12:03:56 425426 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-12 12:03:56 67450 --a------ C:\WINDOWS\system32\perfc016.dat
2008-03-01 20:19:50 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14/12/2007 17:21 262144 --a------ C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [14/12/2007 17:21 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/2008 15:37]
"WinPatrol"="C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [23/09/2007 14:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 09:50]
"USB Storage Toolbox"="C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE" [14/09/2005 19:44]
"RTHDCPL"="RTHDCPL.EXE" [10/08/2007 04:21 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [03/08/2007 02:22 C:\WINDOWS\SkyTel.exe]
"AlcWzrd"="ALCWZRD.EXE" [04/05/2006 05:26 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 07:43 C:\WINDOWS\ALCMTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [13/06/2007 01:56]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [13/06/2007 01:55]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [13/06/2007 01:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [26/09/2007 23:04]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [26/9/2007 23:04:08]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [13/2/2001 09:01:04]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-05-09 21:34:12 ------------

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:54 PM

Posted 09 May 2008 - 09:16 PM

Please visit this web page for instructions for downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#5 Aelius

Aelius
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:54 PM

Posted 10 May 2008 - 04:26 PM

This is the DSS log:

Deckard's System Scanner v20071014.68
Run by Juvêncio on 2008-05-10 18:22:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.7 GiB (less than 15%) free.


-- HijackThis (run as Juvêncio.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:22:41, on 10/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Opera\Opera.exe
C:\Documents and Settings\Juvêncio\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\JUVNCI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marumushi.com/apps/newsmap/newsmap.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E31EFAE-AEAD-4D9F-9D39-2BBF74B445E6}: NameServer = 200.165.132.155 200.149.55.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E4DDFF-E378-4892-8F8D-F36F9B442D4E}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E31EFAE-AEAD-4D9F-9D39-2BBF74B445E6}: NameServer = 200.165.132.155 200.149.55.140
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7767 bytes

-- Files created between 2008-04-10 and 2008-05-10 -----------------------------

2008-05-10 18:06:55 68096 --a------ C:\WINDOWS\zip.exe
2008-05-10 18:06:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-10 18:06:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-10 18:06:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-10 18:06:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-10 18:06:55 98816 --a------ C:\WINDOWS\sed.exe
2008-05-10 18:06:55 80412 --a------ C:\WINDOWS\grep.exe
2008-05-10 18:06:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 10:34:35 0 d-------- C:\Arquivos de programas\iPod
2008-05-07 10:34:27 0 d-------- C:\Arquivos de programas\iTunes
2008-04-19 08:43:41 0 d-------- C:\Arquivos de programas\Trend Micro
2008-04-19 07:18:37 0 d-------- C:\WINDOWS\Sun
2008-04-19 07:18:21 0 d-------- C:\Arquivos de programas\Sun
2008-04-19 07:17:21 0 d-------- C:\Arquivos de programas\Java
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-04-18 19:20:29 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 16:57:09 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2008-04-13 16:57:09 755027 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-13 16:57:08 159839 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-13 16:57:08 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-04-13 16:57:08 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-04-13 16:57:07 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-04-13 16:57:06 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-04-13 16:49:40 0 d-------- C:\VirtualDub-1.7.7
2008-04-12 12:04:15 0 d-------- C:\Arquivos de programas\Intel
2008-04-12 12:04:11 0 d-------- C:\WINDOWS\OPTIONS
2008-04-12 12:04:11 0 d-------- C:\Arquivos de programas\Realtek
2008-04-12 12:03:31 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-12 12:01:38 0 d-------- C:\Intel


-- Find3M Report ---------------------------------------------------------------

2008-05-07 10:56:40 0 d-------- C:\Arquivos de programas\Apple Software Update
2008-05-07 10:32:39 0 d-------- C:\Arquivos de programas\QuickTime
2008-05-04 08:05:49 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\uTorrent
2008-05-03 14:22:51 0 d-------- C:\Arquivos de programas\Soulseek
2008-05-01 11:34:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\WinRAR
2008-04-24 22:49:10 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-21 09:40:45 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-04-19 07:18:37 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Sun
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-04-19 06:58:13 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon
2008-04-13 18:50:11 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Media Player Classic
2008-04-13 16:57:07 0 d-------- C:\Arquivos de programas\K-Lite Codec Pack
2008-04-12 12:04:10 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-04-12 12:04:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\InstallShield
2008-04-12 12:03:56 425426 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-12 12:03:56 67450 --a------ C:\WINDOWS\system32\perfc016.dat
2008-03-01 20:19:50 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14/12/2007 17:21 262144 --a------ C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [14/12/2007 17:21 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [29/03/2008 15:37]
"WinPatrol"="C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [23/09/2007 14:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 09:50]
"USB Storage Toolbox"="C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE" [14/09/2005 19:44]
"RTHDCPL"="RTHDCPL.EXE" [10/08/2007 04:21 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [03/08/2007 02:22 C:\WINDOWS\SkyTel.exe]
"AlcWzrd"="ALCWZRD.EXE" [04/05/2006 05:26 C:\WINDOWS\ALCWZRD.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [13/06/2007 01:56]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [13/06/2007 01:55]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [13/06/2007 01:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [26/09/2007 23:04]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [26/9/2007 23:04:08]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [13/2/2001 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-05-10 18:23:31 ------------


This is the ComboFix log:


ComboFix 08-05-09.1 - Juvêncio 2008-05-10 18:13:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.666 [GMT -3:00]
Executando de: C:\Documents and Settings\Juvêncio\Desktop\ComboFix.exe
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\kavo0.dll
D:\Autorun.inf

.
((((((((((((((((((((((( Ficheiros criados de 2008-04-10 to 2008-05-10 ))))))))))))))))))))))))))))))))
.

2008-05-07 10:35 . 2008-05-10 17:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-07 10:35 . 2008-05-07 10:35 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 10:34 . 2008-05-07 10:34 <DIR> d-------- C:\Arquivos de programas\iTunes
2008-05-07 10:34 . 2008-05-07 10:34 <DIR> d-------- C:\Arquivos de programas\iPod
2008-04-26 09:53 . 2008-04-26 09:53 244 --ah----- C:\sqmnoopt02.sqm
2008-04-26 09:53 . 2008-04-26 09:53 232 --ah----- C:\sqmdata02.sqm
2008-04-24 22:46 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-04-24 22:45 . 2008-04-24 22:45 <DIR> d-------- C:\Arquivos de programas\Zone Labs
2008-04-24 22:45 . 2008-03-13 23:11 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-24 22:45 . 2008-05-10 17:55 352,918 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-04-19 08:43 . 2008-04-19 08:43 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-04-19 08:17 . 2008-04-19 08:17 <DIR> d-------- C:\Deckard
2008-04-19 07:20 . 2008-04-19 07:20 <DIR> d-------- C:\Documents and Settings\Juvêncio\.housecall6.6
2008-04-19 07:20 . 2008-04-19 07:20 <DIR> d-------- C:\Documents and Settings\Juvêncio\.housecall6.6
2008-04-19 07:18 . 2008-04-19 07:18 <DIR> d-------- C:\WINDOWS\Sun
2008-04-19 07:18 . 2008-04-19 07:18 <DIR> d-------- C:\Arquivos de programas\Sun
2008-04-19 07:18 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-19 07:17 . 2008-04-19 07:18 <DIR> d-------- C:\Arquivos de programas\Java
2008-04-19 07:15 . 2008-04-19 07:15 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-04-19 06:58 . 2008-04-19 06:58 <DIR> d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon
2008-04-19 06:58 . 2008-04-19 06:59 <DIR> d-------- C:\Arquivos de programas\Unlocker
2008-04-18 19:20 . 2008-04-18 19:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 19:20 . 2008-04-18 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2008-04-13 18:50 . 2008-04-13 18:50 <DIR> d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Media Player Classic
2008-04-13 16:49 . 2008-04-13 16:49 <DIR> d-------- C:\VirtualDub-1.7.7
2008-04-12 12:08 . 2008-04-12 12:08 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-04-12 12:08 . 2007-06-05 03:25 180,224 -ra------ C:\WINDOWS\system32\igfxres.dll
2008-04-12 12:08 . 2008-04-12 12:08 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-04-12 12:05 . 2007-06-13 01:55 400,152 -ra------ C:\WINDOWS\system32\igxpun.exe
2008-04-12 12:05 . 2006-11-09 22:25 319,456 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-04-12 12:05 . 2006-01-23 00:29 121,232 -ra------ C:\WINDOWS\system32\IScrNBR.bmp
2008-04-12 12:05 . 2006-01-23 00:29 121,232 -ra------ C:\WINDOWS\system32\IScrNB.bmp
2008-04-12 12:04 . 2008-04-12 12:04 <DIR> d-------- C:\WINDOWS\OPTIONS
2008-04-12 12:04 . 2008-04-12 12:04 <DIR> d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\InstallShield
2008-04-12 12:04 . 2008-04-12 12:04 <DIR> d-------- C:\Arquivos de programas\Realtek
2008-04-12 12:04 . 2008-04-12 12:04 <DIR> d-------- C:\Arquivos de programas\Intel
2008-04-12 12:04 . 2007-08-07 06:40 98,944 --a------ C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-04-12 12:03 . 2008-04-12 12:03 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-04-12 12:03 . 2007-08-10 04:21 16,384,000 -ra------ C:\WINDOWS\RTHDCPL.EXE
2008-04-12 12:03 . 2007-03-23 08:19 9,715,200 -ra------ C:\WINDOWS\RTLCPL.EXE
2008-04-12 12:03 . 2007-08-10 02:52 4,603,904 -ra------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-12 12:03 . 2006-05-04 05:26 2,808,832 -ra------ C:\WINDOWS\ALCWZRD.EXE
2008-04-12 12:03 . 2007-06-28 05:44 2,165,760 -ra------ C:\WINDOWS\MicCal.exe
2008-04-12 12:03 . 2007-08-03 02:22 1,826,816 -ra------ C:\WINDOWS\SkyTel.exe
2008-04-12 12:03 . 2007-07-26 07:06 1,191,936 -ra------ C:\WINDOWS\RtlUpd.exe
2008-04-12 12:03 . 2006-08-17 19:58 282,624 -ra------ C:\WINDOWS\system32\RTSndMgr.CPL
2008-04-12 12:03 . 2005-05-03 07:43 69,632 -ra------ C:\WINDOWS\ALCMTR.EXE
2008-04-12 12:02 . 2004-11-18 10:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-12 12:01 . 2008-04-12 12:01 <DIR> d-------- C:\Intel
2008-04-12 11:53 . 2001-08-17 21:51 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2008-04-12 11:53 . 2001-08-17 21:51 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-10 21:15 3,555,360 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-10 19:39 42,260 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-10 16:40 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Google Updater
2008-05-07 13:56 --------- d-----w C:\Arquivos de programas\Apple Software Update
2008-05-07 13:32 --------- d-----w C:\Arquivos de programas\QuickTime
2008-05-04 11:05 --------- d-----w C:\Documents and Settings\Juvêncio\Dados de aplicativos\uTorrent
2008-05-03 17:22 --------- d-----w C:\Arquivos de programas\Soulseek
2008-04-21 12:40 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe
2008-04-19 10:36 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft
2008-04-19 09:41 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-13 19:57 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack
2008-04-12 15:04 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2008-03-04 15:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 23:19 3,082 ----a-w C:\WINDOWS\system32\affv208325p1now.sys
2008-01-15 19:21 51,912 ----a-w C:\Documents and Settings\Juvêncio\Dados de aplicativos\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-14 17:21 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-14 17:21 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-26 23:04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 15:37 79224]
"WinPatrol"="C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [2007-09-23 14:30 292152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"USB Storage Toolbox"="C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE" [2005-09-14 19:44 65536]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 04:21 16384000 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2007-08-03 02:22 1826816 C:\WINDOWS\SkyTel.exe]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 05:26 2808832 C:\WINDOWS\ALCWZRD.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-13 01:56 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-13 01:55 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-13 01:55 138008]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [2007-09-26 23:04:08 126136]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\Arquivos de programas\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 15:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 15:35]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]
S3 FXDrv32;FXDrv32;F:\FXDrv32.sys []

*Newly Created Service* - CATCHME
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-07 13:16:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-10 18:15:21
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2008-05-10 18:17:11
ComboFix-quarantined-files.txt 2008-05-10 21:16:39

Pre-Run: 2,899,345,408 bytes disponíveis
Post-Run: 2,889,408,512 bytes disponíveis


#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:54 PM

Posted 10 May 2008 - 04:53 PM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#7 Aelius

Aelius
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:54 PM

Posted 12 May 2008 - 08:06 PM

I did the quick scan; it found no malware and the log was this:

Malwarebytes' Anti-Malware 1.12
Versão do banco de dados: 743

Tipo de Verificação: Rápida
Objetos verificados: 33794
Tempo decorrido: 3 minute(s), 13 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 0

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
(Nenhum ítem malicioso foi detectado)



And I did the complete scan, and it found one trojan agent; the log is this:

Malwarebytes' Anti-Malware 1.12
Versão do banco de dados: 743

Tipo de Verificação: Completa (C:\|D:\|)
Objetos verificados: 81633
Tempo decorrido: 23 minute(s), 44 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 1

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados: (infected files)
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.


#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:54 PM

Posted 12 May 2008 - 08:55 PM

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=========================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as button:
  • Save the file in txt format to your desktop.
  • Post that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
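Once the Kaspersky Online Scanner report comes back, reading it is mostly a matter of telling which detections sit on live paths and which are leftover copies in a tool quarantine, a System Restore point or the Recycle Bin. The following is an added example, not code from this thread or from the scanner: it parses the report format posted in this thread and sorts detections by location; the path-based location rules are the example's own assumption.

```python
"""Triage of a Kaspersky Online Scanner report in the format posted in this thread.

Added example, not code from the scanner or from this thread. It separates the
detections that sit on live paths (the ones still needing cleanup) from copies
that only survive in a tool quarantine, a System Restore point or the Recycle
Bin. The location rules below are this example's own assumption.
"""
import re
from collections import Counter, defaultdict

# Report line shapes seen in the thread:
#   <path> Infected: <name> skipped
#   <path> Object is locked skipped
#   <path> UPX: infected - 1 skipped        (packer/archive verdict on a container)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
PACKER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>[\w.\-]+): infected - \d+ skipped$")

# Lower-cased path fragments that mark copies of already-removed files.
# QooBox is ComboFix's quarantine; _restore{GUID} is a System Restore point.
NOT_LIVE = (
    ("\\qoobox\\quarantine\\", "quarantine"),
    ("\\system volume information\\_restore", "restore point"),
    ("\\recycler\\", "recycle bin"),
)


def classify_path(path):
    """Return 'live', 'quarantine', 'restore point' or 'recycle bin' for a path."""
    low = path.lower()
    for marker, label in NOT_LIVE:
        if marker in low:
            return label
    return "live"


def parse_report(text):
    """Return (path, detection, location) for every detection line in the report.

    'Object is locked skipped' lines are not detections and are ignored.
    Packer verdicts are recorded as 'packer:<name>' so they do not masquerade
    as a second malware family on the same container file.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            hits.append((m["path"], m["name"], classify_path(m["path"])))
            continue
        m = PACKER_RE.match(line)
        if m:
            hits.append((m["path"], "packer:" + m["packer"], classify_path(m["path"])))
    return hits


def summarize(hits):
    """Map location -> Counter of detection names (packer verdicts included)."""
    by_location = defaultdict(Counter)
    for _path, name, loc in hits:
        by_location[loc][name] += 1
    return by_location


def live_detections(hits):
    """Malware names found at least once on a live path."""
    return {name for _p, name, loc in hits
            if loc == "live" and not name.startswith("packer:")}


def backup_only_detections(hits):
    """Malware names seen only in quarantine, restore points or the Recycle Bin."""
    everywhere = {name for _p, name, _l in hits if not name.startswith("packer:")}
    return everywhere - live_detections(hits)


def live_files(hits):
    """Sorted live paths that still carry a detection (e.g. acad.lsp files that
    AutoCAD auto-loads from a drawing's folder, which is how ALS viruses spread)."""
    return sorted({p for p, name, loc in hits
                   if loc == "live" and not name.startswith("packer:")})


# Constructed sample: a subset of the lines from the report posted in this thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acad.lsp Infected: Virus.ALS.Bursted skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA-5\acad.lsp Infected: Virus.ALS.Bursted skipped
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.dne skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.acbo skipped
C:\RECYCLER\S-1-5-21-1409082233-1450960922-725345543-1003\Dc4.lsp Infected: Virus.ALS.Bursted skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP82\A0036368.exe/AntiSpywareApp/SpyCleaner.dll Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP82\A0036368.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0040181.inf Infected: Trojan-PSW.Win32.OnLineGames.yhl skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP94\A0042674.dll Infected: Trojan-PSW.Win32.OnLineGames.acbo skipped
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for loc, names in sorted(summarize(found).items()):
        print(f"{loc}: {dict(names)}")
    print("still live:", sorted(live_detections(found)))
    print("only in backups/quarantine:", sorted(backup_only_detections(found)))
    for path in live_files(found):
        print("  clean:", path)
```

On the sample lines this reports Virus.ALS.Bursted on two live acad.lsp files, while the OnLineGames entries resolve only to ComboFix's quarantine and restore points, which is the distinction a helper needs before choosing the next cleanup step.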

#9 Aelius

Aelius
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:54 PM

Posted 14 May 2008 - 06:59 AM

This thing seems hard to get rid of. Thanks for the help. Kaspersky's log:

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 13, 2008 10:56:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/05/2008
Kaspersky Anti-Virus database records: 771702
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 51683
Number of viruses found: 7
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 01:01:31

Infected Object Name / Virus Name / Last Action
C:\Arquivos de programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswAr.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Arquivos de programas\Alwil Software\Avast4\DATA\report\Proteção residente.txt Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Histórico\History.IE5\MSHist012008051320080514\index.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Temp\AHI3F.tmp Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Temp\ESTUDO 5 sketch_1_1_1478.dwl Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Temp\IMG25.tmp Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Temp\REDO.ac$ Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Temp\SketchUpUndo0.log Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Temp\UNDO.ac$ Object is locked skipped
C:\Documents and Settings\Juvêncio\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acad.lsp Infected: Virus.ALS.Bursted skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acadapp.lsp Infected: Virus.ALS.Bursted skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\WebServices\ws_CommCntr_20080513_0.log Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\indexer\indexer_1024.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\indexer\indexer_128.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\indexer\indexer_2048.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\indexer\indexer_512.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\indexer\indexer_64.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\lexicon\lexicon_1024.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\lexicon\lexicon_128.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\lexicon\lexicon_2048.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\lexicon\lexicon_512.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\lexicon\lexicon_64.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\mailbase.dat Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2007\10\29\81.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2007\11\04\86.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2007\12\14\260.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\01\05\266.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\01\08\268.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\01\11\274.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\02\07\345.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\03\20\410.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\05\421.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\05\422.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\10\429.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\19\447.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\21\448.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\24\449.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\28\456.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\28\457.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\04\30\458.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\02\459.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\03\461.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\03\466.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\03\467.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\04\468.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\04\469.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\05\470.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\05\471.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\07\472.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\10\473.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\10\480.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\10\481.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\12\482.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\12\483.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\13\484.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\13\485.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\13\486.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account2\2008\05\14\487.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\53.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\54.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\55.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\56.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\57.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\58.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\59.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\60.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\61.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\62.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\63.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\64.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\65.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\66.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\67.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\68.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\69.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\70.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\71.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\72.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\16\73.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\17\74.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\18\75.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\04\22\76.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2007\09\14\16.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\25\390.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\25\391.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\28\392.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\28\393.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\28\394.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\28\395.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\28\396.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\03\28\397.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\04\398.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\04\399.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\04\400.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\04\401.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\04\402.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\10\403.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\10\404.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\10\405.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\10\406.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\10\407.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\10\408.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\17\442.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\17\443.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\17\444.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\17\445.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\17\446.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\24\450.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\24\451.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\24\452.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\24\453.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\24\454.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\04\24\455.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\02\462.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\02\463.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\02\464.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\02\465.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\09\474.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\09\475.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\09\476.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\09\477.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\09\478.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Opera\Opera\mail\store\account3\2008\05\09\479.mbs Object is locked skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA\PA-3\acad.lsp Infected: Virus.ALS.Bursted skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA-5\acad.lsp Infected: Virus.ALS.Bursted skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA-5\ESTUDO 5 FINAL.dwl Object is locked skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA-5\ESTUDO 5 sketch.dwg Object is locked skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA-5\ESTUDO 5 sketch.dwl Object is locked skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\projeto-mãe\acad.lsp Infected: Virus.ALS.Bursted skipped
C:\Documents and Settings\Juvêncio\Meus documentos\Minhas músicas\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Juvêncio\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Juvêncio\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.dne skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kavo0.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.acbo skipped
C:\RECYCLER\S-1-5-21-1409082233-1450960922-725345543-1003\Dc4.lsp Infected: Virus.ALS.Bursted skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP82\A0036368.exe/AntiSpywareApp/SpyCleaner.dll Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP82\A0036368.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP82\A0036368.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP82\A0036368.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP83\A0036430.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0040181.inf Infected: Trojan-PSW.Win32.OnLineGames.yhl skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP93\A0042631.exe Infected: Trojan.Win32.VB.cpf skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP94\A0042674.dll Infected: Trojan-PSW.Win32.OnLineGames.acbo skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP94\A0042675.inf Infected: Worm.Win32.AutoRun.dne skipped
C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP95\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MALARIS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6ac.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT01af6.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT01af9.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\avc35.exe Infected: Trojan.Win32.VB.cpf skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP75\A0034709.inf Infected: Trojan-PSW.Win32.OnLineGames.yhl skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP75\A0034738.inf Infected: Trojan-PSW.Win32.OnLineGames.yhl skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0040182.inf Infected: Trojan-PSW.Win32.OnLineGames.yhl skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0040194.inf Infected: Worm.Win32.AutoRun.dne skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0041195.exe Infected: Trojan.Win32.VB.cpf skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0041204.exe Infected: Trojan.Win32.VB.cpf skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0041262.exe Infected: Trojan.Win32.VB.cpf skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0041282.exe Infected: Trojan.Win32.VB.cpf skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0041309.EXE Infected: Trojan.Win32.VB.cpf skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92\A0041437.exe Infected: Trojan.Win32.VB.cpf skipped
D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP93\A0042595.exe Infected: Trojan.Win32.VB.cpf skipped
D:\8386nac.com Infected: Trojan-PSW.Win32.OnLineGames.acbn skipped

Scan process completed.

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:54 PM

Posted 14 May 2008 - 10:21 AM

Yes, this infection can be pesky.
=====================
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
D:\8386nac.com 
D:\avc35.exe 
C:\RECYCLER\S-1-5-21-1409082233-1450960922-725345543-1003\Dc4.lsp 
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\projeto-mãe\acad.lsp 
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA\PA-3\acad.lsp 
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acadapp.lsp 
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acad.lsp


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation not captured: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#11 Aelius

Aelius
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 16 May 2008 - 05:49 PM

The HijackThis log:

Deckard's System Scanner v20071014.68
Run by Juvêncio on 2008-05-16 19:44:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.57 GiB (less than 15%) free.


-- HijackThis (run as Juvêncio.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:44:30, on 16/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Juvêncio\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\JUVNCI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marumushi.com/apps/newsmap/newsmap.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E4DDFF-E378-4892-8F8D-F36F9B442D4E}: Domain = @
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7510 bytes

-- Files created between 2008-04-16 and 2008-05-16 -----------------------------

2008-05-14 20:37:47 395296 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-14 20:34:43 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-05-14 20:33:25 0 d-------- C:\Arquivos de programas\Lavasoft
2008-05-14 10:59:47 0 d-------- C:\kav
2008-05-12 21:16:19 0 d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2008-05-10 18:06:55 68096 --a------ C:\WINDOWS\zip.exe
2008-05-10 18:06:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-10 18:06:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-10 18:06:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-10 18:06:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-10 18:06:55 98816 --a------ C:\WINDOWS\sed.exe
2008-05-10 18:06:55 80412 --a------ C:\WINDOWS\grep.exe
2008-05-10 18:06:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 10:34:35 0 d-------- C:\Arquivos de programas\iPod
2008-05-07 10:34:27 0 d-------- C:\Arquivos de programas\iTunes
2008-04-19 08:43:41 0 d-------- C:\Arquivos de programas\Trend Micro
2008-04-19 07:18:37 0 d-------- C:\WINDOWS\Sun
2008-04-19 07:18:21 0 d-------- C:\Arquivos de programas\Sun
2008-04-19 07:17:21 0 d-------- C:\Arquivos de programas\Java
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-04-18 19:20:29 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

2008-05-14 20:49:30 0 d-------- C:\Arquivos de programas\Alwil Software
2008-05-14 20:36:39 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-12 21:56:39 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon
2008-05-12 21:16:34 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Malwarebytes
2008-05-07 10:56:40 0 d-------- C:\Arquivos de programas\Apple Software Update
2008-05-07 10:32:39 0 d-------- C:\Arquivos de programas\QuickTime
2008-05-04 08:05:49 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\uTorrent
2008-05-03 14:22:51 0 d-------- C:\Arquivos de programas\Soulseek
2008-05-01 11:34:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\WinRAR
2008-04-21 09:40:45 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-04-19 07:18:37 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Sun
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-04-13 18:50:11 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Media Player Classic
2008-04-13 16:57:07 0 d-------- C:\Arquivos de programas\K-Lite Codec Pack
2008-04-12 12:04:15 0 d-------- C:\Arquivos de programas\Intel
2008-04-12 12:04:11 0 d-------- C:\Arquivos de programas\Realtek
2008-04-12 12:04:10 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-04-12 12:04:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\InstallShield
2008-04-12 12:03:56 425426 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-12 12:03:56 67450 --a------ C:\WINDOWS\system32\perfc016.dat
2008-03-04 12:33:18 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 20:19:50 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14/12/2007 17:21 262144 --a------ C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [14/12/2007 17:21 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 07:06]
"WinPatrol"="C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [23/09/2007 14:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 09:50]
"USB Storage Toolbox"="C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE" [14/09/2005 19:44]
"RTHDCPL"="RTHDCPL.EXE" [10/08/2007 04:21 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [03/08/2007 02:22 C:\WINDOWS\SkyTel.exe]
"AlcWzrd"="ALCWZRD.EXE" [04/05/2006 05:26 C:\WINDOWS\ALCWZRD.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [13/06/2007 01:56]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [13/06/2007 01:55]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [13/06/2007 01:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [26/09/2007 23:04]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [26/9/2007 23:04:08]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [13/2/2001 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa57b40d-6d2c-11dc-8c04-00142a5f0965}]
AutoRun\command- H:\avc35.exe
explore\command- H:\avc35.exe explore
find\command- H:\avc35.exe
open\command- H:\avc35.exe




-- End of Deckard's System Scanner: finished at 2008-05-16 19:45:11 ------------



The ComboFix log:

ComboFix 08-05-09.1 - Juvêncio 2008-05-16 19:38:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.609 [GMT -3:00]
Executando de: C:\Documents and Settings\Juvêncio\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Juvêncio\Desktop\CFScript.txt
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acad.lsp
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acadapp.lsp
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\PA\PA-3\acad.lsp
C:\Documents and Settings\Juvêncio\Meus documentos\Clarice\projeto-mãe\acad.lsp
C:\RECYCLER\S-1-5-21-1409082233-1450960922-725345543-1003\Dc4.lsp
D:\8386nac.com
D:\avc35.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acad.lsp
C:\Documents and Settings\Juvêncio\Dados de aplicativos\Autodesk\AutoCAD 2007\R17.0\enu\Support\acadapp.lsp
D:\Autorun.inf

.
((((((((((((((((((((((( Ficheiros criados de 2008-04-16 to 2008-05-16 ))))))))))))))))))))))))))))))))
.

2008-05-16 08:03 . 2008-05-16 08:03 244 --ah----- C:\sqmnoopt04.sqm
2008-05-16 08:03 . 2008-05-16 08:03 232 --ah----- C:\sqmdata04.sqm
2008-05-14 20:48 . 2008-05-14 20:48 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\NtUser.dat.LOG
2008-05-14 20:37 . 2008-05-16 19:40 385,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-14 20:37 . 2008-05-16 11:07 5,156 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-14 20:35 . 2008-03-13 23:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-05-14 20:34 . 2008-05-14 20:34 <DIR> d-------- C:\Arquivos de programas\Zone Labs
2008-05-14 20:33 . 2008-05-14 20:33 <DIR> d-------- C:\Arquivos de programas\Lavasoft
2008-05-14 12:28 . 2008-05-14 12:28 244 --ah----- C:\sqmnoopt03.sqm
2008-05-14 12:28 . 2008-05-14 12:28 232 --ah----- C:\sqmdata03.sqm
2008-05-14 10:59 . 2008-05-14 10:59 <DIR> d-------- C:\kav
2008-05-12 21:16 . 2008-05-12 21:16 <DIR> d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Malwarebytes
2008-05-12 21:16 . 2008-05-12 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes
2008-05-12 21:16 . 2008-05-12 21:16 <DIR> d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2008-05-12 21:16 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 21:16 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-11 18:02 . 2008-05-16 19:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-11 18:02 . 2008-05-11 18:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-07 10:34 . 2008-05-07 10:34 <DIR> d-------- C:\Arquivos de programas\iTunes
2008-05-07 10:34 . 2008-05-07 10:34 <DIR> d-------- C:\Arquivos de programas\iPod
2008-04-26 09:53 . 2008-04-26 09:53 244 --ah----- C:\sqmnoopt02.sqm
2008-04-26 09:53 . 2008-04-26 09:53 232 --ah----- C:\sqmdata02.sqm
2008-04-19 08:43 . 2008-04-19 08:43 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-04-19 08:17 . 2008-04-19 08:17 <DIR> d-------- C:\Deckard
2008-04-19 07:20 . 2008-04-19 07:20 <DIR> d-------- C:\Documents and Settings\Juvêncio\.housecall6.6
2008-04-19 07:20 . 2008-04-19 07:20 <DIR> d-------- C:\Documents and Settings\Juvêncio\.housecall6.6
2008-04-19 07:18 . 2008-04-19 07:18 <DIR> d-------- C:\WINDOWS\Sun
2008-04-19 07:18 . 2008-04-19 07:18 <DIR> d-------- C:\Arquivos de programas\Sun
2008-04-19 07:18 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-19 07:17 . 2008-04-19 07:18 <DIR> d-------- C:\Arquivos de programas\Java
2008-04-19 07:15 . 2008-04-19 07:15 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-04-19 06:58 . 2008-05-12 21:56 <DIR> d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon
2008-04-19 06:58 . 2008-04-19 06:59 <DIR> d-------- C:\Arquivos de programas\Unlocker
2008-04-18 19:20 . 2008-04-18 19:20 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-18 19:20 . 2008-04-18 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 14:07 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Google Updater
2008-05-14 23:49 --------- d-----w C:\Arquivos de programas\Alwil Software
2008-05-07 13:56 --------- d-----w C:\Arquivos de programas\Apple Software Update
2008-05-07 13:32 --------- d-----w C:\Arquivos de programas\QuickTime
2008-05-04 11:05 --------- d-----w C:\Documents and Settings\Juvêncio\Dados de aplicativos\uTorrent
2008-05-03 17:22 --------- d-----w C:\Arquivos de programas\Soulseek
2008-04-21 12:40 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe
2008-04-19 10:36 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Lavasoft
2008-04-13 21:50 --------- d-----w C:\Documents and Settings\Juvêncio\Dados de aplicativos\Media Player Classic
2008-04-13 19:57 --------- d-----w C:\Arquivos de programas\K-Lite Codec Pack
2008-04-12 15:04 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2008-04-12 15:04 --------- d-----w C:\Documents and Settings\Juvêncio\Dados de aplicativos\InstallShield
2008-04-12 15:04 --------- d-----w C:\Arquivos de programas\Realtek
2008-04-12 15:04 --------- d-----w C:\Arquivos de programas\Intel
2008-03-14 02:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-03-04 15:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 23:19 3,082 ----a-w C:\WINDOWS\system32\affv208325p1now.sys
2008-01-15 19:21 51,912 ----a-w C:\Documents and Settings\Juvêncio\Dados de aplicativos\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-05-10_18.16.29.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-10 20:54:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-16 22:30:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-09-27 02:01:40 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-05-14 23:33:28 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
- 2007-09-27 02:01:40 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-05-14 23:33:28 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
- 2007-09-27 02:01:40 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-05-14 23:33:28 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
- 2007-09-27 02:01:40 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-05-14 23:33:28 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2008-03-29 18:45:49 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
+ 2007-09-06 10:09:49 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
- 2008-03-29 18:23:22 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2007-09-06 10:00:07 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
+ 2008-05-14 23:48:50 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
- 2008-03-29 18:26:52 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
+ 2007-09-06 10:00:53 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
- 2008-01-17 17:34:01 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
+ 2007-09-06 10:05:25 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
- 2008-03-29 18:35:21 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
+ 2007-09-06 10:05:10 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
- 2008-03-29 18:29:08 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
+ 2007-09-06 10:03:02 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
- 2008-03-29 18:27:33 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
+ 2007-09-06 10:02:20 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
- 2008-04-19 09:41:17 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
+ 2007-04-13 18:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2008-04-25 01:49:10 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2008-05-14 23:36:39 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2008-03-14 02:11:20 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-05-15 15:26:45 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2008-05-16 22:30:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b4.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2007-12-14 17:21 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-14 17:21 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-26 23:04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 07:06 79224]
"WinPatrol"="C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [2007-09-23 14:30 292152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"USB Storage Toolbox"="C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE" [2005-09-14 19:44 65536]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 04:21 16384000 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2007-08-03 02:22 1826816 C:\WINDOWS\SkyTel.exe]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 05:26 2808832 C:\WINDOWS\ALCWZRD.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-13 01:56 142104]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-13 01:55 162584]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-13 01:55 138008]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:45 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [2007-09-26 23:04:08 126136]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll
"vidc.SEDG"= SamsungVfWCodec.dll
"vidc.DX50"= DivXVfWCodec.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"C:\\Arquivos de programas\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 15:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 15:35]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-06-10 00:09]
S3 FXDrv32;FXDrv32;F:\FXDrv32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa57b40d-6d2c-11dc-8c04-00142a5f0965}]
\Shell\AutoRun\command - H:\avc35.exe
\Shell\explore\command - H:\avc35.exe explore
\Shell\find\command - H:\avc35.exe
\Shell\open\command - H:\avc35.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 20:09:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Arquivos de programas\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 19:40:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-16 19:42:37
ComboFix-quarantined-files.txt 2008-05-16 22:42:07
ComboFix2.txt 2008-05-10 21:17:12

Pre-Run: 2,608,283,648 bytes free
Post-Run: 2,727,407,616 bytes free

196


I saw that there is something wrong with the AutoCAD applications; would it help if I reinstalled AutoCAD?

Thanks

#12 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:54 PM

Posted 16 May 2008 - 08:13 PM

No, you don't have to reinstall it; the program below will fix it.
=====================
Please download DAFT and save it to your desktop:
  • Double-click the daft.exe icon.
  • Click on the Scan button.
  • Select everything it is displaying there
  • Click the Fix button.
  • Then rescan with DAFT again - it should say now that "All associations are OK"
  • Close DAFT if you receive that message. This means that it is fixed now.
===============
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa57b40d-6d2c-11dc-8c04-00142a5f0965}]
    H:\avc35.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=============================
Please go to Start > Run, then copy/paste this in: "%userprofile%\desktop\dss.exe" /config and hit OK.
Place a check next to everything and click on ok or scan.
Post those logs please.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
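The entry kahdah is removing above is a MountPoints2 autorun hijack: Explorer caches each removable volume's autorun.inf verbs under HKCU\...\Explorer\MountPoints2\{volume GUID}, and here the AutoRun, open, explore and find verbs all point at H:\avc35.exe, so double-clicking the drive, right-click Explore, Open or Search would each launch that file. The Python below is an added example, not part of this thread and not code from OTMoveIt2, ComboFix or DSS; it parses the MountPoints2 block in the two log layouts that appear in this thread, flags entries where an executable is wired into AutoRun plus the drive verbs, and prints a removal list in the form OTMoveIt2 accepts. The {fa57b40d-...} key and H:\avc35.exe are taken from the logs posted here; the second key and its D:\ command are constructed as a control case that only sets AutoRun, which is what a vendor CD's autorun.inf ordinarily does.

```python
"""Triage MountPoints2 autorun entries from a ComboFix / DSS log (added example)."""
import re

# Constructed sample input. First block: the entry as ComboFix prints it in this
# thread. Second block: a made-up GUID in the DSS layout, AutoRun verb only.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa57b40d-6d2c-11dc-8c04-00142a5f0965}]
\Shell\AutoRun\command - H:\avc35.exe
\Shell\explore\command - H:\avc35.exe explore
\Shell\find\command - H:\avc35.exe
\Shell\open\command - H:\avc35.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
AutoRun\command- D:\Setup\launcher.exe /quiet
"""

# Key header: [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
MP2_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]{36}\})\]$",
    re.IGNORECASE,
)
# Verb line in either layout: "\Shell\open\command - X" or "open\command- X"
VERB_LINE = re.compile(r"^\\?(?:shell\\)?(\w+)\\command\s*-\s*(.+?)\s*$", re.IGNORECASE)
# First token of a command line, quoted or bare
TARGET = re.compile(r'^(?:"([^"]+)"|(\S+))')

# Verbs that change what Explorer does when the user opens the drive itself
DRIVE_VERBS = {"open", "explore", "find"}


def parse_mountpoints2(log_text):
    """Return {registry_key: {verb: command}} for every MountPoints2 block."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MP2_KEY.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if not line:
            current = None          # a blank line closes the key block
            continue
        if current is None:
            continue
        v = VERB_LINE.match(line)
        if v:
            entries[current][v.group(1).lower()] = v.group(2)
    return entries


def command_target(command):
    """Executable path at the front of a verb command, without its arguments."""
    m = TARGET.match(command)
    return (m.group(1) or m.group(2)) if m else command


def find_hijacks(entries):
    """Flag keys where AutoRun and at least one drive verb are overridden.

    A vendor autorun.inf normally sets AutoRun only; rewiring open/explore/find
    as well is the pattern of a USB worm that wants every way of opening the
    drive to run it.
    """
    findings = []
    for key, verbs in entries.items():
        overridden = sorted(DRIVE_VERBS & set(verbs))
        if "autorun" not in verbs or not overridden:
            continue
        targets = {}                # de-duplicate case-insensitively
        for cmd in verbs.values():
            t = command_target(cmd)
            targets.setdefault(t.lower(), t)
        findings.append({"key": key, "targets": sorted(targets.values()),
                         "verbs": sorted(verbs)})
    return findings


def otmoveit_list(findings):
    """Removal list in OTMoveIt2's paste format: [registry key], then file paths."""
    lines = []
    for f in findings:
        lines.append("[%s]" % f["key"])
        lines.extend(f["targets"])
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_hijacks(parse_mountpoints2(SAMPLE_LOG))
    for h in hits:
        print("HIJACK %s -> %s (verbs: %s)" % (h["key"], h["targets"], ", ".join(h["verbs"])))
    print(otmoveit_list(hits))
```

The flagged executable lives on the removable drive H:, not on C:, so a removal list like this only finds the file while that drive is plugged in. The MountPoints2 key is also only a per-user cache: Explorer rebuilds it from the drive's autorun.inf the next time the drive is inserted, so the key will reappear unless the stick itself is cleaned.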

#13 Aelius
  • Topic Starter
  • Members
  • 11 posts
  • Local time:10:54 PM

Posted 18 May 2008 - 08:17 PM

The OTMoveIt2 log:

< [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa57b40d-6d2c-11dc-8c04-00142a5f0965}] >
File/Folder [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa57b40d-6d2c-11dc-8c04-00142a5f0965}] not found.
File/Folder H:\avc35.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05182008_220720



The main dss log:

Deckard's System Scanner v20071014.68
Run by Juvêncio on 2008-05-18 22:11:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
34: 2008-05-19 01:11:54 UTC - RP98 - Deckard's System Scanner Restore Point
33: 2008-05-18 17:55:26 UTC - RP97 - System Checkpoint
32: 2008-05-16 22:37:51 UTC - RP96 - ComboFix created restore point
31: 2008-05-13 22:21:15 UTC - RP95 - System Checkpoint
30: 2008-05-10 21:13:22 UTC - RP94 - ComboFix created restore point


-- First Restore Point --
1: 2008-02-20 02:10:04 UTC - RP65 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.64 GiB (less than 15%) free.


-- HijackThis (run as Juvêncio.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:12:47, on 18/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Opera\Opera.exe
C:\Documents and Settings\Juvêncio\desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\JUVNCI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.marumushi.com/apps/newsmap/newsmap.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Arquivos de programas\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Arquivos de programas\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E31EFAE-AEAD-4D9F-9D39-2BBF74B445E6}: NameServer = 200.165.132.155 200.149.55.140
O17 - HKLM\System\CCS\Services\Tcpip\..\{43E4DDFF-E378-4892-8F8D-F36F9B442D4E}: Domain = @
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E31EFAE-AEAD-4D9F-9D39-2BBF74B445E6}: NameServer = 200.165.132.155 200.149.55.140
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7683 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 RMSPPPOE (WAN Miniport (PPP over Ethernet Protocol)) - c:\windows\system32\drivers\rmspppoe.sys <Not Verified; Robert Schlabbach; PPP over Ethernet Protocol>

S3 FreshIO - c:\arquivos de programas\freshdevices\freshdiagnose\freshio.sys (file missing)
S3 FXDrv32 - f:\fxdrv32.sys (file missing)
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\arquivos de programas\arquivos comuns\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 aawservice (Ad-Aware 2007 Service) - "c:\arquivos de programas\lavasoft\ad-aware 2007\aawservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 1628)
2007-09-20 18:34:58 129024 --a------ C:\Arquivos de programas\WinRAR\RarExt.dll
2006-05-14 01:23:40 138752 --a------ C:\Arquivos de programas\7-Zip\7-zip.dll
2007-12-14 17:21:29 262144 --a------ C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL <Not Verified; ZoneAlarm; ZoneAlarm Spy Blocker for Internet Explorer and Firefox>


-- Scheduled Tasks -------------------------------------------------------------

2008-05-15 17:09:02 300 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-14 20:37:47 788512 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-14 20:34:43 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-05-14 20:33:25 0 d-------- C:\Arquivos de programas\Lavasoft
2008-05-14 10:59:47 0 d-------- C:\kav
2008-05-12 21:16:19 0 d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2008-05-10 18:06:55 68096 --a------ C:\WINDOWS\zip.exe
2008-05-10 18:06:55 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-10 18:06:55 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-10 18:06:55 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-10 18:06:55 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-10 18:06:55 98816 --a------ C:\WINDOWS\sed.exe
2008-05-10 18:06:55 80412 --a------ C:\WINDOWS\grep.exe
2008-05-10 18:06:55 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-07 10:34:35 0 d-------- C:\Arquivos de programas\iPod
2008-05-07 10:34:27 0 d-------- C:\Arquivos de programas\iTunes
2008-04-19 08:43:41 0 d-------- C:\Arquivos de programas\Trend Micro
2008-04-19 07:18:37 0 d-------- C:\WINDOWS\Sun
2008-04-19 07:18:21 0 d-------- C:\Arquivos de programas\Sun
2008-04-19 07:17:21 0 d-------- C:\Arquivos de programas\Java
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-04-18 19:20:29 0 d-------- C:\WINDOWS\system32\Kaspersky Lab


-- Find3M Report ---------------------------------------------------------------

2008-05-18 21:33:37 0 d-------- C:\Arquivos de programas\Soulseek
2008-05-14 20:49:30 0 d-------- C:\Arquivos de programas\Alwil Software
2008-05-14 20:36:39 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-05-12 21:56:39 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Desktopicon
2008-05-12 21:16:34 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Malwarebytes
2008-05-07 10:56:40 0 d-------- C:\Arquivos de programas\Apple Software Update
2008-05-07 10:32:39 0 d-------- C:\Arquivos de programas\QuickTime
2008-05-04 08:05:49 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\uTorrent
2008-05-01 11:34:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\WinRAR
2008-04-21 09:40:45 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-04-19 07:18:37 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Sun
2008-04-19 07:15:29 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-04-13 18:50:11 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\Media Player Classic
2008-04-13 16:57:07 0 d-------- C:\Arquivos de programas\K-Lite Codec Pack
2008-04-12 12:04:15 0 d-------- C:\Arquivos de programas\Intel
2008-04-12 12:04:11 0 d-------- C:\Arquivos de programas\Realtek
2008-04-12 12:04:10 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-04-12 12:04:02 0 d-------- C:\Documents and Settings\Juvêncio\Dados de aplicativos\InstallShield
2008-04-12 12:03:56 425426 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-12 12:03:56 67450 --a------ C:\WINDOWS\system32\perfc016.dat
2008-03-04 12:33:18 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 20:19:50 3082 --a------ C:\WINDOWS\system32\affv208325p1now.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
14/12/2007 17:21 262144 --a------ C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Arquivos de programas\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [14/12/2007 17:21 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 07:06]
"WinPatrol"="C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [23/09/2007 14:30]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 09:50]
"USB Storage Toolbox"="C:\Arquivos de programas\USB Disk Win98 Driver\Res.EXE" [14/09/2005 19:44]
"RTHDCPL"="RTHDCPL.EXE" [10/08/2007 04:21 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [03/08/2007 02:22 C:\WINDOWS\SkyTel.exe]
"AlcWzrd"="ALCWZRD.EXE" [04/05/2006 05:26 C:\WINDOWS\ALCWZRD.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [13/06/2007 01:56]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [13/06/2007 01:55]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [13/06/2007 01:55]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [26/09/2007 23:04]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Google Updater.lnk - C:\Arquivos de programas\Google\Google Updater\GoogleUpdater.exe [26/9/2007 23:04:08]
Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [13/2/2001 09:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa57b40d-6d2c-11dc-8c04-00142a5f0965}]
AutoRun\command- H:\avc35.exe
explore\command- H:\avc35.exe explore
find\command- H:\avc35.exe
open\command- H:\avc35.exe




-- End of Deckard's System Scanner: finished at 2008-05-18 22:14:09 ------------


The dss extra log:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 1014.11 MiB / 579.19 MiB
Pagefile Memory (total/avail): 1661.29 MiB / 1230.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.36 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.25 GiB total, 2.64 GiB free.
D: is Fixed (FAT32) - 29.39 GiB total, 29.39 GiB free.
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD800BB-75JHC0 - 74.5 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 29.41 GiB - D:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.470.000 (Check Point, LTD.)
AV: avast! antivirus 4.7.1169 [VPS 080518-1] v4.7.1169 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"="C:\\Arquivos de programas\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"="C:\\Arquivos de programas\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Arquivos de programas\\iTunes\\iTunes.exe"="C:\\Arquivos de programas\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Juvêncio\Dados de aplicativos
CLASSPATH=.;C:\Arquivos de programas\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Arquivos de programas\Arquivos comuns
COMPUTERNAME=MALARIS
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Juvêncio
LOGONSERVER=\\MALARIS
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Arquivos de programas\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Arquivos de programas
PROMPT=$P$G
QTJAVA=C:\Arquivos de programas\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JUVNCI~1\CONFIG~1\Temp
TMP=C:\DOCUME~1\JUVNCI~1\CONFIG~1\Temp
tvdumpflags=8
USERDOMAIN=MALARIS
USERNAME=Juvêncio
USERPROFILE=C:\Documents and Settings\Juvêncio
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Juvêncio (admin)


-- Add/Remove Programs ---------------------------------------------------------

Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Arquivo do WinRAR --> C:\Arquivos de programas\WinRAR\uninstall.exe
µTorrent --> "C:\Arquivos de programas\uTorrent\uTorrent.exe" /UNINSTALL
avast! Antivirus --> rundll32 C:\ARQUIV~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
CCleaner (remove only) --> "C:\Arquivos de programas\CCleaner\uninst.exe"
HijackThis 2.0.2 --> "C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Malwarebytes' Anti-Malware --> "C:\Arquivos de programas\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional com FrontPage --> MsiExec.exe /I{90280416-6000-11D3-8CFE-0050048383C9}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
ZoneAlarm --> C:\Arquivos de programas\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3806 / Error
Event Submitted/Written: 05/18/2008 08:10:26 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 9.0.0.3250, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3805 / Error
Event Submitted/Written: 05/18/2008 08:10:24 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application wmplayer.exe, version 9.0.0.3250, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type3782 / Warning
Event Submitted/Written: 05/17/2008 09:12:14 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{5783F2D7-5001-0409-0002-0060B0CE6BBA}', feature 'AW' failed during request for component '{78A71021-F3B2-43BF-81F0-6BAD69F6AA3A}'

Event Record #/Type3781 / Warning
Event Submitted/Written: 05/17/2008 09:12:14 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{5783F2D7-5001-0409-0002-0060B0CE6BBA}', feature 'P', component '{889A2A90-6F1C-46E4-9DA2-80104F7CD866}' failed. The resource 'C:\WINDOWS\Downloaded Program Files\IDrop.ocx' does not exist.

Event Record #/Type3779 / Warning
Event Submitted/Written: 05/17/2008 09:11:51 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{5783F2D7-5001-0409-0002-0060B0CE6BBA}', feature 'AW' failed during request for component '{78A71021-F3B2-43BF-81F0-6BAD69F6AA3A}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type33116 / Error
Event Submitted/Written: 05/18/2008 09:48:45 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 30 minutes.
NtpClient has no source of accurate time.

Event Record #/Type33115 / Error
Event Submitted/Written: 05/18/2008 09:48:45 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'.
NtpClient will try the DNS lookup again in 30
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type33113 / Error
Event Submitted/Written: 05/18/2008 09:33:45 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type33112 / Error
Event Submitted/Written: 05/18/2008 09:33:45 PM
Event ID/Source: 17 / W32Time
Event Description:
Provedor de tempo NtpClient: erro durante a pesquisa de DNS do nível de protocolo 'time.windows.com,0x1' configurado
manualmente. O NtpClient fará uma nova tentativa em 15
minutos.
Erro: Uma operação de soquete foi tentada em um host inacessível. (0x80072751)

Event Record #/Type33111 / Warning
Event Submitted/Written: 05/18/2008 09:33:45 PM
Event ID/Source: 63 / RMSPPPOE
Event Description:
Received a PPPoE Session packet for an unknown session.
Ignoring this packet.



-- End of Deckard's System Scanner: finished at 2008-05-18 22:14:09 ------------

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:54 PM

Posted 19 May 2008 - 03:43 AM

Please plug in drive H: to do the following:
  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
===================================
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post that log in your next reply.
(Note: if you cannot open the log it produces, right-click on it and choose Rename.
Rename it to .txt and you will be able to open it.)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
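The note above relies on a simple property of the file system: if a directory named autorun.inf already occupies a drive root, a worm cannot drop an autorun.inf file there. As an added example (not part of kahdah's post or of the Flash_Disinfector tool), this Python script classifies each drive root as protected (autorun.inf is a directory), suspicious (autorun.inf is a file, whose launch entries it reports) or absent, using constructed sample roots under a temporary directory instead of real drives.

```python
import configparser
import os
import tempfile

# [autorun] keys that launch a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def _launch_entries(path):
    """Return the launch-related entries of an autorun.inf file."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read(path, encoding="latin-1")
    except configparser.Error:
        # Worm-written files are often not well-formed INI; report the raw text instead.
        with open(path, encoding="latin-1", errors="replace") as f:
            return {"raw": f.read()}
    # Section names are case-sensitive in configparser; accept [autorun] and [AutoRun] alike.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: v for k, v in parser[section].items() if k in LAUNCH_KEYS}

def classify_autorun(root):
    """Classify the autorun.inf entry at a drive root:
    ("protected", None)   a directory (the Flash_Disinfector approach)
    ("suspicious", dict)  a file; dict holds its open/shellexecute entries
    ("absent", None)      nothing named autorun.inf at the root
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return ("protected", None)
    if os.path.isfile(path):
        return ("suspicious", _launch_entries(path))
    return ("absent", None)

def make_sample_roots():
    """Create three constructed drive roots in a temp dir: C protected, H infected, D clean."""
    base = tempfile.mkdtemp(prefix="autorun-demo-")
    os.makedirs(os.path.join(base, "C", "autorun.inf"))  # protective folder, not a file
    os.makedirs(os.path.join(base, "H"))
    with open(os.path.join(base, "H", "autorun.inf"), "w") as f:
        f.write("[AutoRun]\nopen=setup.exe\nshellexecute=setup.exe\n")  # constructed sample
    os.makedirs(os.path.join(base, "D"))
    return {name: os.path.join(base, name) for name in ("C", "H", "D")}

if __name__ == "__main__":
    for name, root in make_sample_roots().items():
        print(f"{name}: {classify_autorun(root)}")
```

On a real machine, pass the actual drive roots (for example `C:\\`, `D:\\`, `H:\\`) to `classify_autorun` instead of the constructed ones.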

#15 Aelius

Aelius
  • Topic Starter

  • Members
  • 11 posts
  • Local time:10:54 PM

Posted 22 May 2008 - 06:35 PM

The Dr.Web CureIt log:

autorun.inf.vir C:\QooBox\Quarantine\C Win32.HLLW.Autoruner Eliminado.
kavo0.dll.vir C:\QooBox\Quarantine\C\WINDOWS\system32 Trojan.PWS.Wsgame.3605 Eliminado.
A0042607.bat C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP93 Provavelmente SCRIPT.Virus Incurável.Eliminado.
A0042652.bat C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP93 Provavelmente SCRIPT.Virus Incurável.Eliminado.
A0042674.dll C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP94 Trojan.PWS.Wsgame.3605 Eliminado.
A0042675.inf C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP94 Win32.HLLW.Autoruner Eliminado.
A0042689.bat C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP94 Provavelmente SCRIPT.Virus Incurável.Eliminado.
A0043750.bat C:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP96 Provavelmente SCRIPT.Virus Incurável.Eliminado.
A0040194.inf D:\System Volume Information\_restore{1A40D2DA-633D-4F8A-9162-2B07AFD1E6CB}\RP92 Win32.HLLW.Autoruner Eliminado.



