
Infected With Malware Protector 2008 And Antivirus Xp


5 replies to this topic

#1 Thiago Olávio

Thiago Olávio

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:38 PM

Posted 10 July 2008 - 01:45 PM

Suddenly those programs appeared on my PC!!! Please help me... here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33:59, on 10/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\TEMP\wyn3.tmp
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Arquivos de programas\Arquivos comuns\Teleca Shared\CapabilityManager.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\gwwspin.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\DNA\btdna.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pphcllhj0el2n.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\Arquivos comuns\Teleca Shared\Generic.exe
C:\Arquivos de programas\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqimzone.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
C:\Arquivos de programas\Spyware Doctor\pctsTray.exe
C:\Arquivos de programas\Spyware Doctor\pctsGui.exe
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mau\Desktop\HiJackThis.exe
C:\WINDOWS\system32\blphcllhj0el2n.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.77 bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Arquivos de programas\FlashGet\jccatch.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Arquivos de programas\FlashGet\getflash.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: pvnsmfor - {CB07D6A9-7491-4A84-B8E8-E846CC689DDC} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Arquivos de programas\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NSRKey] C:\ARQUIV~1\NORTON~1\NSR\Agent\NSRTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Glock Suite 1.1] C:\WINDOWS\system32\glock32.exe
O4 - HKLM\..\Run: [lphcllhj0el2n] C:\WINDOWS\system32\lphcllhj0el2n.exe
O4 - HKLM\..\Run: [ISTray] "C:\Arquivos de programas\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\gwwspin.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Photosmart Premier.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Arquivos de programas\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fzglqyyb - C:\WINDOWS\SYSTEM32\fzglqyyb32.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ad-Aware 2007 Service aawserviceNla (aawserviceNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Alerta AlerterRemoteRegistry (AlerterRemoteRegistry) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço 'Gateway de camada de aplicativo' ALGusnjsvc (ALGusnjsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Gerenciamento de aplicativo AppMgmt Office Groove Audit Service (AppMgmt Office Groove Audit Service) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de transferência inteligente de plano de fundo BITSwscsvcShellHWDetection (BITSwscsvcShellHWDetection) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: Serviço de indexação CiSvcodserv (CiSvcodserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de indexação CiSvcTapiSrvsrservice (CiSvcTapiSrvsrservice) - Unknown owner - C:\WINDOWS\
O23 - Service: Área de armazenamento ClipSrvupnphost (ClipSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32NtLmSsp (clr_optimization_v2.0.50727_32NtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Lic NetConnect service CLTNetCnServiceWmdmPmSN (CLTNetCnServiceWmdmPmSN) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Lic NetConnect service CLTNetCnServiceWmdmPmSN CLTNetCnServiceWmdmPmSNCLTNetCnService (CLTNetCnServiceWmdmPmSNCLTNetCnService) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Lic NetConnect service CLTNetCnServiceWmdmPmSN CLTNetCnServiceWmdmPmSNmnmsrvcdmadmin (CLTNetCnServiceWmdmPmSNmnmsrvcdmadmin) - Unknown owner - C:\WINDOWS\
O23 - Service: Aplicativo de sistema COM+ COMSysAppCiSvcodserv (COMSysAppCiSvcodserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviços de criptografia CryptSvcRSVP (CryptSvcRSVP) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviços de criptografia CryptSvcSCardSvr (CryptSvcSCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço administrativo do gerenciador de disco lógico dmadminRDSessMgrdmadmin (dmadminRDSessMgrdmadmin) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço administrativo do gerenciador de disco lógico dmadminSCardSvr (dmadminSCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço administrativo do gerenciador de disco lógico dmadminWmilanmanserver (dmadminWmilanmanserver) - Unknown owner - C:\WINDOWS\
O23 - Service: Gerenciador de discos lógicos dmserverWmilanmanserver (dmserverWmilanmanserver) - Unknown owner - C:\WINDOWS\
O23 - Service: Cliente DNS Dnscachestisvc (Dnscachestisvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Erro ao informar o serviço ERSvcupnphost (ERSvcupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Compatibilidade com 'Troca rápida de usuário' FastUserSwitchingCompatibilityClipSrv (FastUserSwitchingCompatibilityClipSrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Compatibilidade com 'Troca rápida de usuário' FastUserSwitchingCompatibilityClipSrv FastUserSwitchingCompatibilityClipSrvRSVPhelpsvc (FastUserSwitchingCompatibilityClipSrvRSVPhelpsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Compatibilidade com 'Troca rápida de usuário' FastUserSwitchingCompatibilityClipSrv FastUserSwitchingCompatibilityClipSrvwinmgmtNetDDE (FastUserSwitchingCompatibilityClipSrvwinmgmtNetDDE) - Unknown owner - C:\WINDOWS\
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Google Updater Service gusvc Service (gusvc Service) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Updater Service gusvcSENS (gusvcSENS) - Unknown owner - C:\WINDOWS\
O23 - Service: HID Input Service HidServDcomLaunch (HidServDcomLaunch) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Serviço iPod iPodDhcp (iPodDhcp) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço iPod iPodDhcp iPodDhcpWmdmPmSN (iPodDhcpWmdmPmSN) - Unknown owner - C:\WINDOWS\
O23 - Service: Servidor lanmanserverFastUserSwitchingCompatibility (lanmanserverFastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\
O23 - Service: Servidor lanmanserverFastUserSwitchingCompatibility lanmanserverFastUserSwitchingCompatibilityDcomLaunch (lanmanserverFastUserSwitchingCompatibilityDcomLaunch) - Unknown owner - C:\WINDOWS\
O23 - Service: Servidor lanmanserverFastUserSwitchingCompatibility lanmanserverFastUserSwitchingCompatibilityDcomLaunch lanmanserverFastUserSwitchingCompatibilityDcomLaunchSamSs (lanmanserverFastUserSwitchingCompatibilityDcomLaunchSamSs) - Unknown owner - C:\WINDOWS\
O23 - Service: Servidor lanmanserverFastUserSwitchingCompatibility lanmanserverFastUserSwitchingCompatibilityW32Time (lanmanserverFastUserSwitchingCompatibilityW32Time) - Unknown owner - C:\WINDOWS\
O23 - Service: Servidor lanmanserverWmiApSrv (lanmanserverWmiApSrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Estação de trabalho lanmanworkstationupnphost (lanmanworkstationupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Machine Debug Manager MDM Service (MDM Service) - Unknown owner - C:\WINDOWS\
O23 - Service: Mensageiro Messengerwuauserv (Messengerwuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcdmadmin (mnmsrvcdmadmin) - Unknown owner - C:\WINDOWS\
O23 - Service: Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcNtLmSsp (mnmsrvcNtLmSsp) - Unknown owner - C:\WINDOWS\
O23 - Service: Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcTrkWksAppMgmt (mnmsrvcTrkWksAppMgmt) - Unknown owner - C:\WINDOWS\
O23 - Service: Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcTrkWksAppMgmt mnmsrvcTrkWksAppMgmtsrservice (mnmsrvcTrkWksAppMgmtsrservice) - Unknown owner - C:\WINDOWS\
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: DSDM de DDE de rede NetDDEdsdmAlerter (NetDDEdsdmAlerter) - Unknown owner - C:\WINDOWS\
O23 - Service: DSDM de DDE de rede NetDDEdsdmAlerter NetDDEdsdmAlertersrservice (NetDDEdsdmAlertersrservice) - Unknown owner - C:\WINDOWS\
O23 - Service: Reconhecimento de local da rede (NLA) Nlaaspnet_state (Nlaaspnet_state) - Unknown owner - C:\WINDOWS\
O23 - Service: Reconhecimento de local da rede (NLA) Nlaaspnet_state Nlaaspnet_statelanmanworkstationupnphost (Nlaaspnet_statelanmanworkstationupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Fornecedor de suporte de segurança NT LM NtLmSspERSvcupnphost (NtLmSspERSvcupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Fornecedor de suporte de segurança NT LM NtLmSspERSvcupnphost NtLmSspERSvcupnphostupnphost (NtLmSspERSvcupnphostupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Fornecedor de suporte de segurança NT LM NtLmSspNVSvc (NtLmSspNVSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Serviços IPSEC PolicyAgentVSS (PolicyAgentVSS) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviços IPSEC PolicyAgentVSS PolicyAgentVSSPlugPlay (PolicyAgentVSSPlugPlay) - Unknown owner - C:\WINDOWS\
O23 - Service: Gerenciador de conexão de acesso remoto automático RasAutoBrowser (RasAutoBrowser) - Unknown owner - C:\WINDOWS\
O23 - Service: Gerenciador de conexão de acesso remoto automático RasAutoBrowser RasAutoBrowser Licensing Service (RasAutoBrowser Licensing Service) - Unknown owner - C:\WINDOWS\
O23 - Service: Gerenciador de conexão de acesso remoto automático RasAutoBrowser RasAutoBrowserBrowser (RasAutoBrowserBrowser) - Unknown owner - C:\WINDOWS\
O23 - Service: Gerenciador de conexão de acesso remoto automático RasAutoBrowser RasAutoBrowserBrowser RasAutoBrowserBrowserCryptSvc (RasAutoBrowserBrowserCryptSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Gerenciador de sessão de ajuda de área de trabalho remota RDSessMgrdmadmin (RDSessMgrdmadmin) - Unknown owner - C:\WINDOWS\
O23 - Service: Alocador Remote Procedure Call (RPC) RpcLocatorRDSessMgr (RpcLocatorRDSessMgr) - Unknown owner - C:\WINDOWS\
O23 - Service: Chamada de procedimento remoto (RPC) RpcSsWmi (RpcSsWmi) - Unknown owner - C:\WINDOWS\
O23 - Service: QoS RSVP RSVPhelpsvc (RSVPhelpsvc) - Unknown owner - C:\WINDOWS\
O23 - Service: QoS RSVP RSVPhelpsvc RSVPhelpsvcmnmsrvcdmadmin (RSVPhelpsvcmnmsrvcdmadmin) - Unknown owner - C:\WINDOWS\
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Arquivos de programas\Spyware Doctor\pctsSvc.exe
O23 - Service: Logon secundário seclogonWLSetupSvc (seclogonWLSetupSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Firewall do Windows/Compartilhamento de Conexão com a Internet (ICS) SharedAccessRasMan (SharedAccessRasMan) - Unknown owner - C:\WINDOWS\
O23 - Service: Firewall do Windows/Compartilhamento de Conexão com a Internet (ICS) SharedAccesssrservice (SharedAccesssrservice) - Unknown owner - C:\WINDOWS\
O23 - Service: Detecção do hardware do shell ShellHWDetectionNetDDEdsdm (ShellHWDetectionNetDDEdsdm) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de restauração do sistema srservicesrservice (srservicesrservice) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de descoberta SSDP SSDPSRVNla (SSDPSRVNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Logs e alertas de desempenho SysmonLogClipSrvupnphost (SysmonLogClipSrvupnphost) - Unknown owner - C:\WINDOWS\
O23 - Service: Telefonia TapiSrvsrservice (TapiSrvsrservice) - Unknown owner - C:\WINDOWS\
O23 - Service: Temas ThemesCryptSvc (ThemesCryptSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Cliente de rastreamento de link distribuído TrkWksAppMgmt (TrkWksAppMgmt) - Unknown owner - C:\WINDOWS\
O23 - Service: Cliente de rastreamento de link distribuído TrkWksdmserverWmilanmanserver (TrkWksdmserverWmilanmanserver) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows User Mode Driver Framework UMWdfSharedAccess (UMWdfSharedAccess) - Unknown owner - C:\WINDOWS\
O23 - Service: Host de dispositivo Plug and Play universal upnphostMSDTC (upnphostMSDTC) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader usnjsvcDcomLaunch (usnjsvcDcomLaunch) - Unknown owner - C:\WINDOWS\
O23 - Service: Horário do Windows W32TimeaawserviceNla (W32TimeaawserviceNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Horário do Windows W32TimeCryptSvc (W32TimeCryptSvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Horário do Windows W32TimeHidServ (W32TimeHidServ) - Unknown owner - C:\WINDOWS\
O23 - Service: Horário do Windows W32TimeSwPrv (W32TimeSwPrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Horário do Windows W32TimeSwPrv W32TimeSwPrvSSDPSRVNla (W32TimeSwPrvSSDPSRVNla) - Unknown owner - C:\WINDOWS\
O23 - Service: Testador de instrumentação de gerenciam. do Windows winmgmtNetDDE (winmgmtNetDDE) - Unknown owner - C:\WINDOWS\
O23 - Service: Testador de instrumentação de gerenciam. do Windows winmgmtNetDDE winmgmtNetDDEclr_optimization_v2.0.50727_32 (winmgmtNetDDEclr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\
O23 - Service: Testador de instrumentação de gerenciam. do Windows winmgmtNetDDE winmgmtNetDDEWmiApSrv (winmgmtNetDDEWmiApSrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Live Setup Service WLSetupSvcSharedAccessRasMan (WLSetupSvcSharedAccessRasMan) - Unknown owner - C:\WINDOWS\
O23 - Service: Windows Live Setup Service WLSetupSvcwscsvcShellHWDetection (WLSetupSvcwscsvcShellHWDetection) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de Número de Série de Mídia Portátil WmdmPmSNDcomLaunch (WmdmPmSNDcomLaunch) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de Número de Série de Mídia Portátil WmdmPmSNDcomLaunch WmdmPmSNDcomLaunchSCardSvr (WmdmPmSNDcomLaunchSCardSvr) - Unknown owner - C:\WINDOWS\
O23 - Service: Serviço de Número de Série de Mídia Portátil WmdmPmSNsrservice (WmdmPmSNsrservice) - Unknown owner - C:\WINDOWS\
O23 - Service: Adaptador de desempenho WMI WmiApSrvInCDsrv (WmiApSrvInCDsrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Extensões de driver de instrum. gerenc. do Windows WmiAudioSrv (WmiAudioSrv) - Unknown owner - C:\WINDOWS\
O23 - Service: Extensões de driver de instrum. gerenc. do Windows Wmilanmanserver (Wmilanmanserver) - Unknown owner - C:\WINDOWS\
O23 - Service: Central de Segurança wscsvcShellHWDetection (wscsvcShellHWDetection) - Unknown owner - C:\WINDOWS\

--
End of file - 25972 bytes


thanks
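A triage pass over lines like the ones in the log above, as an added example that is neither HijackThis's own logic nor part of the original post: it flags hosts-file redirects, programs running from TEMP or the drive root, Winlogon Notify DLLs, and O23 services with no owner and a bare C:\WINDOWS\ path. The sample lines are copied from the log; the heuristics and function names are this example's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above,
# with a few benign entries in the same format kept for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\wyn3.tmp
C:\gwwspin.exe
C:\WINDOWS\system32\pphcllhj0el2n.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE

O1 - Hosts: 124.217.252.77 www.bravesentry.com
O1 - Hosts: 124.217.252.78 secure.isoftpay.com
O1 - Hosts: 124.217.252.77 www.bravesentry.com
O3 - Toolbar: pvnsmfor - {CB07D6A9-7491-4A84-B8E8-E846CC689DDC} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [lphcllhj0el2n] C:\WINDOWS\system32\lphcllhj0el2n.exe
O4 - HKCU\..\Run: [WintelUpdate] C:\gwwspin.exe
O20 - Winlogon Notify: fzglqyyb - C:\WINDOWS\SYSTEM32\fzglqyyb32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cliente DNS Dnscachestisvc (Dnscachestisvc) - Unknown owner - C:\WINDOWS\
O23 - Service: Reconhecimento de local da rede (NLA) Nlaaspnet_state (Nlaaspnet_state) - Unknown owner - C:\WINDOWS\
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")
# Description may itself contain parentheses, so the lazy group extends until
# the last "(name) - owner - path" tail matches.
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)          # e.g. C:\gwwspin.exe
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|scr|dll|com))"?', re.I)


def path_findings(path):
    """Reasons a binary's location looks wrong for legitimate software (heuristics assumed here)."""
    reasons = []
    low = path.lower()
    if "\\temp\\" in low or low.endswith(".tmp"):
        reasons.append("runs from a temporary location")
    if ROOT_EXE.match(path):
        reasons.append("binary sits in the drive root")
    if low.endswith("\\"):
        reasons.append("path is a bare directory, not a binary")
    return reasons


def executable_of(cmd):
    """Reduce an O4 command line to its executable: drop quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m["exe"] if m else cmd.strip()


def triage(log_text):
    """Walk a HijackThis log; return (section, line, reason) for entries worth a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:                      # blank line closes the process list
            in_processes = False
            continue
        if in_processes:
            findings += [("process", line, r) for r in path_findings(line)]
            continue
        section = line.split(" - ", 1)[0]
        if "(file missing)" in line.lower():
            findings.append((section, line, "registered binary is missing on disk"))
        if m := O1_RE.match(line):
            findings.append(("O1", line, f"hosts file pins {m['host']} to {m['ip']}"))
        elif m := O4_RE.match(line):
            findings += [("O4", line, r) for r in path_findings(executable_of(m["cmd"]))]
        elif m := O20_RE.match(line):
            findings.append(("O20", line, "DLL loaded by winlogon at logon; confirm its publisher"))
        elif m := O23_RE.match(line):
            findings += [("O23", line, r) for r in path_findings(m["path"])]
            if m["owner"].lower() == "unknown owner":
                findings.append(("O23", line, "no publisher recorded for the service"))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    counts = {}
    for section, _line, _reason in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, line, reason in hits:
        print(f"[{section}] {reason}\n    {line}")
    print(summarize(hits))
```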



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:05:38 PM

Posted 12 July 2008 - 09:36 PM

Hello Thiago Olávio and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Thiago Olávio

Thiago Olávio
  • Topic Starter


Posted 13 July 2008 - 05:11 PM

Hi and thanks for the first help... so... I did everything you said and here is the file from OTScanIt... what would I do now?

thanks

Attached Files


Edited by Thiago Olávio, 13 July 2008 - 05:38 PM.


#4 OldTimer

OldTimer

    Malware Expert



Posted 13 July 2008 - 06:23 PM

Hi Thiago Olávio. That is one messed up machine. I'm not sure it can even be fixed but we will give it a try. Before we do that we need to find a system file to replace one that is infected. When we do the fix, you will need to boot to the XP CD and run the Recovery Console to manually replace the file since you will not be able to boot back into Windows directly.

Run the scan below so we can see if a backup copy of the file is present on the system:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the None button on the toolbar.
  • Copy/paste the text in the code box below into the Custom Scans editbox:
    c:\windows\userinit.exe /s
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

Cheers.

OT


#5 Thiago Olávio

Thiago Olávio
  • Topic Starter


Posted 15 July 2008 - 10:21 AM

Here it is:

OTScanIt logfile created on: 15/7/2008 12:18:29
OTScanIt by OldTimer - Version 1.0.16.2	 Folder = C:\Documents and Settings\Mau\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy
 
1023,23 Mb Total Physical Memory | 527,29 Mb Available Physical Memory | 51,53% Memory free
2,40 Gb Paging File | 1,77 Gb Available in Paging File | 73,53% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 232,88 Gb Total Space | 28,42 Gb Free Space | 12,20% Space Free | Partition Type: NTFS
Drive D: | 4,36 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
Drive E: | 600,61 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BELAGGIO
Current User Name: Mau
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user


[Manual Scans]
< c:\windows\userinit.exe /s >
c:\windows\system32\ -> c:\WINDOWS\system32 ->  [Folder | Modified Date = 15/7/2008 12:11:20 | Attr =	]
userinit.exe -> c:\WINDOWS\system32\userinit.exe ->  [Ver =  | Size = 24576 bytes | Modified Date = 9/5/2008 22:04:12 | Attr =	]
110 c:\windows\system32\*.tmp files -> c:\windows\system32\*.tmp -> 
c:\windows\system32\dllcache\ -> c:\WINDOWS\system32\dllcache ->  [Folder | Modified Date = 11/7/2008 17:51:06 | Attr = RHS]
userinit.exe -> c:\WINDOWS\system32\dllcache\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 4/8/2004 00:45:46 | Attr =	]
< End of report >
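As an added illustration (not code from the thread or from OTScanIt), here is a small Python parser for the [Manual Scans] block above; it compares the two userinit.exe entries and reports why the dllcache copy is the one worth restoring. The report text is constructed from the log above, and the verdict keys are my own naming.

```python
import re
from datetime import datetime

# Constructed sample: the [Manual Scans] block from the OTScanIt log above.
OTSCANIT_MANUAL_SCAN = """\
< c:\\windows\\userinit.exe /s >
c:\\windows\\system32\\ -> c:\\WINDOWS\\system32 ->  [Folder | Modified Date = 15/7/2008 12:11:20 | Attr =\t]
userinit.exe -> c:\\WINDOWS\\system32\\userinit.exe ->  [Ver =  | Size = 24576 bytes | Modified Date = 9/5/2008 22:04:12 | Attr =\t]
110 c:\\windows\\system32\\*.tmp files -> c:\\windows\\system32\\*.tmp -> 
c:\\windows\\system32\\dllcache\\ -> c:\\WINDOWS\\system32\\dllcache ->  [Folder | Modified Date = 11/7/2008 17:51:06 | Attr = RHS]
userinit.exe -> c:\\WINDOWS\\system32\\dllcache\\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 24576 bytes | Modified Date = 4/8/2004 00:45:46 | Attr =\t]
< End of report >
"""

# One OTScanIt entry: "<name> -> <full path> -> <company> [field | field | ...]"
ENTRY_RE = re.compile(
    r"^(?P<name>\S.*?) -> (?P<path>[A-Za-z]:\\[^\[]*?) -> (?P<company>[^\[]*)\[(?P<fields>.*)\]\s*$"
)
# OTScanIt printed dates in the machine's locale format (d/M/yyyy, see the log header).
DATE_FMT = "%d/%m/%Y %H:%M:%S"


def parse_fields(raw):
    """Turn 'Ver = 1.0 | Size = 24576 bytes | Attr = RHS' into a dict."""
    fields = {}
    for part in raw.split(" | "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
        else:                      # bare flag such as 'Folder'
            fields[part.strip()] = True
    return fields


def parse_entries(report):
    """Return the file and folder entries found in an OTScanIt manual-scan report."""
    entries = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if not m:                  # header, footer and wildcard-count lines
            continue
        f = parse_fields(m.group("fields"))
        size = f.get("Size", "")
        entries.append({
            "name": m.group("name"),
            "path": m.group("path"),
            "company": m.group("company").strip(),
            "is_folder": "Folder" in f,
            "version": f.get("Ver", ""),
            "size": int(size.split()[0]) if size else None,
            "modified": datetime.strptime(f["Modified Date"], DATE_FMT),
            "attr": f.get("Attr", ""),
        })
    return entries


def assess_userinit(entries):
    """Compare the live userinit.exe with the dllcache copy and pick a restore source.

    The logic mirrors the reasoning in the thread: a system file with no version
    resource and no company name, modified years after the SP2 copy in dllcache,
    is the suspect one; a dllcache copy that still carries Microsoft's version
    string is the one to copy back.
    """
    copies = [e for e in entries if not e["is_folder"] and e["name"].lower() == "userinit.exe"]
    live = next(e for e in copies if "\\dllcache\\" not in e["path"].lower())
    cache = next(e for e in copies if "\\dllcache\\" in e["path"].lower())
    cache_looks_genuine = bool(cache["version"]) and cache["company"] == "Microsoft Corporation"
    live_suspect = not live["version"] and not live["company"]
    return {
        "live_version": live["version"],
        "cache_version": cache["version"],
        "same_size": live["size"] == cache["size"],   # equal size proves nothing by itself
        "live_newer_than_cache": live["modified"] > cache["modified"],
        "live_suspect": live_suspect,
        "restore_source": cache["path"] if (live_suspect and cache_looks_genuine) else None,
    }


if __name__ == "__main__":
    verdict = assess_userinit(parse_entries(OTSCANIT_MANUAL_SCAN))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```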


#6 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina
  • Local time:05:38 PM

Posted 16 July 2008 - 11:03 AM

Hi Thiago Olávio. It looks like there is a good copy of userinit.exe there so we can use that. After running the Avenger program in step 1, you might not be able to boot back into Windows. If that happens then follow the directions for booting to the Recovery Console and copying the userinit.exe to the proper location. You will need your XP CD to do this so have it handy. If you can boot into Windows then you do not need to perform that step to replace userinit.exe.

Ok, let's get started. Print these instructions off so you will have them available in case you cannot boot back into Windows. Then follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
aawserviceNla
AlerterRemoteRegistry
ALGusnjsvc
AppMgmt Office Groove Audit Service
BITSwscsvcShellHWDetection
bnn47
CiSvcodserv
CiSvcTapiSrvsrservice
CiSvcupnphost
ClipSrvupnphost
clr_optimization_v2.0.50727_32NtLmSsp
CLTNetCnServiceWmdmPmSN
CLTNetCnServiceWmdmPmSNCLTNetCnService
CLTNetCnServiceWmdmPmSNmnmsrvcdmadmin
CLTNetCnServiceWmdmPmSNmnmsrvcdmadminW32TimeCryptSvc
COMSysAppCiSvcodserv
CryptSvcRSVP
CryptSvcSCardSvr
cww51
dmadminRasAuto
dmadminRDSessMgrdmadmin
dmadminSCardSvr
dmadminWmilanmanserver
dmserverWmilanmanserver
Dnscachestisvc
eeCtrl
EraserUtilDrv10621
ERSvcupnphost
FastUserSwitchingCompatibilityClipSrv
FastUserSwitchingCompatibilityClipSrvgusvcSENS
FastUserSwitchingCompatibilityClipSrvRSVPhelpsvc
FastUserSwitchingCompatibilityClipSrvwinmgmtNetDDE
gusvc Service
gusvcSENS
gusvcSENSmnmsrvc
HidServDcomLaunch
iPodDhcp
iPodDhcpWmdmPmSN
kua81
lanmanserverFastUserSwitchingCompatibility
lanmanserverFastUserSwitchingCompatibilityDcomLaunch
lanmanserverFastUserSwitchingCompatibilityDcomLaunchSamSs
lanmanserverFastUserSwitchingCompatibilityW32Time
lanmanserverWmiApSrv
lanmanworkstationupnphost
Lqn46
MDM Service
Messengerwuauserv
mnmsrvcdmadmin
mnmsrvcNtLmSsp
mnmsrvcTrkWksAppMgmt
mnmsrvcTrkWksAppMgmtsrservice
NetDDEdsdmAlerter
NetDDEdsdmAlertersrservice
Nlaaspnet_state
Nlaaspnet_statelanmanworkstationupnphost
NtLmSspERSvcupnphost
NtLmSspERSvcupnphostupnphost
NtLmSspNVSvc
PciCon
PolicyAgentVSS
PolicyAgentVSSPlugPlay
RasAutoBrowser
RasAutoBrowser Licensing Service
RasAutoBrowserBrowser
RasAutoBrowserBrowserCryptSvc
RDSessMgrdmadmin
RpcLocatorRDSessMgr
RpcSsWmi
RSVPhelpsvc
RSVPhelpsvcmnmsrvcdmadmin
seclogonWLSetupSvc
SharedAccessRasMan
SharedAccesssrservice
ShellHWDetectionNetDDEdsdm
srservicesrservice
SSDPSRVNla
SysmonLogClipSrvupnphost
sysrest.sys
TapiSrvsrservice
tcpsr
ThemesCryptSvc
TrkWksAppMgmt
TrkWksdmserverWmilanmanserver
UMWdfSharedAccess
upnphostMSDTC
usnjsvcDcomLaunch
VSSaspnet_state
W32TimeaawserviceNla
W32TimeCryptSvc
W32TimeHidServ
W32TimeSwPrv
W32TimeSwPrvMSDTC
W32TimeSwPrvSSDPSRVNla
Winaf86
Winau25
Winbe12
Winbo82
Wincm03
Windb71
Windg28
Windn26
Windn33
Windn44
Winee86
Winej03
Winej27
Winel28
Wineo51
Wineq48
Winet22
Winfh63
Winfk02
Winfk47
Winfk62
Winfp73
Winfr66
Winge85
Wingo71
Wings74
Wingv35
Winha06
Winhc03
Winhj35
Winhw36
Winia33
Winib38
Winik03
Winix14
Winje88
Winjh16
Winjm24
Winjw12
Winjw63
Winka24
Winkr26
Winks33
Winkw60
Winlt28
Winmc87
winmgmtNetDDE
winmgmtNetDDEclr_optimization_v2.0.50727_32
winmgmtNetDDEWmiApSrv
Winmm01
Winmp36
Winmt60
Winnd00
Winnf17
Winnl17
Winnp05
Winnp16
Winns10
Winns41
Winnu68
Winoe56
Winoo41
Winps25
Winpx36
Winqo71
Winqx18
Winqx22
Winrk12
Winrm40
Winru36
Winry27
Winsb17
Winsk74
Winsl22
Winsn36
Winsu08
Wintt14
Winui87
Winuk22
Winuw47
Winvj44
Winvl55
Winwh16
Winwk86
Winwo85
Winwr76
Winwy44
Winxi00
Winxq56
Winyh00
Winyh15
Winyj47
Winyl15
Winyq04
Winyv71
WLSetupSvcSharedAccessRasMan
WLSetupSvcwscsvcShellHWDetection
WmdmPmSNDcomLaunch
WmdmPmSNDcomLaunchSCardSvr
WmdmPmSNsrservice
WmdmPmSNsrservicesrservice
WmiApSrvInCDsrv
WmiAudioSrv
Wmilanmanserver
wscsvcShellHWDetection
Files to delete:
%allusersprofile%\desktop\antivirus xp 2008.lnk
%allusersprofile%\desktop\malware protector 2008.lnk
%commonprogramfiles%\symantec shared\eengine\eectrl.sys
%commonprogramfiles%\symantec shared\eengine\eraserutildrv10621.sys
%systemdrive%\gwwspin.exe
%systemroot%\system32\1025q.dll
%systemroot%\system32\878130967.dat
%systemroot%\system32\activedsk.sys
%systemroot%\system32\appendy.sys
%systemroot%\system32\blphcllhj0el2n.scr
%systemroot%\system32\drivers\bnn47.sys
%systemroot%\system32\drivers\cww51.sys
%systemroot%\system32\drivers\kua81.sys
%systemroot%\system32\drivers\lqn46.sys
%systemroot%\system32\drivers\tcpsr.sys
%systemroot%\system32\drivers\winaf86.sys
%systemroot%\system32\drivers\winau25.sys
%systemroot%\system32\drivers\winbe12.sys
%systemroot%\system32\drivers\winbo82.sys
%systemroot%\system32\drivers\wincm03.sys
%systemroot%\system32\drivers\windb71.sys
%systemroot%\system32\drivers\windg28.sys
%systemroot%\system32\drivers\windn26.sys
%systemroot%\system32\drivers\windn33.sys
%systemroot%\system32\drivers\windn44.sys
%systemroot%\system32\drivers\winee86.sys
%systemroot%\system32\drivers\winej03.sys
%systemroot%\system32\drivers\winej27.sys
%systemroot%\system32\drivers\winel28.sys
%systemroot%\system32\drivers\wineo51.sys
%systemroot%\system32\drivers\wineq48.sys
%systemroot%\system32\drivers\winet22.sys
%systemroot%\system32\drivers\winfh63.sys
%systemroot%\system32\drivers\winfk02.sys
%systemroot%\system32\drivers\winfk47.sys
%systemroot%\system32\drivers\winfk62.sys
%systemroot%\system32\drivers\winfp73.sys
%systemroot%\system32\drivers\winfr66.sys
%systemroot%\system32\drivers\winge85.sys
%systemroot%\system32\drivers\wingo71.sys
%systemroot%\system32\drivers\wings74.sys
%systemroot%\system32\drivers\wingv35.sys
%systemroot%\system32\drivers\winha06.sys
%systemroot%\system32\drivers\winhc03.sys
%systemroot%\system32\drivers\winhj35.sys
%systemroot%\system32\drivers\winhw36.sys
%systemroot%\system32\drivers\winia33.sys
%systemroot%\system32\drivers\winib38.sys
%systemroot%\system32\drivers\winik03.sys
%systemroot%\system32\drivers\winix14.sys
%systemroot%\system32\drivers\winje88.sys
%systemroot%\system32\drivers\winjh16.sys
%systemroot%\system32\drivers\winjm24.sys
%systemroot%\system32\drivers\winjw12.sys
%systemroot%\system32\drivers\winjw63.sys
%systemroot%\system32\drivers\winka24.sys
%systemroot%\system32\drivers\winkr26.sys
%systemroot%\system32\drivers\winks33.sys
%systemroot%\system32\drivers\winkw60.sys
%systemroot%\system32\drivers\winlt28.sys
%systemroot%\system32\drivers\winmc87.sys
%systemroot%\system32\drivers\winmm01.sys
%systemroot%\system32\drivers\winmp36.sys
%systemroot%\system32\drivers\winmt60.sys
%systemroot%\system32\drivers\winnd00.sys
%systemroot%\system32\drivers\winnf17.sys
%systemroot%\system32\drivers\winnl17.sys
%systemroot%\system32\drivers\winnp05.sys
%systemroot%\system32\drivers\winnp16.sys
%systemroot%\system32\drivers\winns10.sys
%systemroot%\system32\drivers\winns41.sys
%systemroot%\system32\drivers\winnu68.sys
%systemroot%\system32\drivers\winoe56.sys
%systemroot%\system32\drivers\winoo41.sys
%systemroot%\system32\drivers\winps25.sys
%systemroot%\system32\drivers\winpx36.sys
%systemroot%\system32\drivers\winqo71.sys
%systemroot%\system32\drivers\winqx18.sys
%systemroot%\system32\drivers\winqx22.sys
%systemroot%\system32\drivers\winrk12.sys
%systemroot%\system32\drivers\winrm40.sys
%systemroot%\system32\drivers\winru36.sys
%systemroot%\system32\drivers\winry27.sys
%systemroot%\system32\drivers\winsb17.sys
%systemroot%\system32\drivers\winsk74.sys
%systemroot%\system32\drivers\winsl22.sys
%systemroot%\system32\drivers\winsn36.sys
%systemroot%\system32\drivers\winsu08.sys
%systemroot%\system32\drivers\wintt14.sys
%systemroot%\system32\drivers\winui87.sys
%systemroot%\system32\drivers\winuk22.sys
%systemroot%\system32\drivers\winuw47.sys
%systemroot%\system32\drivers\winvj44.sys
%systemroot%\system32\drivers\winvl55.sys
%systemroot%\system32\drivers\winwh16.sys
%systemroot%\system32\drivers\winwk86.sys
%systemroot%\system32\drivers\winwo85.sys
%systemroot%\system32\drivers\winwr76.sys
%systemroot%\system32\drivers\winwy44.sys
%systemroot%\system32\drivers\winxi00.sys
%systemroot%\system32\drivers\winxq56.sys
%systemroot%\system32\drivers\winyh00.sys
%systemroot%\system32\drivers\winyh15.sys
%systemroot%\system32\drivers\winyj47.sys
%systemroot%\system32\drivers\winyl15.sys
%systemroot%\system32\drivers\winyq04.sys
%systemroot%\system32\drivers\winyv71.sys
%systemroot%\system32\fzglqyyb32.dll
%systemroot%\system32\lphcllhj0el2n.exe
%systemroot%\system32\phcllhj0el2n.bmp
%systemroot%\system32\pphcllhj0el2n.exe
%systemroot%\system32\sysrest.sys
%systemroot%\system32\sysrest32.exe
%systemroot%\system32\winctrl32.dl_
%systemroot%\system32\winctrl32.dll
%systemroot%\system32\winnt32.dll
%systemroot%\system32\xgdsi.dll
%systemroot%\temp\pfo3.tmp
c:\documents and settings\all users\dados de aplicativos\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\dados de aplicativos\microsoft\network\downloader\qmgr1.dat
d:\pcicon.sys
Folders to delete:
%appdata%\rhcglhj0el2n
%appdata%\shcjlhj0el2n
%programfiles%\rhcglhj0el2n
%programfiles%\shcjlhj0el2n

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Step #2

If you cannot boot back into Windows then proceed with this step. Otherwise skip this step and continue with the next step.

Boot into the Recovery Console by following these steps:
  • Insert the Windows CD and restart your computer. Follow your computer's prompts to boot from the CD. (You might need to adjust settings in the computer's BIOS to enable the option to boot from a CD.)
  • Follow the setup prompts to load the basic Windows startup files. At the Welcome To Setup screen press R to start the Recovery Console.
  • Enter the number of the Windows installation you want to access from the Recovery Console.
  • When prompted, type the Administrator password. If you're using the Recovery Console on a system running Windows XP Home Edition, this password is blank by default, so just press Enter.
At the command prompt type the following commands exactly as they appear, pressing the Enter key after each command:
    c:
    cd\windows\system32\dllcache
    attrib -s -h -r userinit.exe
    copy userinit.exe c:\windows\system32
    exit
After the system exits from the last command it should reboot. Try and boot normally from there and continue with the rest of the steps.

Step #3

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> pfo3.tmp -> %SystemRoot%\Temp\pfo3.tmp
YY -> blphcllhj0el2n.scr -> %SystemRoot%\system32\blphcllhj0el2n.scr
YY -> sysrest32.exe -> %SystemRoot%\system32\sysrest32.exe
YY -> gwwspin.exe -> %SystemDrive%\gwwspin.exe
YY -> blphcllhj0el2n.scr -> %SystemRoot%\system32\blphcllhj0el2n.scr
YY -> blphcllhj0el2n.scr -> %SystemRoot%\system32\blphcllhj0el2n.scr
YY -> blphcllhj0el2n.scr -> %SystemRoot%\system32\blphcllhj0el2n.scr
YY -> blphcllhj0el2n.scr -> %SystemRoot%\system32\blphcllhj0el2n.scr
YY -> blphcllhj0el2n.scr -> %SystemRoot%\system32\blphcllhj0el2n.scr
[Win32 Services - Non-Microsoft Only]
NY -> (aawserviceNla) Ad-Aware 2007 Service aawserviceNla [Win32_Own | Auto | Stopped] -> 
NY -> (AlerterRemoteRegistry) Alerta AlerterRemoteRegistry [Win32_Own | Auto | Stopped] -> 
NY -> (ALGusnjsvc) Serviço 'Gateway de camada de aplicativo' ALGusnjsvc [Win32_Own | Auto | Stopped] -> 
NY -> (AppMgmt Office Groove Audit Service) Gerenciamento de aplicativo AppMgmt Office Groove Audit Service [Win32_Own | Auto | Stopped] -> 
NY -> (BITSwscsvcShellHWDetection) Serviço de transferência inteligente de plano de fundo BITSwscsvcShellHWDetection [Win32_Own | Auto | Stopped] -> 
NY -> (CiSvcodserv) Serviço de indexação CiSvcodserv [Win32_Own | Auto | Stopped] -> 
NY -> (CiSvcTapiSrvsrservice) Serviço de indexação CiSvcTapiSrvsrservice [Win32_Own | Auto | Stopped] -> 
NY -> (CiSvcupnphost) Serviço de indexação CiSvcupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (ClipSrvupnphost) Área de armazenamento ClipSrvupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (clr_optimization_v2.0.50727_32NtLmSsp) .NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2.0.50727_32NtLmSsp [Win32_Own | Auto | Stopped] -> 
NY -> (CLTNetCnServiceWmdmPmSN) Symantec Lic NetConnect service CLTNetCnServiceWmdmPmSN [Win32_Own | Auto | Stopped] -> 
NY -> (CLTNetCnServiceWmdmPmSNCLTNetCnService) Symantec Lic NetConnect service CLTNetCnServiceWmdmPmSN CLTNetCnServiceWmdmPmSNCLTNetCnService [Win32_Own | Auto | Stopped] -> 
NY -> (CLTNetCnServiceWmdmPmSNmnmsrvcdmadmin) Symantec Lic NetConnect service CLTNetCnServiceWmdmPmSN CLTNetCnServiceWmdmPmSNmnmsrvcdmadmin [Win32_Own | Auto | Stopped] -> 
NY -> (CLTNetCnServiceWmdmPmSNmnmsrvcdmadminW32TimeCryptSvc) Symantec Lic NetConnect service CLTNetCnServiceWmdmPmSN CLTNetCnServiceWmdmPmSNmnmsrvcdmadmin CLTNetCnServiceWmdmPmSNmnmsrvcdmadminW32TimeCryptSvc [Win32_Own | Auto | Stopped] -> 
NY -> (COMSysAppCiSvcodserv) Aplicativo de sistema COM+ COMSysAppCiSvcodserv [Win32_Own | Auto | Stopped] -> 
NY -> (CryptSvcRSVP) Serviços de criptografia CryptSvcRSVP [Win32_Own | Auto | Stopped] -> 
NY -> (CryptSvcSCardSvr) Serviços de criptografia CryptSvcSCardSvr [Win32_Own | Auto | Stopped] -> 
NY -> (dmadminRDSessMgrdmadmin) Serviço administrativo do gerenciador de disco lógico dmadminRDSessMgrdmadmin [Win32_Own | Auto | Stopped] -> 
NY -> (dmadminSCardSvr) Serviço administrativo do gerenciador de disco lógico dmadminSCardSvr [Win32_Own | Auto | Stopped] -> 
NY -> (dmadminWmilanmanserver) Serviço administrativo do gerenciador de disco lógico dmadminWmilanmanserver [Win32_Own | Auto | Stopped] -> 
NY -> (dmserverWmilanmanserver) Gerenciador de discos lógicos dmserverWmilanmanserver [Win32_Own | Auto | Stopped] -> 
NY -> (Dnscachestisvc) Cliente DNS Dnscachestisvc [Win32_Own | Auto | Stopped] -> 
NY -> (ERSvcupnphost) Erro ao informar o serviço ERSvcupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (FastUserSwitchingCompatibilityClipSrv) Compatibilidade com 'Troca rápida de usuário' FastUserSwitchingCompatibilityClipSrv [Win32_Own | Auto | Stopped] -> 
NY -> (FastUserSwitchingCompatibilityClipSrvgusvcSENS) Compatibilidade com 'Troca rápida de usuário' FastUserSwitchingCompatibilityClipSrv FastUserSwitchingCompatibilityClipSrvgusvcSENS [Win32_Own | Auto | Stopped] -> 
NY -> (FastUserSwitchingCompatibilityClipSrvRSVPhelpsvc) Compatibilidade com 'Troca rápida de usuário' FastUserSwitchingCompatibilityClipSrv FastUserSwitchingCompatibilityClipSrvRSVPhelpsvc [Win32_Own | Auto | Stopped] -> 
NY -> (FastUserSwitchingCompatibilityClipSrvwinmgmtNetDDE) Compatibilidade com 'Troca rápida de usuário' FastUserSwitchingCompatibilityClipSrv FastUserSwitchingCompatibilityClipSrvwinmgmtNetDDE [Win32_Own | Auto | Stopped] -> 
NY -> (gusvc Service) Google Updater Service gusvc Service [Win32_Own | Auto | Stopped] -> 
NY -> (gusvcSENS) Google Updater Service gusvcSENS [Win32_Own | Auto | Stopped] -> 
NY -> (gusvcSENSmnmsrvc) Google Updater Service gusvcSENS gusvcSENSmnmsrvc [Win32_Own | Auto | Stopped] -> 
NY -> (HidServDcomLaunch) HID Input Service HidServDcomLaunch [Win32_Own | Auto | Stopped] -> 
NY -> (iPodDhcp) Serviço iPod iPodDhcp [Win32_Own | Auto | Stopped] -> 
NY -> (iPodDhcpWmdmPmSN) Serviço iPod iPodDhcp iPodDhcpWmdmPmSN [Win32_Own | Auto | Stopped] -> 
NY -> (lanmanserverFastUserSwitchingCompatibility) Servidor lanmanserverFastUserSwitchingCompatibility [Win32_Own | Auto | Stopped] -> 
NY -> (lanmanserverFastUserSwitchingCompatibilityDcomLaunch) Servidor lanmanserverFastUserSwitchingCompatibility lanmanserverFastUserSwitchingCompatibilityDcomLaunch [Win32_Own | Auto | Stopped] -> 
NY -> (lanmanserverFastUserSwitchingCompatibilityDcomLaunchSamSs) Servidor lanmanserverFastUserSwitchingCompatibility lanmanserverFastUserSwitchingCompatibilityDcomLaunch lanmanserverFastUserSwitchingCompatibilityDcomLaunchSamSs [Win32_Own | Auto | Stopped] -> 
NY -> (lanmanserverFastUserSwitchingCompatibilityW32Time) Servidor lanmanserverFastUserSwitchingCompatibility lanmanserverFastUserSwitchingCompatibilityW32Time [Win32_Own | Auto | Stopped] -> 
NY -> (lanmanserverWmiApSrv) Servidor lanmanserverWmiApSrv [Win32_Own | Auto | Stopped] -> 
NY -> (lanmanworkstationupnphost) Estação de trabalho lanmanworkstationupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (MDM Service) Machine Debug Manager MDM Service [Win32_Own | Auto | Stopped] -> 
NY -> (Messengerwuauserv) Mensageiro Messengerwuauserv [Win32_Own | Auto | Stopped] -> 
NY -> (mnmsrvcdmadmin) Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcdmadmin [Win32_Own | Auto | Stopped] -> 
NY -> (mnmsrvcNtLmSsp) Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcNtLmSsp [Win32_Own | Auto | Stopped] -> 
NY -> (mnmsrvcTrkWksAppMgmt) Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcTrkWksAppMgmt [Win32_Own | Auto | Stopped] -> 
NY -> (mnmsrvcTrkWksAppMgmtsrservice) Compartilhamento remoto da área de trabalho do NetMeeting mnmsrvcTrkWksAppMgmt mnmsrvcTrkWksAppMgmtsrservice [Win32_Own | Auto | Stopped] -> 
NY -> (NetDDEdsdmAlerter) DSDM de DDE de rede NetDDEdsdmAlerter [Win32_Own | Auto | Stopped] -> 
NY -> (NetDDEdsdmAlertersrservice) DSDM de DDE de rede NetDDEdsdmAlerter NetDDEdsdmAlertersrservice [Win32_Own | Auto | Stopped] -> 
NY -> (Nlaaspnet_state) Reconhecimento de local da rede (NLA) Nlaaspnet_state [Win32_Own | Auto | Stopped] -> 
NY -> (Nlaaspnet_statelanmanworkstationupnphost) Reconhecimento de local da rede (NLA) Nlaaspnet_state Nlaaspnet_statelanmanworkstationupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (NtLmSspERSvcupnphost) Fornecedor de suporte de segurança NT LM NtLmSspERSvcupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (NtLmSspERSvcupnphostupnphost) Fornecedor de suporte de segurança NT LM NtLmSspERSvcupnphost NtLmSspERSvcupnphostupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (NtLmSspNVSvc) Fornecedor de suporte de segurança NT LM NtLmSspNVSvc [Win32_Own | Auto | Stopped] -> 
NY -> (PolicyAgentVSS) Serviços IPSEC PolicyAgentVSS [Win32_Own | Auto | Stopped] -> 
NY -> (PolicyAgentVSSPlugPlay) Serviços IPSEC PolicyAgentVSS PolicyAgentVSSPlugPlay [Win32_Own | Auto | Stopped] -> 
NY -> (RasAutoBrowser) Gerenciador de conexão de acesso remoto automático RasAutoBrowser [Win32_Own | Auto | Stopped] -> 
NY -> (RasAutoBrowser Licensing Service) Gerenciador de conexão de acesso remoto automático RasAutoBrowser RasAutoBrowser Licensing Service [Win32_Own | Auto | Stopped] -> 
NY -> (RasAutoBrowserBrowser) Gerenciador de conexão de acesso remoto automático RasAutoBrowser RasAutoBrowserBrowser [Win32_Own | Auto | Stopped] -> 
NY -> (RasAutoBrowserBrowserCryptSvc) Gerenciador de conexão de acesso remoto automático RasAutoBrowser RasAutoBrowserBrowser RasAutoBrowserBrowserCryptSvc [Win32_Own | Auto | Stopped] -> 
NY -> (RDSessMgrdmadmin) Gerenciador de sessão de ajuda de área de trabalho remota RDSessMgrdmadmin [Win32_Own | Auto | Stopped] -> 
NY -> (RpcLocatorRDSessMgr) Alocador Remote Procedure Call (RPC) RpcLocatorRDSessMgr [Win32_Own | Auto | Stopped] -> 
NY -> (RpcSsWmi) Chamada de procedimento remoto (RPC) RpcSsWmi [Win32_Own | Auto | Stopped] -> 
NY -> (RSVPhelpsvc) QoS RSVP RSVPhelpsvc [Win32_Own | Auto | Stopped] -> 
NY -> (RSVPhelpsvcmnmsrvcdmadmin) QoS RSVP RSVPhelpsvc RSVPhelpsvcmnmsrvcdmadmin [Win32_Own | Auto | Stopped] -> 
NY -> (seclogonWLSetupSvc) Logon secundário seclogonWLSetupSvc [Win32_Own | Auto | Stopped] -> 
NY -> (SharedAccessRasMan) Firewall do Windows/Compartilhamento de Conexão com a Internet (ICS) SharedAccessRasMan [Win32_Own | Auto | Stopped] -> 
NY -> (SharedAccesssrservice) Firewall do Windows/Compartilhamento de Conexão com a Internet (ICS) SharedAccesssrservice [Win32_Own | Auto | Stopped] -> 
NY -> (ShellHWDetectionNetDDEdsdm) Detecção do hardware do shell ShellHWDetectionNetDDEdsdm [Win32_Own | Auto | Stopped] -> 
NY -> (srservicesrservice) Serviço de restauração do sistema srservicesrservice [Win32_Own | Auto | Stopped] -> 
NY -> (SSDPSRVNla) Serviço de descoberta SSDP SSDPSRVNla [Win32_Own | Auto | Stopped] -> 
NY -> (SysmonLogClipSrvupnphost) Logs e alertas de desempenho SysmonLogClipSrvupnphost [Win32_Own | Auto | Stopped] -> 
NY -> (TapiSrvsrservice) Telefonia TapiSrvsrservice [Win32_Own | Auto | Stopped] -> 
NY -> (ThemesCryptSvc) Temas ThemesCryptSvc [Win32_Own | Auto | Stopped] -> 
NY -> (TrkWksAppMgmt) Cliente de rastreamento de link distribuído TrkWksAppMgmt [Win32_Own | Auto | Stopped] -> 
NY -> (TrkWksdmserverWmilanmanserver) Cliente de rastreamento de link distribuído TrkWksdmserverWmilanmanserver [Win32_Own | Auto | Stopped] -> 
NY -> (UMWdfSharedAccess) Windows User Mode Driver Framework UMWdfSharedAccess [Win32_Own | Auto | Stopped] -> 
NY -> (upnphostMSDTC) Host de dispositivo Plug and Play universal upnphostMSDTC [Win32_Own | Auto | Stopped] -> 
NY -> (usnjsvcDcomLaunch) Serviço de Compartilhamento de Pastas Messenger do USN Journal Reader usnjsvcDcomLaunch [Win32_Own | Auto | Stopped] -> 
NY -> (VSSaspnet_state) Cópia de volume em memória VSSaspnet_state [Win32_Own | Auto | Stopped] -> 
NY -> (W32TimeaawserviceNla) Horário do Windows W32TimeaawserviceNla [Win32_Own | Auto | Stopped] -> 
NY -> (W32TimeCryptSvc) Horário do Windows W32TimeCryptSvc [Win32_Own | Auto | Stopped] -> 
NY -> (W32TimeHidServ) Horário do Windows W32TimeHidServ [Win32_Own | Auto | Stopped] -> 
NY -> (W32TimeSwPrv) Horário do Windows W32TimeSwPrv [Win32_Own | Auto | Stopped] -> 
NY -> (W32TimeSwPrvMSDTC) Horário do Windows W32TimeSwPrv W32TimeSwPrvMSDTC [Win32_Own | Auto | Stopped] -> 
NY -> (W32TimeSwPrvSSDPSRVNla) Horário do Windows W32TimeSwPrv W32TimeSwPrvSSDPSRVNla [Win32_Own | Auto | Stopped] -> 
NY -> (winmgmtNetDDE) Testador de instrumentação de gerenciam. do Windows winmgmtNetDDE [Win32_Own | Auto | Stopped] -> 
NY -> (winmgmtNetDDEclr_optimization_v2.0.50727_32) Testador de instrumentação de gerenciam. do Windows winmgmtNetDDE winmgmtNetDDEclr_optimization_v2.0.50727_32 [Win32_Own | Auto | Stopped] -> 
NY -> (winmgmtNetDDEWmiApSrv) Testador de instrumentação de gerenciam. do Windows winmgmtNetDDE winmgmtNetDDEWmiApSrv [Win32_Own | Auto | Stopped] -> 
NY -> (WLSetupSvcSharedAccessRasMan) Windows Live Setup Service WLSetupSvcSharedAccessRasMan [Win32_Own | Auto | Stopped] -> 
NY -> (WLSetupSvcwscsvcShellHWDetection) Windows Live Setup Service WLSetupSvcwscsvcShellHWDetection [Win32_Own | Auto | Stopped] -> 
NY -> (WmdmPmSNDcomLaunch) Serviço de Número de Série de Mídia Portátil WmdmPmSNDcomLaunch [Win32_Own | Auto | Stopped] -> 
NY -> (WmdmPmSNDcomLaunchSCardSvr) Serviço de Número de Série de Mídia Portátil WmdmPmSNDcomLaunch WmdmPmSNDcomLaunchSCardSvr [Win32_Own | Auto | Stopped] -> 
NY -> (WmdmPmSNsrservice) Serviço de Número de Série de Mídia Portátil WmdmPmSNsrservice [Win32_Own | Auto | Stopped] -> 
NY -> (WmdmPmSNsrservicesrservice) Serviço de Número de Série de Mídia Portátil WmdmPmSNsrservicesrservice [Win32_Own | Auto | Stopped] -> 
NY -> (WmiApSrvInCDsrv) Adaptador de desempenho WMI WmiApSrvInCDsrv [Win32_Own | Auto | Stopped] -> 
NY -> (WmiAudioSrv) Extensões de driver de instrum. gerenc. do Windows WmiAudioSrv [Win32_Own | Auto | Stopped] -> 
NY -> (Wmilanmanserver) Extensões de driver de instrum. gerenc. do Windows Wmilanmanserver [Win32_Own | Auto | Stopped] -> 
NY -> (wscsvcShellHWDetection) Central de Segurança wscsvcShellHWDetection [Win32_Own | Auto | Stopped] -> 
NY -> (dmadminRasAuto) Serviço administrativo do gerenciador de disco lógico dmadminRasAuto [Win32_Own | Auto | Stopped] -> 
[Driver Services - Non-Microsoft Only]
NY -> (bnn47) bnn47 [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\Bnn47.sys
NY -> (cww51) cww51 [Kernel | Boot | Stopped] -> %SystemRoot%\system32\drivers\Cww51.sys
NY -> (eeCtrl) Symantec Eraser Control driver [Kernel | System | Stopped] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys
NY -> (EraserUtilDrv10621) EraserUtilDrv10621 [Kernel | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\EENGINE\EraserUtilDrv10621.sys
NY -> (kua81) kua81 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\Kua81.sys
NY -> (Lqn46) Lqn46 [Kernel | Boot | Stopped] -> %SystemRoot%\system32\drivers\Lqn46.sys
NY -> (PciCon) PciCon [Kernel | On_Demand | Stopped] -> D:\PciCon.sys
YY -> (sysrest.sys) sysrest.sys [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\sysrest.sys
NY -> (tcpsr) tcpsr [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\tcpsr.sys
YY -> (Winaf86) Winaf86 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winaf86.sys
YY -> (Winau25) Winau25 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winau25.sys
YY -> (Winbe12) Winbe12 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winbe12.sys
YY -> (Winbo82) Winbo82 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winbo82.sys
YY -> (Wincm03) Wincm03 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Wincm03.sys
YY -> (Windb71) Windb71 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Windb71.sys
YY -> (Windg28) Windg28 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Windg28.sys
YY -> (Windn26) Windn26 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Windn26.sys
YY -> (Windn33) Windn33 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Windn33.sys
YY -> (Windn44) Windn44 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Windn44.sys
YY -> (Winee86) Winee86 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winee86.sys
YY -> (Winej03) Winej03 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winej03.sys
YY -> (Winej27) Winej27 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winej27.sys
YY -> (Winel28) Winel28 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winel28.sys
YY -> (Wineo51) Wineo51 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Wineo51.sys
YY -> (Wineq48) Wineq48 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Wineq48.sys
YY -> (Winet22) Winet22 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winet22.sys
YY -> (Winfh63) Winfh63 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winfh63.sys
YY -> (Winfk02) Winfk02 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winfk02.sys
YY -> (Winfk47) Winfk47 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winfk47.sys
YY -> (Winfk62) Winfk62 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winfk62.sys
YY -> (Winfp73) Winfp73 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winfp73.sys
YY -> (Winfr66) Winfr66 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winfr66.sys
YY -> (Winge85) Winge85 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winge85.sys
YY -> (Wingo71) Wingo71 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Wingo71.sys
YY -> (Wings74) Wings74 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Wings74.sys
YY -> (Wingv35) Wingv35 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Wingv35.sys
YY -> (Winha06) Winha06 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winha06.sys
YY -> (Winhc03) Winhc03 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winhc03.sys
YY -> (Winhj35) Winhj35 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winhj35.sys
YY -> (Winhw36) Winhw36 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winhw36.sys
YY -> (Winia33) Winia33 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winia33.sys
YY -> (Winib38) Winib38 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winib38.sys
YY -> (Winik03) Winik03 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winik03.sys
YY -> (Winix14) Winix14 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winix14.sys
YY -> (Winje88) Winje88 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winje88.sys
YY -> (Winjh16) Winjh16 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winjh16.sys
YY -> (Winjm24) Winjm24 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winjm24.sys
YY -> (Winjw12) Winjw12 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winjw12.sys
YY -> (Winjw63) Winjw63 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winjw63.sys
YY -> (Winka24) Winka24 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winka24.sys
YY -> (Winkr26) Winkr26 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winkr26.sys
YY -> (Winks33) Winks33 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winks33.sys
YY -> (Winlt28) Winlt28 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winlt28.sys
YY -> (Winmc87) Winmc87 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winmc87.sys
YY -> (Winmm01) Winmm01 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winmm01.sys
YY -> (Winmp36) Winmp36 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winmp36.sys
YY -> (Winmt60) Winmt60 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winmt60.sys
YY -> (Winnd00) Winnd00 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winnd00.sys
YY -> (Winnf17) Winnf17 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winnf17.sys
YY -> (Winnl17) Winnl17 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winnl17.sys
YY -> (Winnp05) Winnp05 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winnp05.sys
YY -> (Winnp16) Winnp16 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winnp16.sys
YY -> (Winns10) Winns10 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winns10.sys
YY -> (Winns41) Winns41 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winns41.sys
YY -> (Winnu68) Winnu68 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winnu68.sys
YY -> (Winoe56) Winoe56 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winoe56.sys
YY -> (Winoo41) Winoo41 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winoo41.sys
YY -> (Winps25) Winps25 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winps25.sys
YY -> (Winpx36) Winpx36 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winpx36.sys
YY -> (Winqo71) Winqo71 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winqo71.sys
YY -> (Winqx18) Winqx18 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winqx18.sys
YY -> (Winqx22) Winqx22 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winqx22.sys
YY -> (Winrk12) Winrk12 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winrk12.sys
YY -> (Winrm40) Winrm40 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winrm40.sys
YY -> (Winru36) Winru36 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winru36.sys
YY -> (Winry27) Winry27 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winry27.sys
YY -> (Winsb17) Winsb17 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winsb17.sys
YY -> (Winsk74) Winsk74 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winsk74.sys
YY -> (Winsl22) Winsl22 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winsl22.sys
YY -> (Winsn36) Winsn36 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winsn36.sys
YY -> (Winsu08) Winsu08 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winsu08.sys
YY -> (Wintt14) Wintt14 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Wintt14.sys
YY -> (Winui87) Winui87 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winui87.sys
YY -> (Winuk22) Winuk22 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winuk22.sys
YY -> (Winuw47) Winuw47 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winuw47.sys
YY -> (Winvj44) Winvj44 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winvj44.sys
YY -> (Winvl55) Winvl55 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winvl55.sys
YY -> (Winwh16) Winwh16 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winwh16.sys
YY -> (Winwk86) Winwk86 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winwk86.sys
YY -> (Winwo85) Winwo85 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winwo85.sys
YY -> (Winwr76) Winwr76 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winwr76.sys
YY -> (Winwy44) Winwy44 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winwy44.sys
YY -> (Winxi00) Winxi00 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winxi00.sys
YY -> (Winxq56) Winxq56 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winxq56.sys
YY -> (Winyh00) Winyh00 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winyh00.sys
YY -> (Winyh15) Winyh15 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winyh15.sys
YY -> (Winyj47) Winyj47 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winyj47.sys
YY -> (Winyl15) Winyl15 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winyl15.sys
YY -> (Winyq04) Winyq04 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winyq04.sys
YY -> (Winyv71) Winyv71 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winyv71.sys
YY -> (Winkw60) Winkw60 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Winkw60.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> lphcllhj0el2n -> %SystemRoot%\system32\lphcllhj0el2n.exe [C:\WINDOWS\system32\lphcllhj0el2n.exe]
YN -> NSRKey -> %SystemDrive%\ARQUIV~1\NORTON~1\NSR\Agent\NSRTray.exe [C:\ARQUIV~1\NORTON~1\NSR\Agent\NSRTray.exe]
YY -> sysrest32.exe -> %SystemRoot%\system32\sysrest32.exe [C:\WINDOWS\system32\sysrest32.exe]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> WintelUpdate -> %SystemDrive%\gwwspin.exe [C:\gwwspin.exe]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> {AC1A234C-06B0-89E6-BC3F-8C589FA31478} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\xgdsi.dll [uYSUAFMTs]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> fzglqyyb -> %SystemRoot%\system32\fzglqyyb32.dll
YY -> WinCtrl32 -> %SystemRoot%\system32\WinCtrl32.dll
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispScrSavPage -> 1
< HOSTS File > (1094 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
YN -> 124.217.252.77 bravesentry.com -> 
YN -> 124.217.252.77 www.bravesentry.com -> 
YN -> 124.217.252.78 secure.isoftpay.com -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {CB07D6A9-7491-4A84-B8E8-E846CC689DDC} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\pvnsmfor.dll [pvnsmfor]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\{5E638779-1818-4754-A595-EF1C63B87A56} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\gwwspin.exe -> %SystemDrive%\gwwspin.exe [C:\gwwspin.exe:*:Disabled:gwwspin]
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\sysrest32.exe -> %SystemRoot%\system32\sysrest32.exe [C:\WINDOWS\system32\sysrest32.exe:*:Enabled:enable]
[Files/Folders - Created Within 30 days]
NY -> 1025q.dll -> %SystemRoot%\System32\1025q.dll
NY -> activedsk.sys -> %SystemRoot%\System32\activedsk.sys
NY -> appendy.sys -> %SystemRoot%\System32\appendy.sys
NY -> blphcllhj0el2n.scr -> %SystemRoot%\System32\blphcllhj0el2n.scr
NY -> lphcllhj0el2n.exe -> %SystemRoot%\System32\lphcllhj0el2n.exe
NY -> phcllhj0el2n.bmp -> %SystemRoot%\System32\phcllhj0el2n.bmp
NY -> pphcllhj0el2n.exe -> %SystemRoot%\System32\pphcllhj0el2n.exe
NY -> 95 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> sysrest.sys -> %SystemRoot%\System32\sysrest.sys
NY -> sysrest32.exe -> %SystemRoot%\System32\sysrest32.exe
NY -> WinCtrl32.dl_ -> %SystemRoot%\System32\WinCtrl32.dl_
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 137 bytes -> %AllUsersProfile%\Dados de aplicativos\TEMP:DFC5A2B2
NY -> rhcglhj0el2n -> %AppData%\rhcglhj0el2n
NY -> shcjlhj0el2n -> %AppData%\shcjlhj0el2n
NY -> Malware Protector 2008.lnk -> %AllUsersProfile%\Desktop\Malware Protector 2008.lnk
NY -> rhcglhj0el2n -> %ProgramFiles%\rhcglhj0el2n
NY -> shcjlhj0el2n -> %ProgramFiles%\shcjlhj0el2n
[Files/Folders - Modified Within 30 days]
NY -> Winej03.sys -> %SystemRoot%\System32\drivers\Winej03.sys
NY -> Winnf17.sys -> %SystemRoot%\System32\drivers\Winnf17.sys
NY -> Winps25.sys -> %SystemRoot%\System32\drivers\Winps25.sys
NY -> 1025q.dll -> %SystemRoot%\System32\1025q.dll
NY -> 878130967.dat -> %SystemRoot%\System32\878130967.dat
NY -> activedsk.sys -> %SystemRoot%\System32\activedsk.sys
NY -> appendy.sys -> %SystemRoot%\System32\appendy.sys
NY -> blphcllhj0el2n.scr -> %SystemRoot%\System32\blphcllhj0el2n.scr
NY -> 95 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> lphcllhj0el2n.exe -> %SystemRoot%\System32\lphcllhj0el2n.exe
NY -> phcllhj0el2n.bmp -> %SystemRoot%\System32\phcllhj0el2n.bmp
NY -> pphcllhj0el2n.exe -> %SystemRoot%\System32\pphcllhj0el2n.exe
NY -> sysrest.sys -> %SystemRoot%\System32\sysrest.sys
NY -> sysrest32.exe -> %SystemRoot%\System32\sysrest32.exe
NY -> WinCtrl32.dll -> %SystemRoot%\System32\WinCtrl32.dll
NY -> WinCtrl32.dl_ -> %SystemRoot%\System32\WinCtrl32.dl_
NY -> WinNt32.dll -> %SystemRoot%\System32\WinNt32.dll
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 137 bytes -> %AllUsersProfile%\Dados de aplicativos\TEMP:DFC5A2B2
NY -> rhcglhj0el2n -> %AppData%\rhcglhj0el2n
NY -> shcjlhj0el2n -> %AppData%\shcjlhj0el2n
NY -> Antivirus XP 2008.lnk -> %AllUsersProfile%\Desktop\Antivirus XP 2008.lnk
NY -> Malware Protector 2008.lnk -> %AllUsersProfile%\Desktop\Malware Protector 2008.lnk
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #4

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #5

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #6

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
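As an added example, not code from this thread, from OTScanIt or from OldTimer: a small Python triage script that parses lines in the OTScanIt log format shown above and groups them into the persistence patterns the fix list targets: the randomized Win??NN.sys driver family, autostart entries (Run, Winlogon\Notify, SSODL) whose file also appears in the recently created or modified file lists, HOSTS entries that point a host name at a non-loopback address, policy values under CurrentVersion\policies, and Windows Firewall AuthorizedApplications exceptions found by BotCheck. The sample log is constructed from entries of the same shape as the ones in this thread, not the poster's actual log; the two-letter YY/YN/NY prefix is parsed only as a pair of flags, and the [Drivers] heading is a placeholder because the real section name is not visible on this page.

```python
"""Triage helper for OTScanIt-style log lines (added example; not OTScanIt's own code)."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(.+)\]$")                     # [Registry - Non-Microsoft Only]
KEY_RE = re.compile(r"^< (.+?) > .*->\s*(.*)$")            # < Run [HKEY_LOCAL_MACHINE\] > -> ...
ITEM_RE = re.compile(r"^([YN])([YN]) -> (.+?) ->\s*(.*)$")  # YY -> name -> target
RANDOM_DRIVER_RE = re.compile(r"^win[a-z]{2}\d{2}\.sys$")  # Winhc03.sys, Winkw60.sys, ...
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
AUTOSTART_KEYS = ("Run", "Winlogon\\Notify", "SSODL")      # registry keys that launch code

# Constructed sample in the log format used in this thread (not the poster's log).
# "[Drivers]" is a placeholder heading; the real section name is not shown on the page.
SAMPLE_LOG = r"""
[Drivers]
YY -> (Winhc03) Winhc03 [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\Winhc03.sys
YY -> (Winkw60) Winkw60 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\Winkw60.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> lphcllhj0el2n -> %SystemRoot%\system32\lphcllhj0el2n.exe [C:\WINDOWS\system32\lphcllhj0el2n.exe]
YN -> NSRKey -> %SystemDrive%\ARQUIV~1\NORTON~1\NSR\Agent\NSRTray.exe [C:\ARQUIV~1\NORTON~1\NSR\Agent\NSRTray.exe]
YY -> sysrest32.exe -> %SystemRoot%\system32\sysrest32.exe [C:\WINDOWS\system32\sysrest32.exe]
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> WinCtrl32 -> %SystemRoot%\system32\WinCtrl32.dll
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 1
< HOSTS File > (1094 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
YN -> 124.217.252.77 bravesentry.com -> 
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YY -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\gwwspin.exe -> %SystemDrive%\gwwspin.exe [C:\gwwspin.exe:*:Disabled:gwwspin]
[Files/Folders - Created Within 30 days]
NY -> lphcllhj0el2n.exe -> %SystemRoot%\System32\lphcllhj0el2n.exe
NY -> sysrest32.exe -> %SystemRoot%\System32\sysrest32.exe
[Files/Folders - Modified Within 30 days]
NY -> WinCtrl32.dll -> %SystemRoot%\System32\WinCtrl32.dll
"""


def basename(target):
    """Lower-cased file name from a target such as '%SystemRoot%\\x.exe [C:\\WINDOWS\\x.exe]'."""
    path = target.split(" [", 1)[0].strip()      # drop the bracketed expanded path / extra info
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text):
    """Return one dict per item line: section, key, reg/file flags, name, target."""
    entries, section, key = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, key = m.group(1), None       # a new [Section] resets the current key
        elif m := KEY_RE.match(line):
            key = m.group(1)                       # "< Run [HKEY_LOCAL_MACHINE\] >" -> key name
        elif m := ITEM_RE.match(line):
            entries.append({
                "section": section, "key": key,
                "reg": m.group(1) == "Y", "file": m.group(2) == "Y",  # read as (registry, file) flags
                "name": m.group(3).strip(), "target": m.group(4).strip(),
            })
    return entries


def triage(entries):
    """Group entries into the persistence patterns worth a second look."""
    findings = defaultdict(list)
    # File names the scanner saw as created or modified recently.
    recent = {basename(e["target"]) for e in entries
              if (e["section"] or "").startswith("Files/Folders - ")}
    for e in entries:
        key, name, base = e["key"] or "", e["name"], basename(e["target"])
        if RANDOM_DRIVER_RE.match(base):           # Win + 2 letters + 2 digits driver family
            findings["randomized_driver"].append(base)
        if any(k in key for k in AUTOSTART_KEYS) and base in recent:
            findings["autostart_recent_file"].append((key.split(" [", 1)[0], base))
        if key.startswith("HOSTS File"):
            m = HOSTS_RE.match(name)
            if m and not m.group(1).startswith("127."):   # name pinned to a remote address
                findings["hosts_redirect"].append((m.group(2), m.group(1)))
        if "Policy Settings" in key:               # e.g. DisableTaskMgr, NoDispBackgroundPage
            findings["policy_value"].append((name.rsplit("\\", 1)[-1], e["target"]))
        if key == "BotCheck" and "AuthorizedApplications" in name:
            findings["firewall_exception"].append(base)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(parse(SAMPLE_LOG)).items():
        print(category)
        for item in items:
            print("   ", item)
```

Two things worth noting about the design: the autostart check does not try to judge a file name on its own, it only flags an autostart entry when the same file name also shows up in the recently created or modified lists, which is why the Norton NSRTray.exe Run entry in the sample is left alone; and the driver regex is deliberately narrow to the Win??NN.sys naming seen in this log, so it will not catch a family that picks names differently.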
